<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP = 'BCHK' and
AX = 4, an int 3 serviced by SoftICE no longer leaves AL equal to 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; AL is still 4 if nobody serviced the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the 'Get VxD API entry point' function).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to hold 0 (the IVT segment) here
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax untouched, SoftICE does not
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; reached only if the IVT vector is really used
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0, the IVT segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install int41handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: a varying value in al
    xor cx,cx               ; cl starts at 0, so al == 0 would mask a hit
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl == al only if our handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. if the
   Win9x SoftICE VxD is loaded and answers the DIOC_OPEN request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* release the handle before reporting */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>