<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WinICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax                   ; ES:DI == 0000:0000 if no such VxD
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax,ax
        mov     es,ax                   ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler,
        xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h              ; our handler never returns the magic
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov     cl,al                   ; our own handler: copy AL into CL
        iret
int41handler ENDP


        xor     ax,ax
        mov     es,ax                   ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, save the old one
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random value from the timer
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl,al                   ; our handler ran -> CL == AL
        jnz     SoftICE_detected        ; otherwise the int was intercepted

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025                ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp  eax,-001
 00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) -> 0 if it failed
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
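
The constants that recur in the methods above (the 'BCHK' dword of Method 01,
the SI/DI magic values of Method 02, the int 2Fh/1684h and int 41h/4Fh
sequences of Methods 03 to 05, the VxDCall arguments of Method 12, and the
device names and registry key of Methods 11 and 13) are exactly what an
analyst triaging a packed sample looks for before running it. The Python
scanner below is an added example and is not part of the original text nor of
any tool it describes: it matches those byte patterns in a raw buffer. The
instruction encodings are an assumption of the example (16-bit real-mode code
for the DOS snippets, 32-bit code for the Win32 ones), it does no disassembly,
so a hit is a lead to confirm under the debugger rather than proof, and the
SAMPLE buffer is constructed for the example, not taken from any real file.

```python
import re

# Byte-pattern signatures for the SoftICE checks described in Methods 01-13.
# Assumed encodings: 16-bit real-mode code for the DOS snippets (an optional
# 66h operand-size prefix is allowed for the 32-bit immediate of Method 01)
# and 32-bit code for the Win32 snippets. This is plain pattern matching, not
# disassembly: a hit means "worth a look", not proof of an anti-debug check.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker/BCHK int 3": re.compile(
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values) ... int 3
    "02 int 3 back door (SI=4647h, DI=4A4Dh)": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h": re.compile(
        rb"\xB8\x4F\x00.{0,32}?\xCD\x41.{0,32}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah
    "12 VxDCall VWIN32_Int41Dispatch": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Methods 11/13: device names and registry key stored as plain strings
    "11 MeltICE device name": re.compile(
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    "13 SoftICE registry key": re.compile(
        rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}


def scan(buf):
    """Return (signature name, offset) for every signature hit in buf,
    ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def found_methods(buf):
    """Sorted, de-duplicated list of the signature names found in buf."""
    return sorted({name for name, _ in scan(buf)})


# Constructed sample buffer (not a real binary): NOP padding around the
# Method 02 sequence from the Haspinst.exe listing (16-bit encoding), the
# simplest Method 05 check, and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"           # mov ax,4Fh
    + b"\xCD\x41"               # int 41h
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\x74\x00"               # jz (placeholder displacement)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # '\\.\SICE',0
)


if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Running the file lists each hit in SAMPLE with its offset; for a real sample,
pass the bytes of a code or data section to scan(). Packed, encrypted or
self-modifying code will not match until it is unpacked, which is why the
SoftICE breakpoints given with each method remain the dynamic check.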
</PRE></TD></TR></TBODY></TABLE>