<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface of SoftICE: with 'BCHK' in ebp and ax=4, SoftICE's
int 3 handler answers the call and al no longer holds 4 on return; without
SoftICE nothing answers the call and al is untouched.

        mov ebp, 04243484Bh     ; 'BCHK', the BoundsChecker signature
        mov ax, 04h
        int 3                   ; answered by SoftICE's int 3 handler if loaded
        cmp al,4                ; al untouched: no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands... It is also used to crash
SoftICE and to force it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. So when you trace such
code with SoftICE loaded, break on the call before it runs (BPINT 3 if
si==4647 && di==4A4D) and skip it instead of stepping over it: the last
command reboots the machine.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). With the VxD loaded, the call returns its
API entry point in ES:DI; otherwise ES:DI is left at 0000:0000.

        xor di,di
        mov es,di               ; es:di = 0 before the call
        mov ax, 1684h           ; int 2Fh fn 1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still zero: the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di               ; es:di = 0 before the call
        mov ax, 1684h           ; int 2Fh fn 1684h: get VxD API entry point
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still zero: the VxD is not loaded
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh. There are several
variants.

The following one is the simplest:

        mov ax,4fh              ; int 41h fn 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first so that the call is harmless when nobody owns the vector; a system
debugger intercepts int 41h anyway and still answers with 0F386h:

        xor ax,ax
        mov es,ax               ; es=0: es:[41h*4] is the IVT entry of int 41h
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own handler, keep the old
        xchg bx, es:[41h*4+2]   ; vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; just returns: ax stays 4Fh without a debugger
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
0F386h and no function 4Fh appear anywhere. Our own handler copies al into
cl; if a debugger intercepts the int 41h instead, cl stays at 0.

int41handler PROC
        mov cl,al               ; reached only if nobody hooked int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es=0: es:[41h*4] is the IVT entry of int 41h
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a random-ish value from the timer chip
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

Caveat: the check misses when the byte read from port 40h happens to be 0,
because cl and al are then equal whether or not the handler ran.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h              ; int 68h fn 43h: debugger installation check
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip
is at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        push cs
        pop ds                  ; ds:dx must address the new routine
        mov ah, 25h             ; int 21h fn 25h: set interrupt vector
        mov al, 01h             ; int 01h (or 03h for the breakpoint vector)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (dr7=0x700 if you loaded the soft with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints (BPM)
are set (dr0 to dr3), simply by reading their values (ring 0 only, since
mov reg,drN is a privileged instruction). Values can be manipulated or
changed as well (clearing BPMs, for instance).
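
The C program below is an added example, not code from the original text:
it decodes DR0-DR3/DR7 values into the per-slot breakpoint description that
method 10 relies on, using the architectural DR7 bit layout (bits 0-7 are
the L/G enable pairs of slots 0-3, bit 8 LE, bit 9 GE, bit 10 reserved and
always read as 1, bits 16+4i and 18+4i the R/W and LEN fields of slot i).
The register values fed to it are constructed; on a real system they come
from ring 0 (mov eax,dr7) or, on NT, from GetThreadContext with
CONTEXT_DEBUG_REGISTERS. dr7_looks_touched() is the check method 10
implies: 0x400 is the untouched value, 0x700 means LE and GE were set, and
any enable bit means a BPM is armed.

```c
/* Added example, not code from the original text: decodes the debug
 * registers that method 10 reads, using the architectural DR7 layout:
 *   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
 *   bit 8, 9   LE, GE
 *   bit 10     reserved, reads as 1 (hence 0x400 on an untouched CPU)
 *   bits 16+4i R/W_i (00 exec, 01 write, 10 I/O, 11 read/write)
 *   bits 18+4i LEN_i (00 1, 01 2, 11 4 bytes)
 * The values fed in below are constructed; on a real system they come from
 * ring 0 (mov eax,dr7) or, on NT, from GetThreadContext with
 * CONTEXT_DEBUG_REGISTERS. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct hwbp { int enabled, global; const char *kind; int len; uint32_t addr; };
struct dr_state { int le, ge, armed; struct hwbp bp[4]; };

int hwbp_enabled(uint32_t dr7, int slot) { return ((dr7 >> (2 * slot)) & 3) != 0; }
int hwbp_global(uint32_t dr7, int slot)  { return (dr7 >> (2 * slot + 1)) & 1; }

const char *hwbp_kind(uint32_t dr7, int slot)
{
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[(dr7 >> (16 + 4 * slot)) & 3];
}

int hwbp_len(uint32_t dr7, int slot)
{
    static const int bytes[] = { 1, 2, 8, 4 };      /* 10b means 8 bytes only in long mode */
    return bytes[(dr7 >> (18 + 4 * slot)) & 3];
}

int hwbp_count(uint32_t dr7)
{
    int slot, n = 0;
    for (slot = 0; slot < 4; slot++) n += hwbp_enabled(dr7, slot);
    return n;
}

/* The test method 10 implies: bit 10 is always set, so exactly 0x400 is an
 * untouched DR7; LE/GE (0x700) is what the SoftICE loader leaves behind, and
 * any enable bit means a BPM is armed. */
int dr7_looks_touched(uint32_t dr7) { return (dr7 & ~UINT32_C(0x400)) != 0; }

struct dr_state decode_debug_regs(uint32_t dr0, uint32_t dr1, uint32_t dr2, uint32_t dr3, uint32_t dr7)
{
    const uint32_t addr[4] = { dr0, dr1, dr2, dr3 };
    struct dr_state st;
    int i;
    memset(&st, 0, sizeof st);
    st.le = (dr7 >> 8) & 1;
    st.ge = (dr7 >> 9) & 1;
    st.armed = hwbp_count(dr7);
    for (i = 0; i < 4; i++) {
        st.bp[i].enabled = hwbp_enabled(dr7, i);
        st.bp[i].global  = hwbp_global(dr7, i);
        st.bp[i].kind    = hwbp_kind(dr7, i);
        st.bp[i].len     = hwbp_len(dr7, i);
        st.bp[i].addr    = addr[i];
    }
    return st;
}

int main(void)
{
    /* constructed: loader-style LE/GE plus slot 0 watching 4 bytes at 401000h for read/write */
    uint32_t dr7 = 0x700u | 0x1u | (3u << 16) | (3u << 18);
    struct dr_state st = decode_debug_regs(0x401000u, 0, 0, 0, dr7);
    int i;
    printf("dr7=%08x touched=%d le=%d ge=%d armed=%d\n", (unsigned)dr7,
           dr7_looks_touched(dr7), st.le, st.ge, st.armed);
    for (i = 0; i < 4; i++)
        if (st.bp[i].enabled)
            printf("  dr%d: %s, %d byte(s) at %08x%s\n", i, st.bp[i].kind, st.bp[i].len,
                   (unsigned)st.bp[i].addr, st.bp[i].global ? " (global)" : "");
    return 0;
}
```

Reading the registers is the part that needs ring 0; the decoder itself is
plain bit work, which is why the same code serves a VxD, a driver, or a
ring-3 tool that pulls the values out of a thread context.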

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name exposed by the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is there */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field. Its purpose is not to load/unload VxDs but only to
send a W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could a
shareware soft try to load/unload a non-dynamically loadable driver such
as SoftICE ;-). If the VxD is loaded, it always clears eax and the carry
flag to allow its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is lpFileName; +4 skips the "\\.\" prefix of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

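As an added example covering methods 01 to 07, 11 and 12 (not code from
the original text or from any of the tools it names), the C program below
scans a raw code image for the byte sequences those checks assemble to,
which is how you would confirm which tricks a packer uses before tracing
it. The signatures are the standard x86 encodings of the instructions
quoted above (with 16-bit and 32-bit operand-size variants of the BCHK
check); the three sample buffers are constructed for the demo and come
from no real binary.

```c
/* Added example, not code from the original text or from any tool it names:
 * a byte-pattern scanner for the SoftICE checks of methods 01-07, 11 and 12.
 * The patterns are the standard x86 encodings of the instructions quoted
 * above; the three sample buffers at the bottom are constructed for the demo. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define WILD 0x100                      /* pattern element matching any byte */

struct sig { const char *name; const unsigned short *pat; size_t len; };
#define SIG(n, p) { n, p, sizeof p / sizeof p[0] }

/* M01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz rel8 (the 66h prefix
 * sits on the ebp load in 16-bit code and on the ax load in 32-bit code) */
static const unsigned short m01_16[] = { 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,WILD };
static const unsigned short m01_32[] = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,WILD };
/* M02: mov si,4647h / mov di,4A4Dh / int 3 */
static const unsigned short m02[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* M03/M04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh */
static const unsigned short m03[] = { 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F };
static const unsigned short m04[] = { 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F };
/* M05: mov ax,4Fh / int 41h           M07: mov ah,43h / int 68h */
static const unsigned short m05[] = { 0xB8,0x4F,0x00, 0xCD,0x41 };
static const unsigned short m07[] = { 0xB4,0x43, 0xCD,0x68 };
/* M12: push 4Fh / push 002A002Ah, just ahead of the VxDCall */
static const unsigned short m12[] = { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };

static const struct sig sigs[] = {
    SIG("M01 BCHK int 3 (16-bit code)", m01_16), SIG("M01 BCHK int 3 (32-bit code)", m01_32),
    SIG("M02 back door SI/DI magic", m02),       SIG("M03 int 2F/1684 SICE", m03),
    SIG("M04 int 2F/1684 SIWVID", m04),          SIG("M05 int 41/4F", m05),
    SIG("M07 int 68/43", m07),                   SIG("M12 VxDCall Int41Dispatch", m12),
};
/* M11: device names that MeltICE-style checks hand to CreateFileA/_lopen */
static const char *const devnames[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };

static int match_at(const unsigned char *buf, size_t n, size_t off, const struct sig *s)
{
    size_t i;
    if (off + s->len > n) return 0;
    for (i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != s->pat[i]) return 0;
    return 1;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t len = strlen(needle), off;
    for (off = 0; off + len <= n; off++)
        if (memcmp(buf + off, needle, len) == 0) return 1;
    return 0;
}

/* Reports each signature at most once; returns the number found and stores up to max names. */
int scan_for_sice_tricks(const unsigned char *buf, size_t n, const char **names, int max)
{
    int hits = 0;
    size_t k, off;
    for (k = 0; k < sizeof sigs / sizeof sigs[0]; k++)
        for (off = 0; off < n; off++)
            if (match_at(buf, n, off, &sigs[k])) {
                if (hits < max) names[hits] = sigs[k].name;
                hits++;
                break;
            }
    for (k = 0; k < sizeof devnames / sizeof devnames[0]; k++)
        if (contains(buf, n, devnames[k])) {
            if (hits < max) names[hits] = devnames[k];
            hits++;
        }
    return hits;
}

int count_sice_tricks(const unsigned char *buf, size_t n)
{
    const char *names[16];
    return scan_for_sice_tricks(buf, n, names, 16);
}

const char *first_sice_trick(const unsigned char *buf, size_t n)
{
    const char *names[16];
    return scan_for_sice_tricks(buf, n, names, 16) > 0 ? names[0] : NULL;
}

/* Constructed 16-bit sample: a BCHK check, an int 41h/4Fh probe, a device name. */
const unsigned char sample_dos[] = {
    0x90, 0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x12,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, '\\','\\','.','\\','S','I','C','E',0 };
/* Constructed 32-bit sample: Bleem-style VxDCall probe, then a BCHK check. */
const unsigned char sample_win[] = {
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xFF,0x15,0x00,0x20,0x40,0x00, 0x66,0x3D,0x86,0xF3,
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x02 };
/* Ordinary function prologue/epilogue bytes: no signature should fire. */
const unsigned char sample_clean[] = { 0x55,0x8B,0xEC,0x83,0xEC,0x10,0x33,0xC0,0xC9,0xC3 };

int main(void)
{
    const char *names[16];
    int i, n;
    n = scan_for_sice_tricks(sample_dos, sizeof sample_dos, names, 16);
    for (i = 0; i < n; i++) printf("sample_dos: %s\n", names[i]);
    n = scan_for_sice_tricks(sample_win, sizeof sample_win, names, 16);
    for (i = 0; i < n; i++) printf("sample_win: %s\n", names[i]);
    printf("sample_clean: %d hit(s)\n", count_sice_tricks(sample_clean, sizeof sample_clean));
    return 0;
}
```

The sequences are only signatures: a packer that reorders the register
loads, splits them with junk instructions, or builds the magic values at
run time slips past, so treat a miss as "not seen", not "not there"; the
conditional breakpoints listed under each method remain the reliable way
to catch the check as it executes.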
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey string; 0x13 and 0x37 are the offsets of 'tICE'
inside the subkey paths of #2 and #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>