About anti-SoftICE tricks
Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: int 3 is issued with
EBP = 'BCHK' and AX = 4, and the check relies on SoftICE answering that call
by modifying AL (if nobody answers, AL is still 4).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).  If the VxD is present, the call returns its
API entry point in ES:DI, so a non-zero ES:DI means SoftICE is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

Note that adding ES and DI together is a sloppy test: a segment and offset
that wrap to zero modulo 64K would be missed.  Checking the two registers
separately is the robust form.

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers.  It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net).  The int 41h vector is swapped
with a dummy handler that just returns, so nothing reached through the
interrupt table could have set AX = 0F386h; if AX still comes back with the
magic value, a system debugger intercepted the interrupt itself:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our handler (ES must be 0, as in
    xchg    bx, es:[41h*4+2]    ; Method 06), keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect.  The
dummy handler this time copies AL into CL; AL holds a byte just read from the
timer (port 40h) and CX was cleared beforehand.  If the handler in the
interrupt table is really the one that runs, CL equals AL afterwards; if a
debugger swallows int 41h instead, CL is still 0 and the mismatch reveals it.
(If the timer byte happens to be 0 the comparison passes and the debugger
goes undetected.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; swap in our handler, keep old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only).  Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the Win9x SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open succeeded, so the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  four bytes compared are the start of the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside key #2 and key #1 respectively)

__________________________________________________________________________
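The patterns of Methods 01 through 07, 11 and 13 can be turned into a static scan of a suspect executable. The following C program is an added example, not part of the original text and not code from SoftICE, MeltICE or any of the protectors named above. It encodes each trick as the bytes the assembler emits for the listed instructions (16-bit encodings for the DOS-era code, so Win32 builds of the same tricks, which carry 66h operand-size prefixes, would need their own entries; the Method 01 pattern matches in both modes because the prefix precedes the bytes searched for), plus the driver-name and registry strings, and reports which of them occur in a buffer. The signature names are this example's own. The sample buffer is constructed from the Haspinst.exe fragment of Method 02 with a `\\.\SICE` string appended; it is not a real file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;   /* which trick from the text the pattern belongs to */
    const uint8_t *pat;    /* raw bytes to look for */
    size_t         len;
} sig_t;

/* 16-bit encodings of the listings above, immediates little-endian. */
static const uint8_t M01[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t M02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };       /* mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t M03[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t M04[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const uint8_t M05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 }; /* mov ax,4Fh / int 41h / cmp ax,0F386h */
static const uint8_t M06[] = { 0x26, 0x87, 0x16, 0x04, 0x01 };                   /* xchg dx,es:[41h*4]: int 41h vector swap */
static const uint8_t M07[] = { 0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3 };       /* mov ah,43h / int 68h / cmp ax,0F386h */
static const uint8_t M11A[] = "\\\\.\\SICE";                 /* MeltICE device names (Method 11) */
static const uint8_t M11B[] = "\\\\.\\SIWVID";
static const uint8_t M11C[] = "\\\\.\\NTICE";
static const uint8_t M13[]  = "Software\\NuMega\\SoftICE";  /* registry key #2 (Method 13) */

#define CODE_SIG(n, a) { n, a, sizeof a }
#define TEXT_SIG(n, a) { n, a, sizeof a - 1 }   /* drop the terminating NUL */

static const sig_t SIGS[] = {
    CODE_SIG("Method 01: int 3 with EBP='BCHK'",                   M01),
    CODE_SIG("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh)",  M02),
    CODE_SIG("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",      M03),
    CODE_SIG("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",    M04),
    CODE_SIG("Method 05: int 41h/4Fh, magic 0F386h",               M05),
    CODE_SIG("Method 05/06: int 41h vector swap",                  M06),
    CODE_SIG("Method 07: int 68h/43h, magic 0F386h",               M07),
    TEXT_SIG("Method 11: device name \\\\.\\SICE",                 M11A),
    TEXT_SIG("Method 11: device name \\\\.\\SIWVID",               M11B),
    TEXT_SIG("Method 11: device name \\\\.\\NTICE",                M11C),
    TEXT_SIG("Method 13: registry key Software\\NuMega\\SoftICE",  M13),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte search; memmem() is not portable, so it is spelled out. */
static int contains(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Scans buf for every signature, stores up to max_hits matching names in
 * hits and returns the total number of signatures matched. */
size_t scan_anti_softice(const uint8_t *buf, size_t len,
                         const char **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        if (contains(buf, len, SIGS[i].pat, SIGS[i].len)) {
            if (n < max_hits)
                hits[n] = SIGS[i].name;
            n++;
        }
    }
    return n;
}

/* Constructed sample, not a real file: the Haspinst.exe loop of Method 02
 * encoded byte for byte, followed by a MeltICE device name. */
const uint8_t SAMPLE_HASP[] = {
    0x90, 0x90,                         /* filler */
    0xB8, 0x11, 0x09, 0x8B, 0x17,       /* mov ax,0911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, /* mov si,4647h / mov di,4A4Dh */
    0xCC,                               /* int 3 */
    0x83, 0xC3, 0x02, 0x41,             /* add bx,2 / inc cx */
    0x83, 0xF9, 0x06, 0x72, 0xEB,       /* cmp cx,6 / jb 0095 */
    0xE9, 0x55, 0xFF, 0x8B, 0xDC,       /* jmp 0002 / mov bx,sp */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};
const size_t SAMPLE_HASP_LEN = sizeof SAMPLE_HASP;

/* Constructed clean buffer (push bp / mov bp,sp / xor ax,ax / pop bp / ret). */
const uint8_t SAMPLE_CLEAN[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    const char *hits[16];
    size_t n = scan_anti_softice(SAMPLE_HASP, SAMPLE_HASP_LEN, hits, 16);
    printf("%zu anti-SoftICE pattern(s) found:\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  %s\n", hits[i]);
    return 0;
}
```

The patterns are deliberately the invariant core of each trick (the magic values, interrupt numbers and compares) rather than whole listings, so surrounding register setup can vary without defeating the match; a protector that reorders the two `mov` instructions of Method 02 or loads the magic values through other registers still slips past this scanner, which is the usual limit of byte signatures.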


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 | Powered by Discuz! X5.0