<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: an
INT 3 with AX=04h and EBP='BCHK'. If no SoftICE is loaded, the interrupt
returns with AL still 04h; SoftICE answers the BoundsChecker query with
a different value, which is what the JNZ catches.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; AL still 04h -> no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the ASCIZ command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"). If the VxD is not loaded, ES:DI comes back
unchanged as 0000:0000, so a non-zero ES:DI means the VxD answered.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is first
pointed at a dummy IRET handler, so a plain DOS int 41h returns with AX
unchanged: 0F386h can then only come from a debugger that intercepts
int 41h before it reaches the IVT (SoftICE under Windows). ES must point
to the IVT (ES=0) while the vector is swapped; the two instructions doing
that are added here as in Method 06.

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected


int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to spot since
neither 4Fh nor 0F386h appears in the code: a byte read from the PIT timer
(port 40h) is left in AL, CX is cleared and int 41h is called. If the
dummy handler runs, CL becomes a copy of AL; if SoftICE swallowed the
interrupt, CL stays 0 and differs from AL. (Should the timer byte happen
to be 0, the comparison matches anyway, so the check misses about one
call in 256.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; PIT channel 0 counter byte
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h
is the debugger installation check and returns AX=0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3 hold their
addresses; the enable bits and the R/W and LEN fields live in DR7), simply
by reading their value (ring 0 only: a MOV from a debug register faults
in ring 3). The values can be manipulated or changed as well (clearing
BPMs, for instance).

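The bit layout behind those DR7 values, as an added example in C that is not part of the original text: it does not touch the real debug registers (that needs ring 0) but decodes and edits DR7 values passed in as integers, counting armed BPMs and clearing one, which is the manipulation the paragraph mentions. The value with a 4-byte write BPM in DR0 is a constructed input for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original text: decoding and editing the DR7
 * values quoted above. Layout from the Intel SDM (vol. 3, "Debug Registers"):
 *   bits 0..7          L0,G0,L1,G1,L2,G2,L3,G3  local/global enable of DR0..DR3
 *   bit 8 LE, bit 9 GE                          exact-match enables (0x300)
 *   bit 10             reserved, always reads 1 (hence the 0x400 baseline)
 *   bits 16+4n..17+4n  R/Wn  0=execute 1=write 2=I/O 3=read or write
 *   bits 18+4n..19+4n  LENn  0=1 byte  1=2     3=4   (2=8 bytes in 64-bit mode)
 * Reading or writing the real DR7 needs ring 0; here the values are plain
 * integers supplied by the caller. */

#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED1 (1u << 10)

/* 1 if breakpoint slot n (DR0..DR3) is armed through its L or G bit. */
int dr7_slot_enabled(uint32_t dr7, unsigned n)
{
    return ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
}

/* R/W and LEN field of slot n. */
unsigned dr7_slot_rw(uint32_t dr7, unsigned n)  { return (dr7 >> (16 + 4 * n)) & 3u; }
unsigned dr7_slot_len(uint32_t dr7, unsigned n) { return (dr7 >> (18 + 4 * n)) & 3u; }

/* Number of armed hardware breakpoints (what the text calls BPMs). */
int dr7_active_count(uint32_t dr7)
{
    int c = 0;
    for (unsigned n = 0; n < 4; n++)
        c += dr7_slot_enabled(dr7, n);
    return c;
}

/* Both exact-match bits set: the 0x700 pattern the text attributes to the
 * SoftICE loader (0x400 carries only the reserved bit). */
int dr7_le_ge_set(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* "Clearing a BPM": disarm slot n and zero its R/W and LEN fields. */
uint32_t dr7_clear_bpm(uint32_t dr7, unsigned n)
{
    uint32_t mask = (3u << (2 * n)) | (0xFu << (16 + 4 * n));
    return dr7 & ~mask;
}

/* Arm slot n (local enable) with the given R/W and LEN encodings. */
uint32_t dr7_set_bpm(uint32_t dr7, unsigned n, unsigned rw, unsigned len)
{
    dr7 = dr7_clear_bpm(dr7, n);
    return dr7 | (1u << (2 * n))
               | ((rw  & 3u) << (16 + 4 * n))
               | ((len & 3u) << (18 + 4 * n));
}

static const char *rw_name(unsigned rw)
{
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3u];
}

/* One-line report of a DR7 value plus one line per armed slot. */
void dr7_report(uint32_t dr7)
{
    printf("DR7=0x%08x LE=%d GE=%d armed=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), dr7_active_count(dr7));
    for (unsigned n = 0; n < 4; n++)
        if (dr7_slot_enabled(dr7, n))
            printf("  DR%u: %s, len code %u\n", n,
                   rw_name(dr7_slot_rw(dr7, n)), dr7_slot_len(dr7, n));
}

int main(void)
{
    dr7_report(0x700);                       /* loaded through the SoftICE loader */
    dr7_report(0x400);                       /* plain baseline */
    /* constructed: a 4-byte write BPM in DR0 on top of the 0x400 baseline */
    uint32_t bpm = dr7_set_bpm(0x400, 0, 1, 3);
    dr7_report(bpm);
    dr7_report(dr7_clear_bpm(bpm, 0));       /* back to 0x400 */
    return 0;
}
```

Only ring-0 code can feed this with live values (MOV EAX, DR7); from ring 3 the instruction raises #GP, which is why the text restricts the trick to ring 0.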
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" names the SoftICE VxD; the open only succeeds if it is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and thus will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push    00402025            ; \\.\SICE
        0040106C:  call    CreateFileA
        00401071:  cmp     eax, -001
        00401074:  je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; offset 0x13
lands on "SoftICE" in key #2 and 0x37 on "SoftICE" in key #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
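Both breakpoint conditions, the CreateFileA one from Method 11 and the _regopenkey one above, re-expressed in C as an added example that is not part of the original text: it runs the same offset arithmetic over constructed copies of the device names and of the three subkeys, so the constants 0x13 and 0x37 can be derived and checked rather than taken on trust. The strings are constructed inputs, not captured calls.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text: the SoftICE breakpoint
 * conditions of Methods 11 and 13 in C, over constructed sample strings.
 *
 * SoftICE's 'SICE' literal matches memory holding the bytes "SICE". A C
 * multi-character constant is implementation-defined (gcc packs 'SICE'
 * big-endian, which is not the little-endian dword read from memory), so
 * the tags are compared with memcmp on the byte string instead. */

/* Constructed inputs: the device names MeltICE opens and the three
 * registry subkeys listed in Method 13, as they arrive in lpSubKey. */
const char *const DEV_SICE      = "\\\\.\\SICE";
const char *const DEV_SIWVID    = "\\\\.\\SIWVID";
const char *const DEV_NTICE     = "\\\\.\\NTICE";
const char *const KEY_UNINSTALL = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
const char *const KEY_NUMEGA    = "Software\\NuMega\\SoftICE";
const char *const KEY_LOADER32  = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

/* *(p+off)=='TAG4' in SoftICE: the 4 bytes at p+off equal the tag. The real
 * BPX has no length check and reads 4 bytes whatever follows a short string;
 * here a read past the terminating NUL is refused instead. */
static int tag_at(const char *p, size_t off, const char *tag4)
{
    if (strlen(p) < off + 4)
        return 0;
    return memcmp(p + off, tag4, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || =='SIWV' || =='NTIC'
 * esp->4 is lpFileName (first argument); +4 skips the "\\.\" prefix.
 * Returns 1 for SICE, 2 for SIWVID, 3 for NTICE, 0 otherwise. */
int meltice_name_hit(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    for (int i = 0; i < 3; i++)
        if (tag_at(lpFileName, 4, tags[i]))
            return i + 1;
    return 0;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument of RegOpenKey).
 * Returns the number of the matching key from the list above (1 or 2), else 0. */
int softice_regkey_hit(const char *lpSubKey)
{
    if (tag_at(lpSubKey, 0x37, "tICE"))
        return 1;
    if (tag_at(lpSubKey, 0x13, "tICE"))
        return 2;
    return 0;
}

/* Where "tICE" sits in any subkey naming SoftICE (-1 if it does not);
 * this is how the constants 0x13 and 0x37 come about. */
long tice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "SoftICE");
    return p ? (long)(p - lpSubKey) + 3 : -1;   /* +3 skips "Sof" */
}

int main(void)
{
    printf("MeltICE: %s -> %d, %s -> %d, %s -> %d\n",
           DEV_SICE,   meltice_name_hit(DEV_SICE),
           DEV_SIWVID, meltice_name_hit(DEV_SIWVID),
           DEV_NTICE,  meltice_name_hit(DEV_NTICE));
    printf("regkey #1: tICE at 0x%lx (hit %d)\n",
           tice_offset(KEY_UNINSTALL), softice_regkey_hit(KEY_UNINSTALL));
    printf("regkey #2: tICE at 0x%lx (hit %d)\n",
           tice_offset(KEY_NUMEGA), softice_regkey_hit(KEY_NUMEGA));
    printf("regkey #3: tICE at %ld (hit %d)\n",
           tice_offset(KEY_LOADER32), softice_regkey_hit(KEY_LOADER32));
    return 0;
}
```

Key #3 (App Paths\Loader32.Exe) is not caught by either offset, which matches the breakpoint as written; a third term would be needed to cover it. The offset form is fixed to these exact subkey spellings, so a program that opens "SOFTWARE\NuMega\SoftICE" with different casing still matches (same length), but one that opens the parent key "Software\NuMega" and then enumerates it does not.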
: B" P/ Z3 u' ?+ h) @+ [+ b# B# K
( l8 I" g0 p" d: q__________________________________________________________________________! U; V* `0 Z! o- e9 ~" f
1 y" U- Q: R P) s$ ]3 v$ O4 e k& K/ f2 ^
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service returns with the zero flag set when no debugger is
installed, which is what the JE below tests.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE> |