<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own handler (assumes ES = 0,
        xchg bx, es:[41h*4+2]   ; the interrupt vector table segment)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: a changing value in AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL: our handler was not reached
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

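To make the two DR7 values quoted above concrete, here is an added Python helper that is not part of the original text. It decodes a DR7 value into its LE/GE flags and the per-breakpoint enable, type and length fields, following the x86 debug-register layout. Run on 0x400 and 0x700 it shows that the two values differ exactly in the LE and GE bits (bits 8 and 9); bit 10 is reserved and always reads as 1, which is why 0x400 is the "nothing armed" baseline. The DR7 value with an armed DR0 breakpoint is constructed for the example, not read from a real machine.

```python
# Added example (not from the original text): decode the x86 DR7
# debug-control register so the values quoted above (0x400 vs 0x700,
# BPMs in DR0-DR3) can be read without a bit table.

RW_NAMES = {0: "execute", 1: "data write", 2: "I/O read/write", 3: "data read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing the flags and hardware breakpoints DR7 enables."""
    info = {
        "le": bool(dr7 & 0x100),              # bit 8: local exact breakpoint enable
        "ge": bool(dr7 & 0x200),              # bit 9: global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # bit 10: reserved, reads as 1
        "gd": bool(dr7 & 0x2000),             # bit 13: general detect (traps MOV DRx)
        "breakpoints": [],
    }
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1       # L0..L3 live at bits 0, 2, 4, 6
        global_en = (dr7 >> (2 * i + 1)) & 1  # G0..G3 live at bits 1, 3, 5, 7
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/W0..3 at bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3        # LEN0..3 at bits 18-19, 22-23, 26-27, 30-31
        info["breakpoints"].append({
            "index": i,
            "local": bool(local_en),
            "global": bool(global_en),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def looks_like_softice_loader(dr7):
    """The check the text describes: LE and GE both set, as in the 0x700 value."""
    flags = decode_dr7(dr7)
    return flags["le"] and flags["ge"]


def has_memory_breakpoints(dr7):
    """True if any of DR0-DR3 is enabled, i.e. a BPM-style breakpoint is armed."""
    return bool(decode_dr7(dr7)["breakpoints"])


# Constructed sample: the 0x400 baseline plus L0 enabled (bit 0) as a
# 4-byte read/write breakpoint on DR0 (R/W0 = 11b at bits 16-17,
# LEN0 = 11b at bits 18-19).  Not taken from any real machine.
SAMPLE_BPM_DR7 = 0x000F0401

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM_DR7):
        print("dr7=0x%X -> %r" % (value, decode_dr7(value)))
```

The decoder only interprets the register; whether a given value really means "loaded through the SoftICE loader" is the text's own observation and depends on the host, so a detection written on top of this should treat LE/GE as a hint and the DR0-DR3 enable bits as the hard evidence of an armed breakpoint.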
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:   push 00402025       ; \\.\SICE
  0040106C:   call CreateFileA
  00401071:   cmp eax,-001
  00401074:   je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

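The BPX and BPINT lines given for each method catch the trick at run time under SoftICE. The same signatures can be flagged statically before the program is run at all, which is how an analyst triages a packed sample today. The following Python scanner is an added example and is not part of the original text: it searches raw code bytes for the instruction encodings and strings of methods 01, 02, 03/04, 05, 07, 11 and 12 above (the BCHK constant, the 4647h/4A4Dh magic values, int 2Fh/1684h with VxD ID 0202h or 7A5Fh, int 41h/4Fh, int 68h/43h, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the 002A002Ah VxDCall). The sample buffer is hand-assembled from those encodings and is constructed, not taken from any real program; an optional 66h operand-size prefix is accepted so that both 16-bit DOS and 32-bit Win9x code match.

```python
import re

# Added example (not from the original text): static signatures for the
# SoftICE detection tricks described above.  Each entry is
# (method number in this text, bytes regex, description).  x86 encodings
# used: mov ebp,imm32 = BD; mov ax/bx/si/di,imm16 = B8/BB/BE/BF;
# mov ah,imm8 = B4; int n = CD n; int 3 = CC; push imm8 = 6A; push imm32 = 68.
# "\x66?" accepts the optional operand-size prefix seen in 32-bit code, and
# ".{0,8}?" allows a few unrelated bytes between the two halves of a pattern.
SIGNATURES = [
    ("01", rb"\xBD\x4B\x48\x43\x42",
     "mov ebp,'BCHK' (BoundsChecker signature check)"),
    ("02", rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
     "mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)"),
    ("03", rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02",
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    ("04", rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A",
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    ("05", rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41",
     "int 41h function 4Fh (debugger installation check)"),
    ("07", rb"\xB4\x43.{0,8}?\xCD\x68",
     "int 68h function 43h (V86 WinICE handler check)"),
    ("11", rb"\\\\\.\\(SICE|SIWVID|NTICE)",
     "SoftICE device name (MeltICE-style CreateFileA/_lopen check)"),
    ("12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     "VxDCall VWIN32_Int41Dispatch with function 4Fh"),
]
COMPILED = [(m, re.compile(p, re.DOTALL), d) for m, p, d in SIGNATURES]


def scan(code):
    """Return sorted (offset, method, description) hits for every signature match."""
    hits = []
    for method, pattern, desc in COMPILED:
        for match in pattern.finditer(code):
            hits.append((match.start(), method, desc))
    return sorted(hits)


def methods_found(code):
    """The distinct method numbers (as in this text) whose signature appears."""
    return sorted({method for _, method, _ in scan(code)})


# Constructed sample buffer, hand-assembled from the encodings above; it is
# not taken from any real executable.
SAMPLE = (
    b"\x90" * 4                              # nop padding
    + b"\xBD\x4B\x48\x43\x42"                # mov ebp, 4243484Bh         (method 01)
    + b"\x66\xB8\x04\x00\xCC"                # mov ax, 4 / int 3
    + b"\xB8\x11\x09"                        # mov ax, 0911h              (method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h (method 05)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"        # push 4Fh / push 002A002Ah  (method 12)
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE',0               (method 11)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("offset 0x%04X  method %s  %s" % (offset, method, desc))
```

Run it over a dumped code section or an unpacked image rather than the packed file itself: the whole point of the packers mentioned in Method 01 is that these bytes only exist in memory after decryption. Method 09, 10, 13 and 14 have no byte signature worth matching (a VMMCall, a register read, a registry path and a VMM service respectively), so they are left to the run-time breakpoints the text gives.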
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>