About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must point to the IVT (0000h), as in method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; dummy handler: leaves ax = 4fh
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only reached if no debugger swallowed int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; hard-to-predict value (timer channel 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                  ; DOS: set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
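As an added example that is not part of the original post, here is a small static scanner that flags the tricks catalogued above (methods 01-05, 07, 11-13) in a raw binary, the way an analyst would triage a packed sample before loading it in a debugger. The byte patterns are my own encodings of the instructions shown in each method, and the sample buffer is constructed, not taken from any real file.

```python
"""Static scanner for the anti-SoftICE tricks catalogued above (constructed example)."""
import re
import sys

# (catalogue entry, regex over raw bytes).  Patterns are the 16-bit/32-bit
# encodings of the instructions shown in the text (mov si,4647h = BE 47 46,
# int 41h = CD 41, ...).  ".{0,N}" tolerates a few unrelated instructions between
# the register setup and the INT / CMP that uses it, as in the Haspinst.exe listing.
RULES = [
    ("01 BoundsChecker 'BCHK' via int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),                    # mov ebp,4243484Bh .. int 3
    ("02 SoftICE back door (si=4647h, di=4A4Dh, int 3)",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc"),
    ("03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xbb\x02\x02.{0,8}\xcd\x2f"),                        # mov bx,0202h .. int 2Fh
    ("04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xbb\x5f\x7a.{0,8}\xcd\x2f"),
    ("05 int 41h/4Fh, magic 0F386h",
     rb"\xb8\x4f\x00.{0,12}\xcd\x41.{0,12}\x3d\x86\xf3"),   # mov ax,4Fh .. int 41h .. cmp ax,0F386h
    ("07 int 68h/43h, magic 0F386h",
     rb"\xb4\x43.{0,8}\xcd\x68.{0,8}\x3d\x86\xf3"),         # mov ah,43h .. int 68h .. cmp ax,0F386h
    ("11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),                 # "\\.\SICE" etc., NUL-terminated
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     rb"\x6a\x4f.{0,4}\x68\x2a\x00\x2a\x00"),               # push 4Fh .. push 002A002Ah
    ("13 SoftICE registry key",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in RULES]


def scan(data: bytes):
    """Return [(offset, rule name)] for every trick found, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: filler, a method-05 check, a method-02 back-door call,
# a MeltICE device name and a registry path.  Not taken from any real file.
SAMPLE = (
    b"\x55\x8b\xec"                                   # push bp / mov bp,sp
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"     # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\xbe\x47\x46\xbf\x4d\x4a\xb8\x11\x09\xcc"     # mov si,4647h; mov di,4A4Dh; mov ax,0911h; int 3
    + b"\\\\.\\SICE\x00"                              # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

Hits on the constructed sample land at offsets 3, 13, 23 and 41 (methods 05, 02, 11 and 13); a match is a lead for a BPX, not proof, since the same bytes can occur in unrelated code.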
</PRE></TD></TR></TBODY></TABLE>