About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: an int 3 is issued
with ebp='BCHK' and ax=4. If SoftICE is loaded, its handler services the call
and al no longer equals 4 afterwards; if it is not loaded, al is untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints, executes SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT
(0000:0104h) is temporarily swapped with the program's own handler, so the
result does not depend on whatever handler the IVT holds; SoftICE intercepts
the interrupt before it reaches the IVT and still answers 0F386h, while
without it the dummy handler leaves ax untouched:

    mov     bx, cs                  ; es is assumed to be 0 (IVT segment)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random-ish value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The idea: if the program's own handler runs, it copies al to cl and the
comparison succeeds. If SoftICE swallows the interrupt, cl stays 0. Neither the
4Fh function code nor the 0F386h constant appears in the code, which is what
makes this variant harder to spot with a breakpoint or a signature.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
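The int-based checks of methods 01 to 07 all leave a recognisable immediate in the code: 'BCHK' in ebp, the 4647h/4A4Dh magic pair, 1684h next to a SoftICE VxD ID, 4Fh before int 41h, 43h before int 68h. The C program below is an added example, not part of the original article: a minimal byte-pattern scanner of the kind a reverser runs over a dumped packer stub to locate these checks before tracing. The byte encodings assume 16-bit code for the DOS-era sequences and 32-bit code for the BoundsChecker one, and assume the instructions sit back to back in the order shown above (a packer that reorders them or inserts junk between them would need wildcards). The sample buffer is constructed for the demonstration, not taken from Haspinst.exe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One anti-SoftICE signature: the raw bytes of the instruction sequence. */
typedef struct {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
} sig_t;

/* Method 01, 32-bit code: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 */
static const uint8_t M01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
/* Method 02, 16-bit code: mov si,4647h ; mov di,4A4Dh ; int 3 */
static const uint8_t M02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Methods 03/04, 16-bit code: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
static const uint8_t M03[] = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};   /* SICE   0202h */
static const uint8_t M04[] = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};   /* SIWVID 7A5Fh */
/* Method 05, 16-bit code: mov ax,4Fh ; int 41h */
static const uint8_t M05[] = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 07, 16-bit code: mov ah,43h ; int 68h */
static const uint8_t M07[] = {0xB4,0x43, 0xCD,0x68};

static const sig_t SIGS[] = {
    {"M01 BoundsChecker 'BCHK' int 3",       M01, sizeof M01},
    {"M02 back door magic 4647h/4A4Dh",      M02, sizeof M02},
    {"M03 int 2Fh/1684h VxD 0202h (SICE)",   M03, sizeof M03},
    {"M04 int 2Fh/1684h VxD 7A5Fh (SIWVID)", M04, sizeof M04},
    {"M05 int 41h function 4Fh",             M05, sizeof M05},
    {"M07 int 68h function 43h",             M07, sizeof M07},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *name; size_t offset; } hit_t;

/* Scan buf[0..len) for every signature. Hits are written to out (up to
 * max_hits of them, in signature order); the return value is the total
 * number found, so a caller can tell when the output array was too small. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, hit_t *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const sig_t *sg = &SIGS[s];
        for (size_t i = 0; sg->len <= len && i + sg->len <= len; i++) {
            if (memcmp(buf + i, sg->pat, sg->len) != 0)
                continue;
            if (n < max_hits) {
                out[n].name   = sg->name;
                out[n].offset = i;
            }
            n++;
        }
    }
    return n;
}

/* Constructed 16-bit code fragment (not from a real binary): a Method 02
 * back door call followed by a Method 03 VxD probe, with filler around them. */
const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,0x90,                        /* 0000: nop x4 */
    0xB8,0x11,0x09,                             /* 0004: mov ax,0911h (execute command) */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,       /* 0007: mov si,4647h ; mov di,4A4Dh ; int 3 */
    0x83,0xC3,0x02,                             /* 000E: add bx,2 */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,  /* 0011: mov ax,1684h ; mov bx,0202h ; int 2Fh */
    0xC3                                        /* 0019: ret */
};

int main(void)
{
    hit_t hits[16];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("+%04zX  %s\n", hits[i].offset, hits[i].name);
    return n ? 1 : 0;   /* non-zero exit status when anti-debug checks were found */
}
```

Run over the constructed sample it reports the Method 02 sequence at +0007 and the Method 03 probe at +0011; point `scan_anti_sice` at a file read into memory to use it on a real stub.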
__________________________________________________________________________
; ^( j" u, N1 |7 \
9 N# c8 i: q2 L( h0 W. }- P% q; S2 R% T8 y4 h
Method 081 Q4 O+ O4 A/ {; o- E8 N' ]. z8 [# m
=========
2 Q7 f+ b( n8 j+ z! U; G( N% E0 X1 R" O% i
It is not a method of detection of SoftICE but a possibility to crash the( ~6 {) S' j7 S
system by intercepting int 01h and int 03h and redirecting them to another# R1 J4 i( j: o4 _. c
routine.
! c+ V* H2 w" m, _, SIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( C7 ~6 f( U6 Y2 L4 j
to the new routine to execute (hangs computer...)
* `& k- o" K; p/ `4 \2 Z3 i' t3 n" _1 q8 f3 T7 L( c* {
    mov     ah, 25h
  F# S! W. Q% E! {' p( c5 g    mov     al, Int_Number (01h or 03h)4 t: q* D8 X  \. z  @2 ^
    mov     dx, offset New_Int_Routine
1 p- Q  Y: k, h; i. G+ m. y  `    int     21h; `! U* s- o3 W- H0 c7 o9 W

7 X2 v# c$ A$ N  ~__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3). The values
can be manipulated or changed as well (clearing BPMs, for instance).
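As an added example (not part of the article), here is how the ring-0 read described above is interpreted once the value is in hand. The DR7 layout it decodes is the documented x86 one: L0..L3 and G0..G3 enable bits in bits 0..7, LE/GE in bits 8 and 9, bit 10 reserved and always read as 1 (which is why an idle DR7 reads 0x400), GD in bit 13, and an R/W + LEN pair per slot from bit 16 upwards. The article's 0x700 is therefore LE and GE set on top of the reserved bit, with no breakpoint slot armed; a BPM shows up as an armed slot with its R/W and LEN fields. Reading DR7 itself (`mov eax, dr7`) needs CPL 0 and is not done here; the values decoded below are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one hardware breakpoint slot (DRn, n = 0..3). */
typedef struct {
    int local;      /* Ln: enabled for the current task */
    int global;     /* Gn: enabled for every task */
    int rw;         /* 0 execute, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len_bytes;  /* 1, 2, 4 or 8 (8 only in 64-bit mode) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge;     /* bits 8/9: local/global exact breakpoint enable */
    int gd;         /* bit 13: general detect, faults on any MOV to/from DRn */
    int active;     /* slots with L or G set, i.e. live hardware breakpoints */
} dr7_info;

static int len_decode(unsigned f)
{
    switch (f) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        d.slot[i].local     = (dr7 >> (2 * i))      & 1;
        d.slot[i].global    = (dr7 >> (2 * i + 1))  & 1;
        d.slot[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len_bytes = len_decode((dr7 >> (18 + 4 * i)) & 3);
        if (d.slot[i].local || d.slot[i].global)
            d.active++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The article's fingerprint: a program started through the SoftICE loader sees
 * LE and GE set (0x700); without it only the reserved bit is there (0x400). */
int looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700) == 0x700;
}

/* Arm one slot the way a debugger setting a BPM/BPX does. rw and len_bytes use
 * the encodings above; returns the new DR7. Helper used to build the values
 * decoded in main(); it is the inverse of decode_dr7 for one slot. */
uint32_t dr7_arm(uint32_t dr7, int slot, int rw, int len_bytes, int global)
{
    unsigned lenf = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 4 ? 3 : 2;
    dr7 &= ~((3u << (16 + 4 * slot)) | (3u << (18 + 4 * slot)) | (3u << (2 * slot)));
    dr7 |= (uint32_t)rw << (16 + 4 * slot);
    dr7 |= lenf << (18 + 4 * slot);
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    return dr7;
}

static void print_dr7(uint32_t v)
{
    dr7_info d = decode_dr7(v);
    printf("DR7=%08X  LE=%d GE=%d GD=%d  softice_loader=%d  armed=%d\n",
           v, d.le, d.ge, d.gd, looks_like_softice_loader(v), d.active);
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local || d.slot[i].global)
            printf("  DR%d: %s rw=%d len=%d\n", i, d.slot[i].global ? "G" : "L",
                   d.slot[i].rw, d.slot[i].len_bytes);
}

int main(void)
{
    uint32_t bpm = dr7_arm(0x700, 0, 1, 4, 0);   /* BPM dword write on DR0, local */
    print_dr7(0x400);                            /* idle: reserved bit only */
    print_dr7(0x700);                            /* loader fingerprint, no BPMs */
    print_dr7(bpm);
    print_dr7(dr7_arm(bpm, 2, 0, 1, 1));         /* plus an execute bp on DR2, global */
    return 0;
}
```

A protection that implements Method 10 does the first half of this (read, decode, compare); the same decoding tells the reverser which BPM to clear before stepping through such code, as the warning at the top of the method says.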

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE (Win9x) is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded, so the driver is present */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  dword compared is the driver name itself)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in the
key #2 and key #1 paths above.)

__________________________________________________________________________

: y% A" d* H  c
$ g/ ]8 U9 q5 W2 z- xMethod 14
+ p- b9 }; Z: y) ^$ ^=========
" @9 H& b! I; V& T
  o" R5 \* J9 m* u$ qA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose7 X' q3 z. h1 D* h
is to determines whether a debugger is running on your system (ring0 only)./ P7 g6 k) P3 ^* h# [# |! F4 j
/ R0 a2 p- w5 J2 }5 R# [3 I1 J$ J
   VMMCall Test_Debug_Installed
, c" r6 E* Y- O# h( k: }0 e; Y" ~   je      not_installed' u! D& l1 ?6 X/ O* y& [
! b1 \% M$ I5 @: l4 q! v
This service just checks a flag.
7 p' B. p; S% C' P/ l- ^</PRE></TD></TR></TBODY></TABLE>