<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz  SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (IVT segment), see Method 06
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz  SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in  al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz  SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
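A decoder for the debug-register values this trick reads, as an added example that is not part of the original text: reading DR0-DR7 is ring-0 only, so this Python helper (hypothetical names decode_dr7 and debugger_indicators) takes the raw values, e.g. from a saved CONTEXT record, and spells out what 0x400 versus 0x700 and an armed DR0-DR3 slot mean.

```python
# Bit layout of DR7 per the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8,
# GE bit 9, reserved bit 10 (always reads 1), GD bit 13, then R/Wn and LENn
# as 2-bit fields starting at bit 16.  0x400 is therefore the idle value and
# 0x700 is "LE and GE set", the pattern the text attributes to the SoftICE loader.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN encoding (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the four breakpoint slot descriptors."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        global_ = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"enabled": local or global_, "local": local, "global": global_,
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "slots": slots}


def debugger_indicators(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> list:
    """Human-readable findings in the spirit of Method 10: empty list = nothing seen."""
    info = decode_dr7(dr7)
    findings = []
    if info["LE"] or info["GE"]:
        findings.append("LE/GE set (dr7 looks like 0x700: started under a system debugger)")
    if info["GD"]:
        findings.append("GD set: any access to the debug registers traps to the debugger")
    for n, (addr, slot) in enumerate(zip((dr0, dr1, dr2, dr3), info["slots"])):
        if slot["enabled"]:
            findings.append(f"BPM slot {n}: {slot['kind']} len={slot['len']} at {addr:#010x}")
    return findings


if __name__ == "__main__":
    # Constructed values: a process started from the loader with one 4-byte
    # read/write BPM on 0x401000 in slot 0.
    for line in debugger_indicators(0x401000, 0, 0, 0, 0xF0701):
        print(line)
```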

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE VxD answers on \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* handle opened: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

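A static triage scanner for the checks shown in Methods 01 to 07, 11 and 12, added here as an example and not taken from the original text or any tool it names: it searches a raw buffer for the byte encodings of those instruction sequences and driver names so an analyst can flag them in a sample without running it. The signature table, the function names and the sample buffer are constructed; the optional 66h prefix is an assumption covering the same 16-bit instructions assembled in a 32-bit segment.

```python
import re

# Signature table (constructed here): regex over raw bytes -> which method it is.
# Encodings follow the Intel opcode map; an optional 66h operand-size prefix is
# allowed where a 16-bit register move/compare may sit in a 32-bit code segment.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    (rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", "M01 BoundsChecker 'BCHK' int 3 probe"),
    # Method 02: mov si,4647h (BE 47 46) / mov di,4A4Dh (BF 4D 4A) ... int 3
    (rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a.{0,8}?\xcc", "M02 int 3 backdoor, SI=4647h DI=4A4Dh"),
    (rb"\x66?\xbf\x4d\x4a.{0,8}?\x66?\xbe\x47\x46.{0,8}?\xcc", "M02 int 3 backdoor, DI set first"),
    # Methods 03/04: mov bx,0202h or 7A5Fh (BB imm16) ... int 2Fh (CD 2F)
    (rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", "M03/04 int 2Fh/1684h VxD lookup (SICE/SIWVID)"),
    # Method 05 (also Stone's variant): int 41h (CD 41) ... cmp ax,0F386h (3D 86 F3)
    (rb"\xcd\x41.{0,16}?\x66?\x3d\x86\xf3", "M05 int 41h/4Fh magic 0F386h check"),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68)
    (rb"\xb4\x43\xcd\x68", "M07 int 68h/43h V86 handler check"),
    # Method 11: driver names opened through CreateFileA or _lopen
    (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", "M11 MeltICE driver-name open"),
    # Method 12: push 4Fh (6A 4F or 68 imm32) ; push 2A002Ah (68 2A 00 2A 00)
    (rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00", "M12 VxDCall VWIN32_Int41Dispatch 4Fh"),
]


def scan(buf: bytes) -> list:
    """Return sorted (offset, description) pairs for every signature found in buf."""
    hits = []
    for pattern, desc in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample (not a real binary): the Haspinst.exe loop body from
# Method 02, the simple Method 05 check and a MeltICE device name, NOP-padded.
SAMPLE = b"".join([
    b"\xb8\x11\x09",        # mov ax,0911h
    b"\x8b\x17",            # mov dx,[bx]
    b"\xbe\x47\x46",        # mov si,4647h      (offset 5)
    b"\xbf\x4d\x4a",        # mov di,4A4Dh
    b"\xcc",                # int 3
    b"\x90" * 4,
    b"\xb8\x4f\x00",        # mov ax,4Fh
    b"\xcd\x41",            # int 41h           (offset 19)
    b"\x3d\x86\xf3",        # cmp ax,0F386h
    b"\x90" * 4,
    b"\\\\.\\SICE\x00",     # "\\.\SICE"        (offset 28)
])

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:#06x}  {desc}")
```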
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>