<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE:

    mov ebp, 04243484Bh  ; 'BCHK'
    mov ax, 04h
    int 3                ; SoftICE's BoundsChecker handler answers by changing al
    cmp al,4             ; without SoftICE, al is still 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di,di
    mov es,di            ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (left at 0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di            ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point (left at 0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; ES must be 0 (the IVT); install our dummy handler
    xchg bx, es:[41h*4+2]    ; and keep the old vector in dx:bx
    mov ax,4fh
    int 41h                  ; only a resident debugger can still answer 0F386h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                     ; leaves ax untouched
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; the dummy handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; a timer byte as test value: no 4Fh/0F386h constants to spot
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; if the int reached our handler, cl == al;
    jnz SoftICE_detected     ; otherwise cx is still 0 (false negative only if al was 0)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; DOS set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
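The two DR7 values quoted above become readable once the register is decoded
field by field. The following decoder is an added example, not code from the
original text or from FrogsICE; it assumes the DR7 layout documented by Intel
(L0/G0..L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and always
read as 1, GD in bit 13, R/W and LEN pairs for each slot from bit 16 up) and
takes the DR0..DR3 values as plain integers, since reading them for real needs
ring0.

```python
# Added example (not from the original text): decode the x86 debug registers
# the way a ring-0 check of Method 10 would have to.  Layout assumed from the
# Intel SDM; DR0..DR3 are passed in as integers (reading them needs ring0).
DR7_LE = 0x100          # local exact breakpoint enable
DR7_GE = 0x200          # global exact breakpoint enable
DR7_RESERVED1 = 0x400   # reserved, always reads as 1: the idle value quoted above
DR7_GD = 0x2000         # general detect: trap any access to the debug registers

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in long mode


def decode_dr7(dr7, dr_addrs=(0, 0, 0, 0)):
    """Describe which hardware breakpoints DR7 enables.

    dr_addrs holds DR0..DR3 (linear addresses) so each enabled slot is
    reported together with the address it watches.
    """
    if len(dr_addrs) != 4:
        raise ValueError("need the four values DR0..DR3")
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # Li bit
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # Gi bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11        # R/Wi: what kind of access traps
        ln = (dr7 >> (18 + 4 * i)) & 0b11        # LENi: size of the watched range
        slots.append({
            "slot": i,
            "address": dr_addrs[i],
            "local": local,
            "global": glob,
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED1),
    }


def debugger_hint(dr7, dr_addrs=(0, 0, 0, 0)):
    """The heuristic of Method 10 in words: 0x400 is the idle CPU value (only
    the reserved bit set); 0x700 additionally carries LE and GE, which is what
    the text reports after loading a program through the SoftICE loader; any
    enabled L/G bit means a hardware breakpoint (a BPM) is armed."""
    info = decode_dr7(dr7, dr_addrs)
    if info["breakpoints"]:
        return "hardware breakpoint(s) armed"
    if info["le"] or info["ge"]:
        return "LE/GE set: debugger-loaded"
    return "clean"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), debugger_hint(value, (0x401000, 0, 0, 0)))
```

The constructed value 0xD0401 in the usage line is L0 enabled with R/W0 = write
and LEN0 = 4 bytes, i.e. a BPM W on a dword at DR0; clearing such a slot, as the
text mentions, means zeroing its L/G bits.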

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
       when the SoftICE VxD is loaded and answers the DIOC_OPEN message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
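The breakpoints listed under each method catch the tricks at run time; the
same constants also let an analyst find them statically in a sample before
stepping into it. The scanner below is an added example, not code from the
original text or from FrogsICE: it matches the opcode sequences and strings of
methods 01, 02, 03/04, 05, 07, 11, 12 and 13 as described above, assuming the
listings are assembled with the standard 16/32-bit x86 encodings (for instance
B8 imm16 for mov ax, CD xx for int, 3D imm16 for cmp ax), and it scans a
constructed sample buffer assembled from those listings.

```python
# Added example (not from the original text): static scanner for the byte
# patterns and strings characteristic of the SoftICE detection methods above.
# Opcode encodings assume standard 16/32-bit x86 assembly of the listings;
# the sample buffer at the bottom is constructed here for the demonstration.
import re

# Method label -> regex over raw bytes; the comment gives the assembly matched.
SIGNATURES = {
    "01 BoundsChecker int 3 (mov ebp,'BCHK')":
        re.compile(rb"\xBD\x4B\x48\x43\x42"),                   # mov ebp,4243484Bh (66h prefix optional)
    "02 int 3 back door (mov si,4647h / mov di,4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                   rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S),  # either order, few bytes apart
    "03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID id)":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),  # mov ax,1684h; mov bx,id; int 2Fh
    "05 int 41h/4Fh debugger check":
        re.compile(rb"\xB8\x4F\x00\xCD\x41"),                   # mov ax,4Fh; int 41h
    "05/07/12 magic number compare (cmp ax,0F386h)":
        re.compile(rb"\x3D\x86\xF3"),                           # cmp ax,0F386h (66h prefix optional)
    "07 int 68h/43h WinICE handler check":
        re.compile(rb"\xB4\x43\xCD\x68"),                       # mov ah,43h; int 68h
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    "11 MeltICE driver device names":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),       # "\\.\SICE",0 etc.
    "13 SoftICE registry keys":
        re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I),
}


def scan(blob):
    """Return a sorted list of (offset, method label) for every signature hit.

    Short opcode patterns can also match data by chance, so treat a hit as a
    place to look, not as proof on its own.
    """
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler around snippets assembled from the listings.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"     # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"         # Method 02 (Haspinst loop body)
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"         # Method 03
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                 # Method 05
    + b"\x90" * 3
    + b"\xB4\x43\xCD\x68\x66\x3D\x86\xF3"                         # Method 07 (32-bit cmp ax)
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"         # Method 12
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                          # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                            # Method 13 key #2
)


if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Running the block on a real file means replacing SAMPLE with the file's bytes;
the 0F386h compare fires on its own for methods 05, 07 and 12 because all three
test the same magic number, which is why it is kept as a separate entry.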

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>