About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is displayed in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.