<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; al is modified when SoftICE answers the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SIce window)
 -AX = 0911h (Execute a SIce command; the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; ES:DI stays 0000:0000 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es is assumed to be 0 here (see Method 06);
    xchg bx, es:[41h*4+2]     ; install a temporary int 41h handler
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                ; timer port: a pseudo-random value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                ; our handler copies al into cl; if a debugger
    jnz SoftICE_detected      ; handled int 41h instead, cl stays 0

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed:

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated and/or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD is loaded and answers it */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

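As an added example (not part of the original text), here is a small Python scanner, written from the analyst's side, that looks for the byte patterns of the tricks described above in a raw binary image: the 'BCHK' sequence of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h calls of methods 03 and 04, the int 41h/4Fh call and the 0F386h compare of methods 05, 07 and 12, the driver device names of method 11 and the registry key of method 13. The opcode bytes are the standard x86 encodings; the signature names and the sample buffer are constructed for this example.

```python
import re
import sys

# Optional 0x66 operand-size prefix, so each pattern matches both the 16-bit
# DOS form and the 32-bit Win32 form of the same instruction.
P = rb"(?:\x66)?"

# Byte signatures of the tricks described above (names are this example's own).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CC or CD 03)
    "m01_bchk_int3": re.compile(
        P + rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.S),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back door magic values)
    "m02_backdoor_magic": re.compile(P + rb"\xBE\x47\x46" + P + rb"\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "m03_m04_int2f_1684": re.compile(
        P + rb"\xB8\x84\x16" + P + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "m05_int41_4f": re.compile(P + rb"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12: cmp ax,0F386h (magic number returned by system debuggers)
    "magic_f386_cmp": re.compile(P + rb"\x3D\x86\xF3"),
    # Method 11 (MeltICE / _lopen): driver device names "\\.\SICE" etc.
    "m11_device_names": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: SoftICE installation key in the registry
    "m13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(data: bytes) -> dict:
    """Return {signature name: [offsets]} for every signature found in data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: a Haspinst-style back door call (16-bit code), a 32-bit
# int 41h/4Fh check, the MeltICE device name and the registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h           (offset 9)
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90\x90"
    + b"\x66\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh ; int 41h   (offset 18)
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h          (offset 24)
    + b"\x00\\\\.\\SICE\x00"           # "\\.\SICE"             (offset 29)
    + b"Software\\NuMega\\SoftICE\x00" # registry key           (offset 38)
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in sorted(scan(data).items()):
        print(f"{name:20s} at " + ", ".join(f"0x{o:x}" for o in offsets))
```

A hit only says that the bytes are present; confirm in the disassembly that they sit on an executed path before treating a program as using the trick.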
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>