About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

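As an added example (not from the original text), the following Python decoder applies the documented IA-32 DR7 bit layout to the two values quoted above: 0x700 and 0x400 differ only in bits 8 and 9 (LE and GE, the "exact match" bits), bit 10 is the reserved bit that always reads as 1, and bits 0-7 with the RW/LEN fields in bits 16-31 are what a ring-0 reader would inspect to list or clear hardware memory breakpoints (BPMs). The register values used at the bottom are constructed for the demonstration.

```python
"""Decode the x86 DR7 debug-control register.

Added example (not from the original text): explains the two DR7 values the
text quotes (0x700 with the SoftICE loader, 0x400 otherwise) and shows what a
ring-0 read of dr0-dr3/dr7 reveals about memory breakpoints (BPMs).  The bit
layout is the documented IA-32 one; the register values below are constructed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=2 means 8 bytes on 64-bit CPUs only


def decode_dr7(dr7):
    """Return the control bits of DR7 and the enabled breakpoint slots."""
    info = {
        "LE": bool(dr7 & (1 << 8)),     # local exact breakpoint match
        "GE": bool(dr7 & (1 << 9)),     # global exact breakpoint match
        "GD": bool(dr7 & (1 << 13)),    # general detect: trap MOV to/from DRn
        "slots": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln bit
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn field
        info["slots"].append({"n": n, "local": local, "global": glob,
                              "rw": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return info


def loader_signature(dr7):
    """True when DR7 carries the LE+GE bits that distinguish 0x700 from 0x400."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def bpm_report(dr7, drs):
    """List active hardware breakpoints as 'DRn=addr rw len=N (scope)' strings."""
    lines = []
    for slot in decode_dr7(dr7)["slots"]:
        n = slot["n"]
        scope = "global" if slot["global"] else "local"
        lines.append("DR%d=0x%08X %s len=%d (%s)"
                     % (n, drs[n], slot["rw"], slot["len"], scope))
    return lines


def clear_bpm_enables(dr7):
    """Return DR7 with the L0-L3/G0-G3 enable bits (bits 0-7) cleared.

    The RW/LEN fields are left untouched, so the slots can be re-armed later.
    """
    return dr7 & ~0xFF


if __name__ == "__main__":
    for value in (0x700, 0x400):                  # the two values from the text
        print(hex(value), decode_dr7(value))
    # constructed state: DR0 armed locally as a 4-byte read/write BPM
    dr7 = 0x000F0401
    drs = [0x00401000, 0, 0, 0]
    print(bpm_report(dr7, drs))
    print(hex(clear_bpm_enables(dr7)))
```

The `slots` list is empty for both 0x700 and 0x400, which is the point of the text's first check: the loader signature lives in the control bits, not in any armed breakpoint; the BPM check is the second, independent read of bits 0-7 together with dr0-dr3.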
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE VxD answers to its device name. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

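The breakpoints listed under Methods 11 and 12 (and the earlier ones) all need the target running under SoftICE. As an added example, not part of the original article or of any tool it names, the Python scanner below does the static counterpart an analyst would run first: it searches a raw code section for the byte encodings of the instruction sequences quoted in Methods 01, 02, 03/04, 05, 07, 11 and 12 and reports which trick sits at which offset. The encodings assume 32-bit operand size for the Win32 packer sequence of Method 01 and 16-bit operand size for the DOS sequences (Methods 02-07); the sample blob is constructed here from those same sequences.

```python
"""Static scanner for the anti-SoftICE code sequences catalogued above.

Added example (not from the original article): flags Methods 01-05, 07, 11 and
12 in a raw code section so a sample can be triaged before it is ever loaded
under a debugger.  The regexes are the x86 encodings of the quoted instruction
sequences (assumption: 32-bit operand size for Method 01, 16-bit for the DOS
ones); a small gap of arbitrary bytes is allowed between the instructions of
one sequence.  SAMPLE is a constructed blob, not a real binary.
"""
import re

# (method, description, pattern over raw bytes)
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),                        # mov ebp,4243484Bh ... int 3
    ("02", "SoftICE back door: SI=4647h, DI=4A4Dh before int 3",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),             # mov si,4647h; mov di,4A4Dh ... int 3
    ("03/04", "int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),   # mov ax,1684h; mov bx,ID ... int 2Fh
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),                           # mov ax,4Fh ... int 41h
    ("07", "int 68h/43h WinICE V86 handler probe",
     rb"\xB4\x43.{0,8}?\xCD\x68"),                                # mov ah,43h ... int 68h
    ("11", "MeltICE: device name of a SoftICE driver",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),                      # "\\.\SICE",0 etc.
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                           # push 4Fh; push 2A002Ah
]
# DOTALL so '.' matches any byte value inside the allowed gaps
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Return the distinct method numbers present, in offset order."""
    seen = []
    for _, method, _ in scan(blob):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed blob: NOP padding around the sequences quoted in the text.
SAMPLE = (
    b"\x90" * 16
    # Method 01 as a Win32 packer emits it: mov ebp,4243484Bh; mov ax,4; int 3; cmp al,4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    + b"\x90" * 8
    # Method 02 from the Haspinst.exe listing: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 8
    # Method 04: xor di,di; mov es,di; mov ax,1684h; mov bx,7A5Fh; int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
    + b"\x90" * 8
    # Method 12: push 4Fh; push 2A002Ah (the call/cmp that follow are not needed for the match)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"
    + b"\x90" * 8
    # Method 11: the NT driver name as it would sit in the data section
    + b"\\\\.\\NTICE\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("0x%04X  Method %-5s %s" % (offset, method, desc))
```

Run over a real code section the gaps (`.{0,8}?`) keep the patterns tolerant of the register shuffling seen in Stone's Method 05 variant, while the immediates (4243484Bh, 4647h/4A4Dh, 1684h with 0202h/7A5Fh, 2A002Ah) are specific enough that NOP padding or ordinary code does not trigger them; Methods 06, 08, 09, 10, 13 and 14 have no fixed immediate to key on and are left to the dynamic breakpoints the text gives.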
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>