<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the check relies on
SoftICE answering the int 3 (and changing AL) when EBP holds the
BoundsChecker signature 'BCHK'; with no debugger loaded, AL keeps the
value 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; answered by SoftICE if it is loaded
        cmp al, 4               ; AL unchanged: nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  for int 3 (an SEH) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
untouched, which is why both are zeroed before the call.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES+DI is 0 only if nothing was returned
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the VxD ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next snippet, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler that only does
IRET is installed first, so AX comes back unchanged (not 0F386h) unless a
system debugger sits in front of it. ES must point at the interrupt
vector table (segment 0) for the xchg's to patch the vector:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, old offset -> DX
        xchg bx, es:[41h*4+2]   ; old segment -> BX
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
instead of looking for the 0F386h answer, it installs an int 41h handler
that copies AL into CL, then issues int 41h with AL set to a byte read
from the timer (port 40h). If our own handler ran, CL == AL; if SoftICE
intercepted the interrupt before it, CL is still 0. (If the timer byte
happens to be 0 the test is inconclusive.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, old vector -> BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from PIT counter 0
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).
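
Here is an added example (not from the original text, and not SoftICE's
own code) that makes these register values concrete: it decodes a DR7
value into the hardware breakpoints it arms, using the documented x86 DR7
layout, and shows what "clearing BPMs" amounts to at bit level. The two
values quoted above, 0x700 and 0x400, differ only in the LE and GE bits
(8 and 9); loaded_with_softice_loader() tests exactly that and nothing
more. The breakpoint values are constructed for the demo; reading the
real registers (mov eax, dr7) is ring0-only, as the text says.

```python
"""Added example: decode x86 DR7 and show what clearing BPMs does to it."""
from typing import Dict, List, Sequence

# DR7 layout (Intel SDM): bits 0-7 L0,G0 .. L3,G3 ; bit 8 LE ; bit 9 GE ;
# bit 10 reserved (reads as 1) ; bit 13 GD ; bits 16+4n R/Wn ; bits 18+4n LENn
RW_TYPE = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # 8 bytes is 64-bit mode only


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Return the armed breakpoints plus the LE/GE/GD flags of a DR7 value."""
    bps: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                          # DRn not enabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "reg": n,
            "addr": dr0_3[n],
            "scope": "global" if glob else "local",
            "type": RW_TYPE[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "breakpoints": bps,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
    }


def loaded_with_softice_loader(dr7: int) -> bool:
    """The text quotes dr7 == 0x700 under the SoftICE loader and 0x400
    otherwise; the difference is exactly LE|GE (bits 8 and 9)."""
    return (dr7 & 0x300) == 0x300


def clear_bpm(dr7: int) -> int:
    """What 'clearing BPMs' means at register level: drop every L/G enable
    bit and every R/W-LEN field, keep the control bits (LE, GE, bit 10, GD)."""
    return dr7 & 0x0000FF00


def bpm_dr7(reg: int, kind: str, length: int, global_scope: bool = True) -> int:
    """Build the DR7 bits for one breakpoint on DRreg (demo helper; it
    assumes the documented encoding, not SoftICE's actual BPM code)."""
    rw = {v: k for k, v in RW_TYPE.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * reg + 1) if global_scope else 1 << (2 * reg)
    return enable | (rw << (16 + 4 * reg)) | (ln << (18 + 4 * reg))


if __name__ == "__main__":
    # constructed values: loader-style DR7 plus a 4-byte BPM W on DR0
    dr7 = 0x700 | bpm_dr7(0, "write", 4)
    print(hex(dr7), decode_dr7(dr7, (0x00401000, 0, 0, 0)))
    print(hex(clear_bpm(dr7)))               # back to 0x700
```

A BPM W on DR0 turns 0x700 into 0xD0702 (G0, R/W0=write, LEN0=4 bytes);
clear_bpm() hands back 0x700, which is what a protection that "clears
BPMs" leaves behind.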

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )     /* the driver answered: loaded */
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\"
 prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of 'tICE' in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
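
As an added example (not part of the original text, nor code from any
program named on this page): a small Python scanner that looks in a raw
binary for the patterns behind Methods 01, 02, 03/04, 05, 07 and 12 (the
immediate loads followed by the INT, hand-assembled from the listings
above: mov r16,imm16 = B8+r iw, mov ebp,imm32 = BD id, mov ah,imm8 = B4
ib, push imm = 6A ib / 68 id, int n = CD ib), plus the driver names of
Method 11 and the registry key tails of Method 13 in ASCII and UTF-16LE.
Up to 8 unrelated bytes are allowed between the set-up instruction and
the interrupt; the 66h operand-size prefix is not anchored, so 16-bit and
32-bit code both match. It does not disassemble, so a hit is a lead to
confirm under the debugger, not a verdict. SAMPLE is a constructed blob
assembled from the snippets on this page.

```python
"""Added example: static scan for the SoftICE-detection idioms on this page.

Patterns are hand-assembled from the listings (16- or 32-bit code; the 66h
operand-size prefix is not anchored, so both fit).  Heuristic only."""
import re
from typing import List, Tuple

G = rb".{0,8}?"   # up to 8 unrelated bytes between set-up and INT (lazy)

OPCODE_SIGNATURES = [
    ("01 BCHK: mov ebp,4243484Bh ... int 3",
     rb"\xBD\x4B\x48\x43\x42" + G + rb"\xCC"),
    ("02 back door: mov si,4647h / mov di,4A4Dh ... int 3",
     rb"(?:\xBE\x47\x46" + G + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + G
     + rb"\xBE\x47\x46)" + G + rb"\xCC"),
    ("03/04 int 2Fh/1684h with VxD ID 0202h (WINICE) or 7A5Fh (SIWVID)",
     rb"\xBB(?:\x02\x02|\x5F\x7A)" + G + rb"\xCD\x2F"),
    ("05 mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00" + G + rb"\xCD\x41"),
    ("07 mov ah,43h / int 68h",
     rb"\xB4\x43" + G + rb"\xCD\x68"),
    ("12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

# Method 11 driver names and Method 13 registry key tails (ASCII + UTF-16LE)
STRINGS = [("11 device name " + d, d)
           for d in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")]
STRINGS += [("13 registry key " + k, k)
            for k in (r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                      r"App Paths\Loader32.Exe")]


def _compile() -> List[Tuple[str, "re.Pattern[bytes]"]]:
    pats = [(name, re.compile(p, re.DOTALL)) for name, p in OPCODE_SIGNATURES]
    for name, s in STRINGS:
        for enc in ("ascii", "utf-16-le"):
            pats.append((f"{name} ({enc})",
                         re.compile(re.escape(s.encode(enc)), re.IGNORECASE)))
    return pats


SIGNATURES = _compile()


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in SIGNATURES
            for m in pat.finditer(data)]
    return sorted(hits)


# Constructed test blob: the page's snippets hand-assembled, NOP-padded.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"  # 01 @4
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 02 @22 (si @27)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 03 @38 (bx @45)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x03"                  # 05 @54
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # 07 @68
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"      # 12 @79
    + b"\x66\x3D\x86\xF3"
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                           # 11 @100
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"             # 11 @109
    + b"Software\\NuMega\\SoftICE\x00"                             # 13 @129
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:#06x}  {what}")
```

Run it over an unpacked image (or a memory dump taken after the packer's
decryption loop, since packed sections hide the immediates), then BPX the
hit offsets; the description names the method, so you know which of the
breakpoints listed above to set.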

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>