<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: the program issues
an int 3 with 'BCHK' in EBP and 4 in AX. Without SoftICE the int 3 comes back
with AL still 4; if SoftICE is loaded, its int 3 handler answers the request
and AL is no longer 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' ('FG' and 'JM' in ASCII) used by SoftICE.
For more information, see Ralf Brown's Interrupt List, the int 03h entries.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own exception
  handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"): ES:DI stays 0000:0000 when no VxD with
that ID is loaded, so a non-zero ES:DI means the VxD is present.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net). This one first points the
int 41h vector in the interrupt vector table at a dummy IRET handler, so that
without a system debugger the call comes back with AX unchanged; if SoftICE
is loaded it still intercepts the int and answers 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
Instead of testing the returned magic number, it reads the timer port
(in al,40h) and asks its own int 41h handler to echo AL into CL; if the
int 41h call does not reach that handler (SoftICE took it), CL stays 0 and
differs from AL:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 always reads as 1, so 0x400 is the idle value and 0x700 adds
the LE/GE "exact breakpoint" bits) or if there are memory breakpoints set
(dr0 to dr3 hold the addresses, and the L0-L3/G0-G3 enable bits of dr7 say
which slots are armed) simply by reading their value (in ring 0 only, since
mov reg,drN is a privileged instruction). The values can be manipulated and
changed as well (clearing BPMs for instance).
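As an added example (not code from this page or from any tool it mentions), here is a decoder for the DR7 value the check above reads. It shows what 0x700 and 0x400 mean bit by bit and how a debugger arms DR0-DR3 as memory breakpoints; the bit layout is the standard IA-32 DR7 format, and the values passed in main() are constructed for the demonstration:

```c
/* DR7 decoder for the method-10 check. Added example, not code from the
   page: the bit layout is the documented IA-32 DR7 format, and the only
   thing taken from the page is its observation that DR7 reads 0x700 under
   the SoftICE loader and 0x400 otherwise. Reading DR7 (mov eax,dr7) is a
   ring-0 instruction, so this decodes a value already obtained there. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hwbp {
    int local, global;  /* L<n> (bit 2n) and G<n> (bit 2n+1)                  */
    int rw;             /* R/W<n>: 0 execute, 1 write, 2 I/O, 3 read or write */
    int len;            /* LEN<n> in bytes: 1, 2, 8 (64-bit only) or 4        */
};

struct dr7_info {
    struct hwbp bp[4];
    int le, ge;         /* bits 8 and 9: local/global exact breakpoint enable  */
    int gd;             /* bit 13: general detect, faults on any DRn access    */
    int armed;          /* number of DR0-DR3 slots with L or G set             */
    int memory_bps;     /* armed slots whose R/W is not "execute", i.e. a BPM  */
};

static int len_bytes(unsigned field)
{
    static const int table[4] = { 1, 2, 8, 4 };
    return table[field & 3];
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d;
    int n;
    memset(&d, 0, sizeof d);
    for (n = 0; n < 4; n++) {
        d.bp[n].local  = (dr7 >> (2 * n)) & 1;
        d.bp[n].global = (dr7 >> (2 * n + 1)) & 1;
        d.bp[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        d.bp[n].len    = len_bytes((dr7 >> (18 + 4 * n)) & 3);
        if (d.bp[n].local || d.bp[n].global) {
            d.armed++;
            if (d.bp[n].rw != 0) d.memory_bps++;
        }
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Convenience accessor for one breakpoint slot. */
struct hwbp dr7_slot(uint32_t dr7, int n)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.bp[n & 3];
}

/* The page's heuristic: 0x700 is bit 10 (always reads as 1) plus LE and GE,
   0x400 is bit 10 alone; neither value has a breakpoint slot armed. */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return ((dr7 >> 8) & 3) == 3;
}

/* The other side of the check: the DR7 value a debugger writes to arm
   slot n. len_field is the raw 2-bit LEN encoding (0=1, 1=2, 3=4 bytes). */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len_field, int global)
{
    dr7 &= ~(3u << (2 * n));                 /* clear L<n>, G<n>      */
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear R/W<n>, LEN<n>  */
    dr7 |= (global ? 2u : 1u) << (2 * n);
    dr7 |= ((uint32_t)rw & 3) << (16 + 4 * n);
    dr7 |= ((uint32_t)len_field & 3) << (18 + 4 * n);
    return dr7 | 0x400;                      /* bit 10 always set     */
}

static void show(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    int n;
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d BPM=%d loader-like=%d\n",
           (unsigned)dr7, d.le, d.ge, d.gd, d.armed, d.memory_bps,
           dr7_matches_softice_loader(dr7));
    for (n = 0; n < 4; n++)
        if (d.bp[n].local || d.bp[n].global)
            printf("  DR%d: %s rw=%d len=%d\n", n,
                   d.bp[n].global ? "global" : "local", d.bp[n].rw, d.bp[n].len);
}

int main(void)
{
    show(0x400);                          /* idle: no breakpoints, no LE/GE       */
    show(0x700);                          /* what the page reports under the loader */
    show(dr7_arm(0x700, 0, 3, 3, 1));     /* plus a 4-byte read/write BPM in DR0   */
    return 0;
}
```

The 0x700 test is a heuristic: any debugger that sets LE and GE produces the same value, and a debugger that never touches DR7 is invisible to it. The armed-slot count is the more reliable part of the check, because a BPM cannot exist without an enabled L or G bit.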

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded and accepts the open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
 dword compare lands on the first four characters of the device name.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32, 002Ah),
                                ; low word which service (VWIN32_Int41Dispatch, 002Ah)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
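The sequences listed above are recognisable in a binary before it is ever run under SoftICE. Here is an added example, not from the original text or from any program it names, of a static triage scanner for the encodings of the listings in methods 01 to 05, 07, 11, 12 and 13. The byte patterns were assembled by hand from the page's own instructions (16-bit operand size for the DOS sequences, 32-bit for the Win32 ones); the two sample buffers are constructed for the demonstration, not taken from any real executable:

```c
/* Static triage scanner for the anti-SoftICE patterns listed on this page.
   Added example, not code from the original text or from any program it
   names. Each pattern is the x86 encoding of the listing as printed
   (16-bit operand size for the DOS sequences, 32-bit for the Win32 ones),
   assembled by hand for this example. Protectors reorder, split and
   obfuscate these sequences, so a hit is a lead for manual analysis and
   a miss proves nothing. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum trick {
    TRICK_BCHK         = 1 << 0,  /* method 01: mov ebp,4243484Bh ('BCHK')            */
    TRICK_FGJM         = 1 << 1,  /* method 02: mov si,4647h ; mov di,4A4Dh           */
    TRICK_INT2F_SICE   = 1 << 2,  /* method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh */
    TRICK_INT2F_SIWVID = 1 << 3,  /* method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
    TRICK_INT41_4F     = 1 << 4,  /* method 05: mov ax,4Fh ; int 41h                  */
    TRICK_INT68_43     = 1 << 5,  /* method 07: mov ah,43h ; int 68h                  */
    TRICK_MELTICE      = 1 << 6,  /* method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE       */
    TRICK_VXDCALL_41   = 1 << 7,  /* method 12: push 4Fh ; push 2A002Ah               */
    TRICK_REGKEY       = 1 << 8   /* method 13: NuMega\SoftICE registry sub-key       */
};

struct sig { unsigned flag; const char *name; const unsigned char *bytes; size_t len; };

static const unsigned char P_BCHK[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const unsigned char P_FGJM[]    = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const unsigned char P_2F_SICE[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const unsigned char P_2F_VID[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const unsigned char P_INT41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const unsigned char P_INT68[]   = { 0xB4, 0x43, 0xCD, 0x68 };
static const unsigned char P_VXD41[]   = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

/* Expands to the two initializer fields (pointer, length) for a C string. */
#define STR(s) (const unsigned char *)(s), sizeof(s) - 1

static const struct sig sigs[] = {
    { TRICK_BCHK,         "BoundsChecker 'BCHK' int 3 (method 01)",       P_BCHK,    sizeof P_BCHK },
    { TRICK_FGJM,         "back door magic 4647h/4A4Dh (method 02)",      P_FGJM,    sizeof P_FGJM },
    { TRICK_INT2F_SICE,   "int 2Fh/1684h, VxD ID 0202h (method 03)",      P_2F_SICE, sizeof P_2F_SICE },
    { TRICK_INT2F_SIWVID, "int 2Fh/1684h, VxD ID 7A5Fh (method 04)",      P_2F_VID,  sizeof P_2F_VID },
    { TRICK_INT41_4F,     "int 41h/4Fh (method 05)",                      P_INT41,   sizeof P_INT41 },
    { TRICK_INT68_43,     "int 68h/43h (method 07)",                      P_INT68,   sizeof P_INT68 },
    { TRICK_VXDCALL_41,   "VxDCall VWIN32_Int41Dispatch (method 12)",     P_VXD41,   sizeof P_VXD41 },
    { TRICK_MELTICE,      "MeltICE device name \\\\.\\SICE (method 11)",    STR("\\\\.\\SICE") },
    { TRICK_MELTICE,      "MeltICE device name \\\\.\\SIWVID (method 11)",  STR("\\\\.\\SIWVID") },
    { TRICK_MELTICE,      "MeltICE device name \\\\.\\NTICE (method 11)",   STR("\\\\.\\NTICE") },
    { TRICK_REGKEY,       "registry sub-key NuMega\\SoftICE (method 13)",  STR("NuMega\\SoftICE") },
};

/* Plain substring search (memmem is not portable). */
static int has_bytes(const unsigned char *buf, size_t len,
                     const unsigned char *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || plen > len) return 0;
    for (i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns the OR of every enum trick whose pattern occurs in buf. */
unsigned scan_softice_tricks(const unsigned char *buf, size_t len)
{
    unsigned found = 0;
    size_t i;
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (has_bytes(buf, len, sigs[i].bytes, sigs[i].len))
            found |= sigs[i].flag;
    return found;
}

/* Prints one line per matched signature and returns the number of lines. */
int report_softice_tricks(const unsigned char *buf, size_t len)
{
    int hits = 0;
    size_t i;
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (has_bytes(buf, len, sigs[i].bytes, sigs[i].len)) {
            printf("  %s\n", sigs[i].name);
            hits++;
        }
    return hits;
}

/* Constructed sample, not a real binary: method 05 assembled as 16-bit code,
   followed by the device name a MeltICE-style check keeps in its data. */
static const unsigned char sample_protected[] = {
    0x90, 0x90,                     /* nop ; nop            */
    0xB8, 0x4F, 0x00,               /* mov ax,4Fh           */
    0xCD, 0x41,                     /* int 41h              */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h        */
    0x74, 0x05,                     /* jz SoftICE_detected  */
    0x00,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0xC3                            /* ret                  */
};

/* Constructed clean sample: push ebp ; mov ebp,esp ; xor eax,eax ; pop ebp ; ret */
static const unsigned char sample_clean[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };

int main(void)
{
    printf("sample_protected:\n");
    printf("  %d signature(s)\n", report_softice_tricks(sample_protected, sizeof sample_protected));
    printf("sample_clean:\n");
    printf("  %d signature(s)\n", report_softice_tricks(sample_clean, sizeof sample_clean));
    return 0;
}
```

A hit tells you which BPX or BPINT from the sections above to set before loading the target; because packers routinely split, reorder or compute these sequences at run time, a clean result says nothing, and the dynamic breakpoints remain the authoritative check.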

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" starts in
 "Software\NuMega\SoftICE" and 0x37 where it starts in
 "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>