About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
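Added example, not part of the original document: a Python triage script that scans a binary for the byte patterns the methods above leave behind (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13), so an analyst can see which anti-SoftICE checks a sample carries before stepping through it. The x86 opcode encodings and the constructed sample blob are assumptions of this example.

```python
"""Static triage for the anti-SoftICE tricks described above (added example).

Scans a raw binary blob for the byte patterns each trick leaves behind and
reports which method numbers appear, with their file offsets. The x86 opcode
encodings and the sample blob below are this example's own assumptions.
"""
import re
import sys

# (label, regex over raw bytes). 16-bit and 32-bit encodings are both covered
# where they differ only by a 66h operand-size prefix.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  ->  BD 4B 48 43 42 ... CC
    ("01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh  ->  BE 47 46 / BF 4D 4A
    ("02 int 3 back door magic values SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,4}?(?:\x66)?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh  ->  B8 84 16 BB xx xx CD 2F
    ("03/04 int 2Fh/1684h VxD entry point query (SICE or SIWVID)",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h  ->  B8 4F 00 CD 41
    ("05 int 41h/4Fh magic number check",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h  ->  B4 43 CD 68
    ("07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: MeltICE device names (ANSI strings only, NUL-terminated)
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 2A002Ah  ->  6A 4F (or 68 4F 00 00 00) 68 2A 00 2A 00
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key probed to locate the installation directory
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return (label, offset) pairs for every signature hit, ordered by offset."""
    hits = [(label, m.start()) for label, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample, not a real program: a Method 01 stub, a Method 02 call
# and the MeltICE device name, separated by filler bytes.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # offset 16
    + b"\x00" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                   # mov si at offset 41
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                            # offset 56
)

if __name__ == "__main__":
    # Pass a file path to scan a real sample; without one the constructed blob is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, off in scan(data):
        print(f"{off:08x}  method {label}")
```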