<TABLE width=500>; n- u. Y+ U' v7 z$ Y: ^" m% ~
<TBODY>! E9 y+ p$ D/ |; E
<TR>1 Q g- l/ K* s7 Q3 R
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al still 4 => nobody answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

-SI = 4647h
-DI = 4A4Dh

Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI left at 0 => VxD not installed
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must hold segment 0 (the IVT) here,
    xchg bx, es:[41h*4+2]   ; see the setup in Method 06
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only our own handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; an unpredictable value (timer channel 0)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al => our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open only succeeds if the SICE VxD answers the DIOC_OPEN */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
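A static pre-check for the tricks above, as an added example that is not
part of the original text nor of any tool it names: it turns the instruction
sequences and device names listed in Methods 01 to 07, 11 and 12 into byte
signatures and reports where they occur in a binary, so an analyst knows
which of these checks a packed sample carries before loading it under a
debugger. The sample byte buffers are constructed for this example; the x86
encodings used in the signatures are the standard ones (16-bit for the DOS
tricks, 32-bit for the Win32 ones).

```python
import re

# Byte signatures for the SoftICE checks described above. The patterns are
# constructed for this example (not taken from a real scanner); the
# instruction encodings are standard x86.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3 check": re.compile(
        rb"\xBD\x4B\x48\x43\x42"              # mov ebp, 4243484Bh ('BCHK')
        rb".{0,16}?\xCC", re.DOTALL),         # ... int 3
    "M02 SoftICE back door (si=4647h, di=4A4Dh, int 3)": re.compile(
        rb"\xBE\x47\x46"                      # mov si, 4647h
        rb".{0,8}?\xBF\x4D\x4A"               # mov di, 4A4Dh
        rb".{0,8}?\xCC", re.DOTALL),          # int 3
    "M03/M04 int 2Fh/1684h VxD entry point (SICE or SIWVID)": re.compile(
        rb"\xB8\x84\x16"                      # mov ax, 1684h
        rb".{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"  # mov bx, 0202h / 7A5Fh
        rb".{0,8}?\xCD\x2F", re.DOTALL),      # int 2Fh
    "M05 int 41h/4Fh, magic 0F386h": re.compile(
        rb"\xB8\x4F\x00"                      # mov ax, 4Fh
        rb".{0,32}?\xCD\x41"                  # int 41h
        rb".{0,16}?\x3D\x86\xF3", re.DOTALL), # cmp ax, 0F386h
    "M07 int 68h/43h, magic 0F386h": re.compile(
        rb"\xB4\x43\xCD\x68"                  # mov ah, 43h ; int 68h
        rb".{0,8}?\x3D\x86\xF3", re.DOTALL),  # cmp ax, 0F386h
    "M11 MeltICE device name": re.compile(
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),   # \\.\SICE, \\.\SIWVID, \\.\NTICE
    "M12 VxDCall VWIN32_Int41Dispatch/4Fh": re.compile(
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),    # push 4Fh ; push 002A002Ah
}


def scan(blob):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed samples. SAMPLE_BACKDOOR re-assembles the Haspinst.exe loop
# shown above (mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ;
# int 3 ; add bx,2) between NOP padding.
SAMPLE_BACKDOOR = (b"\x90" * 4
                   + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
                   + b"\x83\xC3\x02" + b"\x90" * 4)
# mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4 ; jnz (Method 01, 32-bit)
SAMPLE_BCHK = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
# the device name MeltICE hands to CreateFileA, stored as a C string
SAMPLE_MELTICE = b"\x90" * 8 + b"\\\\.\\SICE\x00" + b"\x90" * 8
# mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz (Method 05, 16-bit)
SAMPLE_INT41 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"
# push ebp ; mov ebp,esp ; sub esp,10h ; xor eax,eax ; leave ; ret
SAMPLE_BENIGN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3"

if __name__ == "__main__":
    for label, blob in [("backdoor", SAMPLE_BACKDOOR), ("bchk", SAMPLE_BCHK),
                        ("meltice+int41", SAMPLE_MELTICE + SAMPLE_INT41),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, scan(blob) or "no SoftICE checks found")
```

The bounded lazy gaps (`.{0,8}?` and so on) tolerate a few unrelated
instructions between the parts of a check, as in the Haspinst.exe listing
where mov dx,[bx] sits between the function number and the magic values;
widening them raises coverage at the cost of false positives, so keep them
short and confirm hits by disassembling at the reported offset.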

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set => no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>