<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE exposes on int 3: with EBP holding the
signature 'BCHK' (4243484Bh) and AX=04h, a loaded SoftICE answers by
modifying AL, so AL still being 4 after the int 3 means SoftICE is absent.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on int 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description (AX selects the function):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the request.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the dongle HASP Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

A less used method. It asks for the SoftICE VxD by ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI receives the VxD's API entry point, or
0000:0000 if no VxD with that ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; cheap non-zero test on segment+offset
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Identical to the preceding one except that it asks for the ID of the SoftICE
GFX (video) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger to the int 41h installation check, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first swaps in its own harmless int 41h
handler, so the call returns safely where nothing owns int 41h (under plain
DOS that vector is the hard disk 0 parameter table pointer, not code), and
restores the original vector afterwards. SoftICE intercepts int 41h itself
rather than through the real-mode vector, so it still answers 0F386h:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (needed for es:[...] below)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

A second method similar to the preceding one but more difficult to detect,
because it never uses function 4Fh or the 0F386h magic (so a BPINT 41 on
AX==4F never fires). The replacement handler copies AL into CL, and a byte
read from the timer (port 40h) serves as an arbitrary function number. If the
program's own handler runs, CL ends up equal to AL. If SoftICE is loaded it
swallows the int 41h instead of passing it to the vector in the IVT, CL stays
at 0 and the compare fails (a false negative is only possible when the timer
byte happens to be 0):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), the debugger
installation check: function 43h returns 0F386h in AX when a debugger is
present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using the VxdCall
back door).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: 0x400 is the always-set reserved bit, 0x700 adds the LE/GE
exact-breakpoint bits) and whether memory breakpoints are set (DR0 to DR3
hold their linear addresses, the low byte of DR7 enables them), simply by
reading their values (ring 0 only, since MOV from DRn is privileged). The
values can be manipulated or changed as well (clearing BPMs for instance).

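As an added illustration (not part of the original text), the following
Python decodes a DR7 value field by field so the 0x400/0x700 observation
above can be read straight off the register layout: bit 10 is reserved and
always reads as 1 (the 0x400 baseline), bits 8 and 9 are the LE/GE
exact-breakpoint enables that make 0x700, bits 0-7 are the L/G enables of
the four breakpoints and bits 16-31 hold each one's R/W and LEN fields. The
sample register values and the 00401000h address are constructed; the
method10_tags and clear_bpm helpers are my names, not anything SoftICE
provides.

```python
"""Decode DR7 the way Method 10 reads it (x86 debug register layout, Intel SDM)."""
from dataclasses import dataclass

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b means 8 bytes (64-bit mode only)

DR7_LE = 0x100          # bit 8:  local exact breakpoint enable
DR7_GE = 0x200          # bit 9:  global exact breakpoint enable
DR7_RESERVED1 = 0x400   # bit 10: reserved, always reads as 1: the bare 0x400
DR7_GD = 0x2000         # bit 13: general detect, traps MOV to/from DRn


@dataclass(frozen=True)
class Breakpoint:
    index: int       # 0..3, i.e. which of DR0..DR3 holds the linear address
    local: bool      # Ln bit (cleared by the CPU on a task switch)
    global_: bool    # Gn bit
    kind: str        # R/W field: execute / write / io / read-write
    length: int      # LEN field, in bytes


@dataclass(frozen=True)
class DR7:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: tuple  # only the enabled slots


def decode_dr7(value: int) -> DR7:
    """Split DR7 into its named fields; disabled breakpoint slots are skipped."""
    enabled = []
    for n in range(4):
        local = bool((value >> (2 * n)) & 1)
        glob = bool((value >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (value >> (16 + 4 * n)) & 0b11
        ln = (value >> (18 + 4 * n)) & 0b11
        enabled.append(Breakpoint(n, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return DR7(value, bool(value & DR7_LE), bool(value & DR7_GE),
               bool(value & DR7_GD), tuple(enabled))


def method10_tags(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """The observations Method 10 relies on, as short tags.

    'le-ge'   : DR7 carries the LE/GE bits, i.e. 0x700 rather than the bare
                0x400 seen when the program was not started by the SoftICE loader.
    'bpmN@..' : breakpoint slot N is enabled; DRn gives its linear address and
                the R/W + LEN fields say what kind of access and how wide.
    """
    d = decode_dr7(dr7)
    tags = ["le-ge"] if (d.le or d.ge) else []
    for bp in d.breakpoints:
        tags.append(f"bpm{bp.index}@{dr0_3[bp.index]:08x} {bp.kind} len={bp.length}")
    return tags


def clear_bpm(dr7: int) -> int:
    """Drop every L/G enable and every R/W-LEN field, leaving bits 8-15 alone.

    This is the 'clearing BPMs' manipulation the text mentions; LE/GE and the
    reserved bit survive, so a register comes back as 0x400 or 0x700.
    """
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed values: unloaded baseline, SoftICE-loader case, and one BPM
    # (slot 0 local, R/W=11b read/write, LEN=11b 4 bytes) at made-up 00401000h.
    bpm = 0x000F0401
    for raw, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)), (bpm, (0x401000, 0, 0, 0))):
        print(f"DR7={raw:08x}: {method10_tags(raw, regs) or ['clean']}")
    print(f"after clear_bpm: {clear_bpm(bpm):#x}")
```

Reading DR7 requires ring 0 exactly as the text says; the decoder only
interprets a value you already obtained, which is also what you need when
looking at a DR7 dump from a crash log or a VxD's debug output.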
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name the SoftICE VxD answers to on Win9x;
       "\\.\SIWVID" is the video driver and "\\.\NTICE" the NT driver. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: detected */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025        ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix,
 so the dword there holds the first four characters of the device name):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (002Ah = VWIN32),
                                ; low word which service (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

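The idioms in Methods 01-05, 07, 11 and 12 are easy to recognise statically,
because each one loads the same immediates right before its trapping
instruction or hands the same device-name string to the open call. The
following Python is an added example (mine, not from the original text nor
from any of the programs named above): a byte-level scanner whose regexes
encode those set-ups exactly as the listings show them, tolerating a short
gap before the INT and the 66h prefix that 32-bit code needs for 16-bit
register moves. The sample blob is constructed here from those encodings;
code that reorders the moves or decrypts them at run time slips past, so a
hit is a lead for a breakpoint (see the BPX lists above), not a verdict.

```python
"""Static triage for the anti-SoftICE idioms catalogued in Methods 01-05, 07, 11 and 12."""
import re
from dataclasses import dataclass

# Up to 16 unrelated bytes may sit between the register set-up and the INT.
GAP = rb".{0,16}?"

RULES = (
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK/int 3", rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),
    # Method 02: mov si,4647h ('FG') / mov di,4A4Dh ('JM') ... int 3
    ("02 back door FG/JM int 3", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A" + GAP + rb"\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID: 0202h SICE or 7A5Fh SIWVID> ... int 2Fh
    ("03/04 int 2Fh/1684h VxD lookup",
     rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh check", rb"(?:\x66)?\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h check", rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
)
COMPILED = [(name, re.compile(rx, re.DOTALL)) for name, rx in RULES]


@dataclass(frozen=True)
class Hit:
    method: str
    offset: int
    operand: bytes = b""   # captured VxD ID (little-endian) or device name, if any

    def describe(self) -> str:
        if self.method.startswith("03/04"):
            return f"{self.method} (VxD ID {int.from_bytes(self.operand, 'little'):04X}h)"
        if self.method.startswith("11"):
            return f"{self.method} ({self.operand.decode('ascii')})"
        return self.method


def scan(blob: bytes) -> list:
    """Return every rule match in offset order; a blob can trip several rules."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append(Hit(name, m.start(), m.group(1) if rx.groups else b""))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> set:
    """Just the method numbers, for a quick yes/no triage."""
    return {h.method.split()[0] for h in scan(blob)}


# Constructed sample, not a real binary: each idiom encoded as the page lists
# it, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD4B484342 B80400 CC 3C04 7510")         # 01: mov ebp/mov ax,4/int 3/cmp al,4/jnz
    + b"\x90" * 3
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")           # 02: the Haspinst.exe sequence
    + b"\x90" * 3
    + bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")           # 03: xor di,di/mov es,di/.../int 2Fh
    + b"\x90" * 3
    + bytes.fromhex("B84F00 CD41 3D86F3")                     # 05: mov ax,4Fh/int 41h/cmp ax,0F386h
    + b"\x90" * 3
    + bytes.fromhex("B443 CD68 3D86F3")                       # 07: mov ah,43h/int 68h/cmp ax,0F386h
    + b"\x90" * 3
    + bytes.fromhex("6A4F 682A002A00")                        # 12: push 4Fh/push 002A002Ah
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                # 11: device names
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:06x}  {hit.describe()}")
```

Run it over a raw dump of the protected executable (or a memory dump taken
after the packer has unpacked); the offsets it prints are where a BPX or a
disassembly should start.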
) K9 e9 a/ L& u/ g__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it (esp->8 is lpSubKey; offset 0x13 into key #2
and offset 0x37 into key #1 both land on the "tICE" of SoftICE):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only); it returns with the zero flag clear when one is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>