About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmps back.
4C19:00AD   MOV    BX,SP    ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 (interrupt vector table), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install int41handler2, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our dummy handler leaves ax=4fh; only a resident
    jz      SoftICE_detected ; debugger answering int 41h returns 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; arbitrary value (timer port)
    xor     cx,cx
    int     41h             ; our handler copies al into cl only if it is reached
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
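As an added example (not part of the original post), the following Python scanner looks for the register set-up and interrupt of the checks in Methods 01, 02, 03/04, 05 and 07 in raw 16-bit code, the way an analyst would flag these checks in a sample before stepping into them. The byte encodings, the 32-byte look-back window and the sample bytes are assumptions of this example, not taken from the page's binaries.

```python
# Heuristic scanner for the interrupt-based SoftICE checks of Methods 01-05
# and 07, written as raw 16-bit x86 byte patterns (encodings assumed here).
# Each check ends in an interrupt instruction (the "trigger"); the register
# set-up that identifies it must sit in the bytes just before that trigger.
WINDOW = 32  # bytes inspected before a trigger (assumed, not from the text)

# (method, trigger, all of these required, at least one of these required)
SIGNATURES = (
    ("01", b"\xCC",                                   # int 3
     (b"\x66\xBD\x4B\x48\x43\x42", b"\xB8\x04\x00"), ()),   # mov ebp,'BCHK' / mov ax,4
    ("02", b"\xCC",                                   # int 3
     (b"\xBE\x47\x46", b"\xBF\x4D\x4A"),              # mov si,4647h / mov di,4A4Dh
     tuple(bytes((0xB8, f, 0x09)) for f in range(0x10, 0x15))),  # mov ax,0910h..0914h
    ("03/04", b"\xCD\x2F",                            # int 2Fh
     (b"\xB8\x84\x16",), (b"\xBB\x02\x02", b"\xBB\x5F\x7A")),  # mov ax,1684h / mov bx,VxD id
    ("05", b"\xCD\x41", (b"\xB8\x4F\x00",), ()),      # mov ax,4Fh / int 41h
    ("07", b"\xCD\x68", (b"\xB4\x43",), ()),          # mov ah,43h / int 68h
)


def scan(code: bytes) -> list:
    """Return sorted (offset, method) pairs, one per trigger whose preceding
    window contains the matching register set-up."""
    hits = []
    for method, trigger, required, any_of in SIGNATURES:
        prev = -1                      # previous occurrence of this trigger
        pos = code.find(trigger)
        while pos >= 0:
            # Never look back past the previous trigger, so one set-up
            # sequence cannot be credited to two different interrupts.
            window = code[max(0, pos - WINDOW, prev + 1):pos]
            if all(r in window for r in required) and (
                    not any_of or any(a in window for a in any_of)):
                hits.append((pos, method))
            prev = pos
            pos = code.find(trigger, pos + 1)
    return sorted(hits)


# Constructed sample (not taken from any real binary): a DOS exit, then the
# checks of Methods 01, 02 (Haspinst-style loop), 05 and 03, then a lone
# int 3 that must not be reported.
SAMPLE = bytes.fromhex(
    "B4 4C CD 21"                                # mov ah,4Ch / int 21h
    "66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"  # Method 01 + cmp al,4 / jnz
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"        # Method 02: ax,dx,si,di / int 3
    "83 C3 02 41 83 F9 06 72 EB"                 # add bx,2 / inc cx / cmp cx,6 / jb
    "B8 4F 00 CD 41 3D 86 F3 74 02"              # Method 05 + cmp ax,0F386h / jz
    "B8 84 16 BB 02 02 CD 2F"                    # Method 03 (VxD id 0202h)
    "CC"                                         # lone int 3
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"offset {offset:#06x}: anti-SoftICE check, Method {method}")
```

The scan is byte-pattern based and does not disassemble, so a 0CCh or 0CDh byte inside an immediate can produce a false hit; the window and set-up requirements keep that rare.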

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, 01h                     ; Int_Number: 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
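Added example (not from the original post): a decoder for DR7 that shows what the 0x700 and 0x400 values above mean in terms of the LE/GE flags and which of dr0-dr3 are armed. The bit layout is the Intel one; the hint rule applied at the end is only the text's rule of thumb, and the sample addresses are constructed.

```python
# Decoder for the x86 DR7 debug-control register (Intel SDM bit layout).
# 0x400 is just the reserved bit 10, which always reads as 1; 0x700 adds the
# LE and GE "exact breakpoint" enables, which the text ties to the SoftICE loader.
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its control flags and the per-breakpoint settings."""
    info = {
        "LE": bool(dr7 >> 8 & 1),              # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),              # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),             # general detect: trap on MOV DRn
        "reserved_bit10": bool(dr7 >> 10 & 1), # always 1 on real hardware
        "breakpoints": [],
    }
    for n in range(4):
        local = dr7 >> (2 * n) & 1             # Ln: armed for the current task
        glob = dr7 >> (2 * n + 1) & 1          # Gn: armed for every task
        if local or glob:
            rw = dr7 >> (16 + 4 * n) & 3       # R/Wn: which access kind breaks
            ln = dr7 >> (18 + 4 * n) & 3       # LENn: size of the watched range
            info["breakpoints"].append({
                "reg": f"dr{n}",
                "scope": "global" if glob else "local",
                "type": RW_TYPES[rw],
                "len": LEN_BYTES[ln],
            })
    return info


def debugger_hints(dr7: int, drs=(0, 0, 0, 0)) -> list:
    """Apply the text's rule of thumb: LE+GE set (0x700) points at the SoftICE
    loader, and an armed dr0-dr3 holding a non-zero address is a live BPM.
    `drs` is the (dr0, dr1, dr2, dr3) tuple as read in ring0 (constructed here)."""
    decoded = decode_dr7(dr7)
    hints = []
    if decoded["LE"] and decoded["GE"]:
        hints.append("LE+GE set: program was started under the SoftICE loader")
    for bp in decoded["breakpoints"]:
        addr = drs[int(bp["reg"][2])]
        if addr:
            hints.append(f"{bp['reg']} {bp['scope']} {bp['type']} "
                         f"len {bp['len']} at {addr:#010x}")
    return hints


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xF0401):      # 0xF0401: dr0 local, r/w, 4 bytes
        print(f"dr7={value:#07x}: {decode_dr7(value)}")
    print(debugger_hints(0xF0401, (0x401000, 0, 0, 0)))
```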

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
" o5 g3 j3 Y: A% c</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-3-10 01:47

Powered by Discuz! X3.5

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表