About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
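Added example (not from the original text): a decoder for a DR7 value read the way Method 10 reads it, showing why 0x400 is the idle value and 0x700 the loader fingerprint. It assumes the architectural DR7 layout (bit 10 reserved and always 1, LE/GE at bits 8/9, GD at bit 13, L/G enables and R/W and LEN fields per slot); the field names are mine.

```python
# DR7 decoder for the Method 10 check (added example, not the original
# author's code). Bit 10 of DR7 is reserved and always reads as 1, so 0x400
# means "nothing set"; 0x700 additionally has LE (bit 8) and GE (bit 9),
# the local/global exact-breakpoint enables, which is the value the text
# attributes to the SoftICE loader. Slot fields follow the Intel layout:
# L0..L3/G0..G3 in bits 0..7, R/Wn and LENn in bits 16+4n and 18+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return the global enables and every armed breakpoint slot (dr0..dr3)."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local or glob:
            slots.append({"slot": i, "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": (dr7 >> 8) & 1, "ge": (dr7 >> 9) & 1,
        "reserved10": (dr7 >> 10) & 1, "gd": (dr7 >> 13) & 1,
        "slots": slots,
    }


def method10_verdict(dr7):
    """Reproduce the decision Method 10 takes from a raw DR7 value."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "memory breakpoints set: dr%s in use" % ",".join(
            str(s["slot"]) for s in d["slots"])
    if d["le"] and d["ge"]:
        return "SoftICE loader fingerprint (LE|GE set, dr7 == 0x700)"
    return "idle debug registers (dr7 == 0x400)"


if __name__ == "__main__":
    # 0x000F0401 is a constructed value: L0 armed, read/write, 4 bytes (a BPM).
    for value in (0x400, 0x700, 0x000F0401):
        print("dr7=%08x  %s" % (value, method10_verdict(value)))
```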

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"   /* Win32 API: CreateFile, CloseHandle */

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;          /* SoftICE (SICE) is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
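Added example (not part of the original post or of any tool it names): a static triage scanner for the checks described in Methods 01 to 13, so an analyst can flag a DOS/Win9x-era sample for these anti-SoftICE probes without running it. It assumes a flat raw file and the standard x86 encodings of the listed instructions (16-bit operand size for the int 3/2Fh/41h/68h probes; the patterns also match behind a 66h prefix); SAMPLE is a constructed blob, not a real binary.

```python
"""Static scanner for the anti-SoftICE tricks listed above (added example).
Each signature is the machine code of the immediates the trick needs, or
the device/registry string it opens; a hit is a reason to look closer,
not proof of protection (immediates can occur in unrelated code)."""
import re
import sys

# (method number, what the bytes are, regex over the raw file)
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "mov si,4647h .. mov di,4A4Dh back-door magic values",
     re.compile(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A", re.S)),
    ("03", "mov bx,0202h (SICE VxD ID) .. int 2Fh",
     re.compile(rb"\xBB\x02\x02.{0,16}\xCD\x2F", re.S)),
    ("04", "mov bx,7A5Fh (SIWVID VxD ID) .. int 2Fh",
     re.compile(rb"\xBB\x5F\x7A.{0,16}\xCD\x2F", re.S)),
    ("05", "mov ax,4Fh ; int 41h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("05/07/12", "cmp ax,0F386h system-debugger magic number",
     re.compile(rb"\x3D\x86\xF3")),
    ("07", "mov ah,43h ; int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key string",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: the Method 01 probe, the Haspinst-style Method 02
# sequence, the simplest Method 05 check, then a MeltICE device name.
SAMPLE = bytes.fromhex(
    "BD4B484342"          # mov ebp,4243484Bh
    "B80400CC3C04750A"    # mov ax,4 ; int 3 ; cmp al,4 ; jnz +0Ah
    "B811098B17"          # mov ax,0911h ; mov dx,[bx]
    "BE4746BF4D4ACC"      # mov si,4647h ; mov di,4A4Dh ; int 3
    "B84F00CD413D86F3"    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
) + b"\\\\.\\SICE\x00"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(data):
        print("%08x  method %-9s %s" % (off, method, desc))
```

Run it with a file path to scan that file; with no argument it scans the constructed SAMPLE.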