About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK' in EBP) that SoftICE recognises
on INT 3; if SoftICE is loaded it answers by changing AL:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is still 4 only when nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
These are the 'magic values' SoftICE checks for.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (If SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point); a VxD that is not loaded returns ES:DI = 0:0.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di          ; non-zero if either half is set
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps the int 41h vector for its
own IRET stub around the call (ES must hold 0, the IVT segment, as set up in
Method 06), so on a clean system AX comes back unchanged (4Fh), while a
debugger that intercepts int 41h before the vector is consulted still
answers 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our stub, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but harder to detect. Here the
program's own int 41h handler copies AL into CL; if a debugger intercepts
the interrupt the handler never runs, CL stays 0 and differs from AL (read
from the timer port so that it is unlikely to be 0):


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a changing AL value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name only succeeds if the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp-&gt;4 is lpFileName; +4 skips the "\\.\" prefix):
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp-&gt;8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" inside keys #2 and #1 respectively):

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
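As an added example (not code from the original article, nor from SoftICE or NuMega), the following portable C reimplements, over constructed input, the checks that Methods 10, 11 and 13 and their BPX conditions encode: the device-name compare behind "*(esp->4+4)=='SICE'", the sub-key offset compare behind "*(esp->8+0x13)" / "*(esp->8+0x37)", and a DR7 decoder for the 0x400 and 0x700 values the article quotes. Function names, the sample register state and the sample strings are this example's own; it runs without SoftICE, Windows or ring 0.

```c
/* Added example, not part of the original article: portable C versions of
 * the host-side checks behind Methods 10, 11 and 13, run over constructed
 * sample input so they can be exercised without SoftICE, Win9x or ring 0.
 * Function and variable names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Method 11: what "BPX CreateFileA if *(esp->4+4)=='SICE' || ..." tests.
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix, so the dword
 * compared is the first four characters of the device name. */
static int softice_device_name(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    size_t i;
    if (strlen(path) < 8 || memcmp(path, "\\\\.\\", 4) != 0)
        return 0;
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(path + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Method 13: what "BPX _regopenkey if *(esp->8+0x13)=='tICE' ||
 * *(esp->8+0x37)=='tICE'" tests. esp->8 is lpSubKey; 0x13 and 0x37 are
 * where "tICE" falls in "Software\NuMega\SoftICE" and in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
static int softice_registry_subkey(const char *subkey)
{
    static const size_t offs[] = { 0x13, 0x37 };
    size_t len = strlen(subkey), i;
    for (i = 0; i < 2; i++)
        if (len >= offs[i] + 4 && memcmp(subkey + offs[i], "tICE", 4) == 0)
            return 1;
    return 0;
}

/* Method 10: decode DR7. Bit 10 is reserved and reads as 1, so 0x400 is the
 * idle value the article quotes; 0x700 adds LE (bit 8) and GE (bit 9).
 * Bits 0-7 are the L0/G0..L3/G3 enables; bits 16+ hold R/W and LEN per slot. */
struct dr7_info {
    unsigned enabled_mask;   /* bit n set: DRn armed (local or global) */
    unsigned le, ge;         /* local/global exact-match enables */
    unsigned rw[4], len[4];  /* R/W: 0 exec, 1 write, 3 read/write; LEN 0..3 */
};

static struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d;
    int n;
    memset(&d, 0, sizeof d);
    for (n = 0; n < 4; n++) {
        if (dr7 & (3u << (2 * n)))
            d.enabled_mask |= 1u << n;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    return d;
}

/* The test Method 10 describes: any DR7 bit other than reserved bit 10, or
 * a non-zero address in DR0..DR3, means breakpoints or a debugger's
 * exact-match flags are present. */
static int debug_regs_suspicious(uint32_t dr7, const uint32_t dr0_3[4])
{
    int n;
    if ((dr7 & ~0x400u) != 0)
        return 1;
    for (n = 0; n < 4; n++)
        if (dr0_3[n] != 0)
            return 1;
    return 0;
}

/* Constructed sample register state (not captured from a real machine). */
static const uint32_t no_bpm[4]  = { 0, 0, 0, 0 };
static const uint32_t one_bpm[4] = { 0x00401000u, 0, 0, 0 };

int main(void)
{
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    struct dr7_info d = decode_dr7(0x700);
    size_t i;
    for (i = 0; i < 4; i++)
        printf("%-22s hit: %d\n", names[i], softice_device_name(names[i]));
    for (i = 0; i < 3; i++)
        printf("subkey #%zu hit: %d\n", i + 1, softice_registry_subkey(keys[i]));
    printf("dr7=0x700: LE=%u GE=%u armed=%u suspicious=%d\n", d.le, d.ge,
           d.enabled_mask, debug_regs_suspicious(0x700, no_bpm));
    printf("dr7=0x400 with DR0 set: suspicious=%d\n",
           debug_regs_suspicious(0x400, one_bpm));
    return 0;
}
```

Build with any C99 compiler (for instance cc -std=c99 antisice_checks.c) and run. The two offsets in the _regopenkey breakpoint fall straight out of the key strings: strlen("Software\\NuMega\\Sof") is 19 = 0x13 and strlen("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sof") is 55 = 0x37, which is why the third key (App Paths\Loader32.Exe) is not caught by that condition.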