About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; es=0 assumed, so es:[41h*4] is the IVT slot (cf. method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

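The following is an added example, not part of the original article: a decoder for the DR7 debug-control register, so that the two values quoted above (0x700 and 0x400) and any armed BPM slots become readable instead of magic numbers. The bit layout is the architectural one from the Intel manual (L0..G3 in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and always set, GD in bit 13, R/Wn and LENn fields in the high word); the sample values are constructed here and the function names are this example's own.

```python
"""Decode the x86 DR7 debug-control register the way the ring-0 read in
Method 10 would see it.  Added example; bit layout per the Intel SDM."""

# R/Wn field: what kind of access arms breakpoint slot n.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LENn field: 00 = 1 byte, 01 = 2 bytes, 10 = 8 bytes (64-bit mode), 11 = 4 bytes.
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict with the armed hardware breakpoints (DR0-DR3) and the
    control flags carried by the DR7 value."""
    breakpoints = []
    for slot in range(4):
        local = bool(dr7 >> (2 * slot) & 1)        # Ln: bits 0,2,4,6
        glob = bool(dr7 >> (2 * slot + 1) & 1)     # Gn: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3           # R/Wn: 2 bits from bit 16
        ln = (dr7 >> (18 + 4 * slot)) & 3           # LENn: 2 bits from bit 18
        breakpoints.append({
            "slot": slot,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 >> 8 & 1),              # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1), # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),             # general detect: traps MOV to/from DRx
    }


def observations(dr7):
    """Summarise what a Method 10 style check would notice in this DR7 value.
    0x400 (only the reserved bit) yields nothing; 0x700 adds LE and GE."""
    d = decode_dr7(dr7)
    notes = []
    if d["LE"] or d["GE"]:
        notes.append("exact-breakpoint flags (LE/GE) set")
    if d["breakpoints"]:
        notes.append("%d hardware breakpoint(s) armed (DR0-DR3)" % len(d["breakpoints"]))
    if d["GD"]:
        notes.append("general detect armed")
    return notes


if __name__ == "__main__":
    # Constructed sample values: the two quoted on the page plus one with a
    # global 4-byte write watch in DR0 (G0 | R/W0=01 | LEN0=11 | bit 10).
    for value in (0x400, 0x700, 0xD0402):
        print("dr7=%#07x -> %s" % (value, observations(value) or ["nothing set"]))
```

Reading DR7 this way from the debugger side is also how you would verify the claim in the text: a process loaded through the SoftICE loader shows the LE/GE bits, while a clean system shows only the reserved bit.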
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

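The breakpoint conditions listed under methods 02 through 12 catch these tricks at run time; an analyst triaging a packed sample usually wants the same knowledge applied statically. The scanner below is an added example (not part of the original article, nor any tool it mentions) that looks for the byte sequences behind Methods 01 through 05, 11 and 12 in a raw code/data image: the 'BCHK' int 3 probe, the 4647h/4A4Dh back door (decoding which 09xxh function is loaded into AX), the int 2Fh/1684h VxD lookup for either VxD ID, the int 41h/4Fh check, the "\\.\SICE"/"\\.\SIWVID"/"\\.\NTICE" device names and the 002A002Ah VxDCall stub. Opcode encodings are the standard x86 ones (a 66h operand-size prefix, where present, simply precedes the match); the few bytes of slack allowed between instructions and the sample image are this example's own assumptions, and the sample is constructed, not taken from any real file.

```python
"""Static triage of the anti-SoftICE patterns from Methods 01-05, 11 and 12.
Added example: scans a raw blob for their opcode/string sequences."""
import re

# Back-door functions selected by AX for the int 3 interface (Method 02).
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# (method number on the page, description, byte pattern).  Slack of a few
# bytes between instructions is an assumption about packers mixing in junk.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    (1, "BoundsChecker 'BCHK' probe via int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ... int 3
    (2, "SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,16}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    (3, "int 2Fh/1684h VxD entry-point lookup",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h (the cmp ax,0F386h usually follows)
    (5, "int 41h/4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 11: device names handed to CreateFileA / _lopen
    (11, "MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    (12, "VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

MOV_AX_09XX = re.compile(rb"\xB8(.)\x09", re.S)   # mov ax,09xxh


def backdoor_function(blob, end):
    """AX value loaded by the last 'mov ax,09xxh' in the 16 bytes before
    offset `end`, or None if the back-door call has no such load nearby."""
    hits = list(MOV_AX_09XX.finditer(blob[max(0, end - 16):end]))
    if not hits:
        return None
    return 0x0900 | hits[-1].group(1)[0]


def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit."""
    findings = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            detail = desc
            if method == 2:
                func = backdoor_function(blob, m.start())
                if func is not None:
                    detail += " -> AX=%04Xh: %s" % (func, BACKDOOR_FUNCS.get(func, "unknown"))
            elif method == 11:
                detail += ": " + m.group(0).decode("ascii")
            findings.append((m.start(), method, detail))
    return sorted(findings)


# Constructed sample image stitched from the page's own sequences; not a real file.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh ('BCHK')      Method 01
    + b"\x66\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                          # int 3
    + b"\x3C\x04\x75\x10"              # cmp al,4 ; jnz SoftICE_Detected
    + b"\xB8\x11\x09"                  # mov ax,0911h (execute command)   Method 02
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A"      # mov si,4647h ; mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x31\xFF\x8E\xC7"              # xor di,di ; mov es,di             Method 03
    + b"\xB8\x84\x16\xBB\x02\x02"      # mov ax,1684h ; mov bx,0202h
    + b"\xCD\x2F"                      # int 2Fh
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh ; int 41h              Method 05
    + b"\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\\\\.\\SICE\x00"               # "\\.\SICE",0                      Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah         Method 12
)

if __name__ == "__main__":
    for offset, method, detail in scan(SAMPLE):
        print("%06X  method %02d  %s" % (offset, method, detail))
```

Run it on a dumped section rather than the packed file on disk when the protector encrypts its code: these sequences only exist in clear text once the unpacking stub has run, which is also why the BPX/BPINT conditions in the text remain the more reliable check.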
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>