<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: 'BCHK' in EBP
and AX=04h on an INT 3. If SoftICE is loaded it answers through its INT 3
back door and AL is no longer 04h; without SoftICE the INT 3 returns with
AL untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through an exception handler (the program's
  own SEH) when the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). With ES:DI zeroed before the call, ES:DI is only
non-zero afterwards if the VxD answered:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of WINICE
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger to int 41h, function 4Fh (the debugger installation
check). There are several variants.

The simplest one:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in method 06, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). It first swaps its own IRET
handler into the int 41h vector (ES must be 0, the IVT segment, as in
method 06), so that the call is harmless when no debugger sits on that
vector, then restores the original vector:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]          ; install handler, keep old offset in dx
        xchg bx, es:[41h*4+2]        ; ... and old segment in bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]          ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to spot, since neither
function 4Fh nor the 0F386h constant appears. The installed handler copies
AL into CL. The caller reads a changing byte from the timer port (in
al,40h), clears CX and raises int 41h: if the vector still reaches the
program's own handler, CL equals AL afterwards; if SoftICE intercepts int
41h ahead of the IVT, the handler never runs, CL stays 0 and the mismatch
reveals the debugger. (If the timer byte happens to be 0, the check gives
a false negative.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                    ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                   ; timer channel 0: a changing value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a detection method, but a way to crash the system: intercept int 01h
and int 03h and redirect them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h                      ; set interrupt vector
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> the new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed from ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

        mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name     ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are
set (DR0 to DR3), simply by reading their value (ring 0 only, since MOV
from a debug register is privileged). Bit 10 of DR7 always reads as 1,
which is where the 0x400 comes from; 0x700 is that plus the LE and GE
(exact breakpoint) bits 8 and 9. The values can be manipulated or changed
as well (clearing BPMs, for instance).

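As an added illustration (not from the original text), the following C
decodes a DR7 value into its fields, so the two values named above, and
whatever a BPM leaves in the per-register enable, R/W and LEN bits, can be
read off instead of being compared as bare constants. The 0x00D00004 sample
is a constructed value, not one captured from SoftICE.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM, "Debug Control Register"):
 *   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3   local/global enable of DR0..DR3
 *   bit 8 LE, bit 9 GE                     local/global exact breakpoints
 *   bit 10       reserved, always reads 1  (hence the idle value 0x400)
 *   bit 13 GD                              general detect: trap on DRn access
 *   bits 16+4n   R/Wn (2 bits)  00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4n   LENn (2 bits)  00 1 byte, 01 2 bytes, 11 4 bytes
 * MOV from a debug register is privileged, which is why the text says the
 * check works in ring 0 only. */
typedef struct {
    unsigned local[4], global[4], rw[4], len[4];
    unsigned le, ge, gd;
    unsigned armed;     /* DR0..DR3 slots enabled by L or G */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = {0};
    for (unsigned n = 0; n < 4; n++) {
        d.local[n]  = (dr7 >> (2 * n)) & 1;
        d.global[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]     = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]    = (dr7 >> (18 + 4 * n)) & 3;
        if (d.local[n] || d.global[n]) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The two values the text names: 0x400 is an idle DR7 (only the
 * always-one bit set), 0x700 is 0x400 plus LE|GE with no slot armed. */
int dr7_is_idle(uint32_t dr7)         { return (dr7 & ~0x400u) == 0; }
int dr7_has_exact_flags(uint32_t dr7) { return (dr7 & 0x300u) == 0x300u; }

const char *dr7_rw_name(unsigned rw)
{
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

/* LEN encoding to bytes; 10b is undefined on 32-bit CPUs and reported as 0. */
unsigned dr7_len_bytes(unsigned len)
{
    return len == 0 ? 1 : len == 1 ? 2 : len == 3 ? 4 : 0;
}

void print_dr7(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    printf("DR7=%08x LE=%u GE=%u GD=%u armed=%u%s\n", dr7, d.le, d.ge, d.gd,
           d.armed, dr7_is_idle(dr7) ? " (idle)" : "");
    for (unsigned n = 0; n < 4; n++)
        if (d.local[n] || d.global[n])
            printf("  DR%u: %s%s %s, %u byte(s)\n", n, d.local[n] ? "L" : "",
                   d.global[n] ? "G" : "", dr7_rw_name(d.rw[n]),
                   dr7_len_bytes(d.len[n]));
}

int main(void)
{
    print_dr7(0x400);       /* nothing loaded, nothing armed */
    print_dr7(0x700);       /* the value the text attributes to the SoftICE loader */
    print_dr7(0x00D00004);  /* constructed: DR1 local, write, 4 bytes (a BPM W shape) */
    return 0;
}
```

A program doing this check from ring 0 would feed the raw register into
decode_dr7() and look at `armed` for BPMs; comparing against 0x700 alone
misses a SoftICE that has no LE/GE bits set and flags any other debugger
that does.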
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. It was however first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025       ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one (esp->4 is the lpFileName argument and +4 skips
 the "\\.\" prefix, so the compare hits the first four letters of the
 device name):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, so INC EAX leaves 0 exactly when the open failed):

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but is very limited, because it only works on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in
the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word: which VxD (VWIN32)
                                 ; low word: which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in the subkey strings of #2 and #1 respectively. Key #3 contains no 'tICE'
and is not caught by this breakpoint.)

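The CreateFileA breakpoint of method 11 and the _regopenkey breakpoint
above both test four bytes at a fixed offset into a string argument. The
following C is an added example (not from the original text or from
MeltICE) that re-does both tests as bounds-checked functions, so the
offsets can be verified against the actual device and key names and the
cases the breakpoints miss become visible. The argument strings are
constructed, not captured from a real program.

```c
#include <stdio.h>
#include <string.h>

/* The two conditional breakpoints on this page, re-done as bounds-checked C:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * At function entry esp->4 is the first argument (lpFileName) and esp->8 the
 * second (lpSubKey). SoftICE reads the four bytes blindly; here the string is
 * length-checked first so a short argument cannot be overread. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* 0 = not a SoftICE device, 1 = \\.\SICE, 2 = \\.\SIWVID, 3 = \\.\NTICE.
 * Offset 4 skips the "\\.\" device-namespace prefix. */
int softice_device_tag(const char *lpFileName)
{
    if (tag_at(lpFileName, 4, "SICE")) return 1;
    if (tag_at(lpFileName, 4, "SIWV")) return 2;
    if (tag_at(lpFileName, 4, "NTIC")) return 3;
    return 0;
}

/* 0 = not caught, 1 = key #2 Software\NuMega\SoftICE ('tICE' at 0x13),
 * 2 = key #1 Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 * ('tICE' at 0x37). Key #3 (App Paths\Loader32.Exe) has no 'tICE' at all. */
int softice_registry_tag(const char *lpSubKey)
{
    if (tag_at(lpSubKey, 0x13, "tICE")) return 1;
    if (tag_at(lpSubKey, 0x37, "tICE")) return 2;
    return 0;
}

/* Constructed arguments, as the breakpoints would see them on the stack. */
static const char *const DEVICE_ARGS[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0", "C:\\x",
};
static const char *const KEY_ARGS[] = {
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    "software\\numega\\softice",   /* the registry is case-insensitive, the BPX is not */
};

int main(void)
{
    for (size_t i = 0; i < sizeof DEVICE_ARGS / sizeof *DEVICE_ARGS; i++)
        printf("CreateFileA(%-22s) -> %d\n", DEVICE_ARGS[i],
               softice_device_tag(DEVICE_ARGS[i]));
    for (size_t i = 0; i < sizeof KEY_ARGS / sizeof *KEY_ARGS; i++)
        printf("RegOpenKey(%s) -> %d\n", KEY_ARGS[i],
               softice_registry_tag(KEY_ARGS[i]));
    return 0;
}
```

Two things fall out of running it: the App Paths key (#3) is never caught
by the _regopenkey breakpoint, and a program that lower-cases the key name
(which the registry accepts) slips past it as well, because the 'tICE'
compare is byte-exact. A case-insensitive compare, or a breakpoint on the
"NuMega" part, closes that gap.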
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>