<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD answers. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

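The BPX conditions above catch each probe while it runs; the same constants let an analyst spot the probes statically before stepping into a sample. The following Python scanner is an added example, not part of the original text: it flags the byte patterns and strings of Methods 01 to 13 in a raw code blob. The opcode encodings are my assumptions (16-bit real-mode for the DOS-style snippets, 32-bit for the 'BCHK' probe of Method 01); the magic values, VxD IDs, driver names and registry path are those given above, and the sample blob is constructed.

```python
"""Static scanner for the SoftICE probes catalogued above (added example).

Opcode encodings are assumed (16-bit real-mode unless noted); the magic
constants, VxD IDs, driver names and registry path come from the text.
"""
import re

LIT = re.escape          # literal byte sequence
GAP = rb".{0,8}?"        # tolerate a few unrelated bytes between pieces

# method number from this page -> (regex over raw bytes, description)
INDICATORS = {
    "01": (LIT(b"\xBD\x4B\x48\x43\x42") + GAP + LIT(b"\xCC"),         # mov ebp,'BCHK' (32-bit) .. int 3
           "BoundsChecker probe: mov ebp,'BCHK' then int 3"),
    "02": (LIT(b"\xBE\x47\x46\xBF\x4D\x4A") + GAP + LIT(b"\xCC"),     # mov si,4647h / mov di,4A4Dh .. int 3
           "back door: SI=4647h, DI=4A4Dh then int 3"),
    "03": (LIT(b"\xBB\x02\x02\xCD\x2F"),                              # mov bx,0202h / int 2Fh
           "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    "04": (LIT(b"\xBB\x5F\x7A\xCD\x2F"),                              # mov bx,7A5Fh / int 2Fh
           "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    "05": (LIT(b"\xB8\x4F\x00\xCD\x41") + GAP + LIT(b"\x3D\x86\xF3"),  # mov ax,4Fh / int 41h .. cmp ax,0F386h
           "int 41h/4Fh magic 0F386h check"),
    "07": (LIT(b"\xB4\x43\xCD\x68") + GAP + LIT(b"\x3D\x86\xF3"),     # mov ah,43h / int 68h .. cmp ax,0F386h
           "int 68h/43h magic 0F386h check"),
    "11": (LIT(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",           # '\\.\SICE',0 and friends
           "MeltICE: driver name for CreateFileA/_lopen"),
    "12": (LIT(b"\x6A\x4F\x68\x2A\x00\x2A\x00"),                      # push 4Fh / push 002A002Ah
           "VxDCall VWIN32_Int41Dispatch, function 4Fh"),
    "13": (LIT(b"Software\\NuMega\\SoftICE"),
           "registry lookup of the SoftICE install key"),
}


def scan(blob):
    """Return sorted (offset, method, description) for every indicator hit."""
    hits = []
    for method, (pattern, desc) in INDICATORS.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample blob (not from any real file): NOP filler, the
# Haspinst-style loop of Method 02, a Method 05 probe, a driver name and
# the NuMega registry path.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 hit at offset 9
          + b"\x90" * 3
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # Method 05 hit at offset 19
          + b"\\\\.\\SICE\x00"                                  # Method 11 hit at offset 29
          + b"Software\\NuMega\\SoftICE\x00")                    # Method 13 hit at offset 38

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method}: {desc}")
```

Run it on a file's bytes (`scan(open(path, "rb").read())`) to list which of the tricks above a sample carries; a hit on Method 11 or 13 is a string and survives most packers, while the opcode patterns only show once the code is unpacked.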
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>