<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 so that es:[41h*4] is the IVT entry
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer value: unpredictable AL
        xor cx, cx
        int 41h                 ; our handler copies AL to CL unless SoftICE owns int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name "\\.\SICE" is only openable when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                               ; will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                               ; will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
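Besides breakpoints inside SoftICE, the byte sequences behind Methods 01, 02, 03/04, 05, 11 and 12 can be searched for statically when triaging a packed executable. The scanner below is an added example, not code from the original text; it assumes standard Intel opcode encodings (16-bit code for Methods 02/03/04/05, 32-bit code for Methods 01/12) and runs over a constructed sample buffer.

```python
"""Static scanner for the anti-SoftICE byte patterns described above.

Added analyst-side example, not code from the original text. Each trick
is encoded as the bytes a standard assembler emits for the instructions
listed on the page (assumption: Intel opcode forms).
"""
import re
from typing import List, Tuple

# Opcode forms used below:
#   mov ebp,4243484Bh = BD 4B 48 43 42   int 3 = CC
#   mov si,4647h = BE 47 46   mov di,4A4Dh = BF 4D 4A
#   mov bx,0202h = BB 02 02   mov bx,7A5Fh = BB 5F 7A   int 2Fh = CD 2F
#   mov ax,4Fh = B8 4F 00   int 41h = CD 41
#   push 4Fh = 6A 4F   push 002A002Ah = 68 2A 00 2A 00
# ".{0,8}?" tolerates a few instructions between the two anchor opcodes.
PATTERNS: List[Tuple[str, bytes]] = [
    ("Method 01: BoundsChecker 'BCHK' signature + int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh (magic 0F386h)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("Method 11: MeltICE driver name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah, 4Fh)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every match, ordered by offset.

    Byte patterns this short can also occur by chance in data, so treat a
    hit as a place to disassemble, not as proof on its own.
    """
    hits = []
    for name, pat in PATTERNS:
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP padding around four of the page's sequences.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 (mov ax,0911h ...)
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # Method 05 (... cmp ax,0F386h)
    + b"\\\\.\\SICE\x00"                             # Method 11 ('\\.\SICE',0)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # Method 12 (push 4Fh/push 002A002Ah)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}: {name}")
```

Run it over a dumped (unpacked) image rather than the packed file, since the packer's own stub is usually what carries these checks.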

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>