<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                 ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]     ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and SoftICE will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

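A static check for the tricks above, added here as an example and not part of the original text: it scans a byte buffer for the instruction sequences and driver names quoted in methods 01 to 05, 07 and 11 and reports where they occur, which is what you would run over a packed sample before loading it under the debugger. The signatures are assembled by me from the encodings shown in the text, and the sample buffer is constructed, not taken from any real file.

```python
import re

# Byte signatures for the anti-SoftICE tricks described above, built from
# the plain x86 encodings: mov r16,imm16 is B8+reg imm16, int n is CD n,
# int 3 is CC. An optional 66h operand-size prefix lets the same 16-bit
# pattern match inside 32-bit code; the lazy gaps (.{0,16}?) allow a few
# unrelated instructions between the landmarks, as in the Haspinst.exe dump.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' in EBP, then int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    "02 SoftICE back door: SI=4647h, DI=4A4Dh, int 3":
        rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A.{0,16}?\xCC",
    "03 int 2Fh/1684h with SICE VxD ID 0202h":
        rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F",
    "04 int 2Fh/1684h with SIWVID VxD ID 7A5Fh":
        rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00\xCD\x41",
    "07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",
    "11 MeltICE driver name (CreateFileA / _lopen)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(blob):
    """Return every (offset, description) hit in blob, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real file): the Haspinst.exe sequence from
# method 02, the int 41h/4Fh check of method 05 and a MeltICE device name,
# separated by NOP filler so that the offsets are distinct.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                                 # method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                       # method 11
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```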
___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>