<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table segment, as set up in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx               ; CL = 0
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our handler ran, i.e. nobody hooked int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
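Methods 01 through 07 all leave the same static fingerprint: a few immediate
register loads followed by a software interrupt. The script below is an added
example (not code from the original text, nor from any packer or tool it
mentions) that walks a blob of 16-bit x86 code, decodes only "mov reg,imm"
and "int", and labels each interrupt whose register set-up matches one of the
methods above. The sample bytes it scans are hand-assembled for this example
(B8+r iw for mov r16,imm16; B0+r ib for mov r8,imm8; 66 prefix for a 32-bit
immediate; CD ib or CC for int); it assumes 16-bit code, so 32-bit code would
need the operand-size handling inverted.

```python
# Static triage for the interrupt-based SoftICE probes of Methods 01-07.
# Added example: it recognises only the instruction forms those methods use
# (mov reg,imm and int), so it is a signature scanner, not a disassembler.
# Assumes 16-bit code.

# Register order encoded in the low 3 bits of the B8+r / B0+r opcodes
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# AX function numbers of the int 3 back door (Method 02)
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def decode_interrupts(code, window=24):
    """Return (offset, int_no, regs) for every int found; regs holds the
    immediate register loads seen within `window` bytes before it."""
    loads = {}  # register -> (value, offset of the load)
    events = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        wide = False
        if b == 0x66 and i + 1 < n:  # operand-size prefix: 32-bit immediate
            wide = True
            i += 1
            b = code[i]
        if 0xB8 <= b <= 0xBF:  # mov r16/r32, imm
            width = 4 if wide else 2
            if i + width >= n:
                break
            value = int.from_bytes(code[i + 1:i + 1 + width], "little")
            reg = ("e" if wide else "") + REG16[b - 0xB8]
            loads[reg] = (value, i)
            i += 1 + width
        elif 0xB0 <= b <= 0xB7:  # mov r8, imm8
            if i + 1 >= n:
                break
            loads[REG8[b - 0xB0]] = (code[i + 1], i)
            i += 2
        elif b in (0xCC, 0xCD):  # int 3 / int imm8
            if b == 0xCD and i + 1 >= n:
                break
            int_no = 3 if b == 0xCC else code[i + 1]
            recent = {r: v for r, (v, off) in loads.items() if i - off <= window}
            events.append((i, int_no, recent))
            i += 1 if b == 0xCC else 2
        else:
            i += 1  # anything else: skip one byte (conservative, may misalign)
    return events


def classify(int_no, regs):
    """Map an interrupt plus its register set-up to one of the methods above."""
    ax, bx, si, di = (regs.get(r) for r in ("ax", "bx", "si", "di"))
    if int_no == 3 and regs.get("ebp") == 0x4243484B and ax == 4:
        return "Method 01: BoundsChecker 'BCHK' signature probe"
    if int_no == 3 and si == 0x4647 and di == 0x4A4D:
        ax_txt = "%04Xh" % ax if ax is not None else "?"
        return "Method 02: SoftICE back door, AX=%s (%s)" % (
            ax_txt, BACKDOOR_FUNCS.get(ax, "unknown function"))
    if int_no == 0x2F and ax == 0x1684 and bx in (0x0202, 0x7A5F):
        vxd = "SICE" if bx == 0x0202 else "SIWVID"
        return "Method 03/04: int 2Fh/1684h entry-point lookup for VxD %s" % vxd
    if int_no == 0x41 and ax == 0x4F:
        return "Method 05/06: int 41h/4Fh debugger-installed check (expects 0F386h)"
    if int_no == 0x68 and regs.get("ah") == 0x43:
        return "Method 07: int 68h/43h V86 handler check (expects 0F386h)"
    return None


def scan(code, window=24):
    """Return [(offset, label)] for every interrupt matching a known probe."""
    hits = []
    for off, int_no, regs in decode_interrupts(code, window):
        label = classify(int_no, regs)
        if label:
            hits.append((off, label))
    return hits


# Hand-assembled sample (constructed for this example): one benign DOS call
# followed by the probes of Methods 02, 05, 03, 01 and 07, in that order.
SAMPLE = bytes.fromhex(
    "B409CD21"                  # mov ah,9 / int 21h (benign)
    "B81109BE4746BF4D4ACC"      # mov ax,911h / si,4647h / di,4A4Dh / int 3
    "B84F00CD413D86F3"          # mov ax,4Fh / int 41h / cmp ax,0F386h
    "33FF8EC7B88416BB0202CD2F"  # xor di,di / mov es,di / ax,1684h / bx,202h / int 2Fh
    "66BD4B484342B80400CC"      # mov ebp,'BCHK' / mov ax,4 / int 3
    "B443CD68"                  # mov ah,43h / int 68h
)
```

Running scan(SAMPLE) reports the five probes at offsets 13, 17, 32, 43 and
46 and stays silent on the int 21h call; the `window` argument bounds how far
back a register load may sit, which keeps values from one probe from being
attributed to the next.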
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
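Methods 11 and 13 both rest on fixed strings (the \\.\SICE, \\.\SIWVID and
\\.\NTICE device names handed to CreateFileA or _lopen, and the registry
keys listed above), so they can be triaged in a file image without running
the program, much as the BPX conditions above compare the bytes after \\.\.
The script below is an added example, not code from the original text or
from MeltICE: it searches a byte image for those strings in ANSI and UTF-16LE
form, ignoring case, and reports the offset, encoding and kind of each hit.
The sample image it scans is constructed for this example.

```python
# String-based triage for Methods 11 and 13. Added example, not code from the
# original text or from MeltICE.

# Device names opened as "\\.\<name>" (SICE/SIWVID on Win9x, NTICE on NT)
DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]

# Registry keys #1-#3 above, all under HKEY_LOCAL_MACHINE
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def signatures():
    """Return (kind, text) pairs to look for."""
    sigs = [("device", "\\\\.\\" + name) for name in DEVICE_NAMES]
    sigs += [("registry", key) for key in REGISTRY_KEYS]
    return sigs


def find_softice_strings(blob):
    """Return sorted (offset, encoding, kind, text) for every occurrence."""
    # bytes.lower() folds ASCII letters only, so the NUL bytes of UTF-16LE
    # text survive and the wide needles still line up.
    haystack = blob.lower()
    hits = []
    for kind, text in signatures():
        for codec, label in (("ascii", "ansi"), ("utf-16-le", "unicode")):
            needle = text.encode(codec).lower()
            start = 0
            while True:
                idx = haystack.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, label, kind, text))
                start = idx + 1
    return sorted(hits)


# Constructed sample image: an ANSI device name, a mixed-case UTF-16LE device
# name, an unrelated string, and registry key #2.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
    + "\\\\.\\NtIce".encode("utf-16-le") + b"\x00\x00"
    + b"MeltICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)
```

On the sample, find_softice_strings(SAMPLE) returns the ANSI \\.\SICE at
offset 8, the wide \\.\NTICE at offset 21 and the NuMega registry key at
offset 49; "MeltICE" itself is not a signature and is left alone. A packed
or encrypted program hides these strings until run time, which is why the
breakpoints above remain the dynamic counterpart of this static check.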
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>