<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; INT call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0, the interrupt vector table segment
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2] ; ...and keep the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al into cl; SoftICE's handler does not
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; a value that is hard to predict (timer port)
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; if our handler did not run, cl is still 0
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
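As an added example (not part of the original text), here is a Python byte-pattern scanner for the int 3 / int 2Fh / int 41h / int 68h checks of Methods 01 to 07, the kind of triage script an analyst runs over a suspicious file to find the textbook forms of these sequences. The regexes encode the literal 16-bit instructions shown above (and the 32-bit 'mov ebp' form of Method 01); the SAMPLE buffer is hand-assembled from those snippets and is constructed, not taken from any real packer. Reordered or obfuscated variants need a disassembler or emulation, which this script does not attempt.

```python
"""Byte-pattern scanner for the int 3 / int 2Fh / int 41h / int 68h SoftICE
checks described in Methods 01 to 07.  Added example, not code from the
original text: it recognises only the literal textbook encodings shown in
those methods (16-bit encodings for the DOS snippets, the 32-bit 'BCHK'
form for Method 01).  A hit is a lead for manual analysis, not proof."""
import re

# Each entry: label, regex over raw bytes.  The .{0,N}? gaps allow a few
# unrelated instructions between the register setup and the INT itself.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    # Method 02: mov si,4647h / mov di,4A4Dh (in either order) ... int 3
    ("Method 02: SoftICE back door magic SI=4647h DI=4A4Dh",
     rb"(?:\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46).{0,16}?\xcc"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> ... int 2Fh
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16.{0,16}?\xbb\x02\x02.{0,16}?\xcd\x2f"),
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,16}?\xbb\x5f\x7a.{0,16}?\xcd\x2f"),
    # Method 05: mov ax,4Fh ... int 41h
    ("Method 05: int 41h function 4Fh debugger check",
     rb"\xb8\x4f\x00.{0,16}?\xcd\x41"),
    # Method 06: in al,40h / xor cx,cx ... int 41h (hooked-vector variant)
    ("Method 06: int 41h with hooked vector (in al,40h / xor cx,cx)",
     rb"\xe4\x40.{0,8}?(?:\x33\xc9|\x31\xc9).{0,8}?\xcd\x41"),
    # Method 07: mov ah,43h ... int 68h
    ("Method 07: int 68h function 43h (WinICE V86 handler)",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(buf: bytes):
    """Return sorted (offset, label) pairs for every signature hit in buf."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the snippets from the text hand-assembled and glued
# together with NOP filler.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    # Method 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    + b"\x90" * 4
    # Method 02 (16-bit): mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x90" * 4
    # Method 03 (16-bit): xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    + b"\x90" * 4
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"
    + b"\x90" * 4
    # Method 07 (16-bit): mov ah,43h ; int 68h ; cmp ax,0F386h ; jz
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x10"
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Running the script prints one line per hit with its file offset. A hit only means the encoded sequence is present; look at the surrounding code before concluding that the sample is SoftICE-aware, since the same bytes can occur in unrelated data.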


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
__________________________________________________________________________
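Because a raw DR7 value (Method 10) is hard to read, the following added Python example (not from the original text) decodes DR7 according to the documented Intel layout and shows why 0x400 and 0x700 differ: 0x400 is only the reserved bit 10, which always reads as 1, while 0x700 adds the LE and GE bits, with no hardware breakpoint enabled in either case. The encode_bpm helper and all function names are my own; the bit positions are the architectural ones.

```python
"""Decoder for the x86 DR7 debug control register (added example for
Method 10, not code from the original text).  Layout as documented by
Intel: bits 0-7 are the L/G enable pairs for DR0..DR3, bit 8 LE, bit 9 GE,
bit 10 is reserved and always reads as 1, bit 13 GD, and bits 16-31 hold
the R/W and LEN fields for each breakpoint.  The sample values 0x400 and
0x700 are the ones the text quotes."""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8, 11=4


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of enabled hardware breakpoints."""
    bps = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        if not (local or glob):
            continue
        rw = dr7 >> (16 + 4 * i) & 0b11
        ln = dr7 >> (18 + 4 * i) & 0b11
        bps.append({"index": i, "local": local, "global": glob,
                    "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "GD": bool(dr7 >> 13 & 1),
        "breakpoints": bps,
    }


def looks_like_loader(dr7: int) -> bool:
    """True when DR7 carries the LE/GE bits the text associates with the
    SoftICE loader (0x700) on top of the always-set reserved bit (0x400)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def encode_bpm(index: int, rw: str, length: int, local: bool = True) -> int:
    """Build the DR7 bits for one memory breakpoint (e.g. a 4-byte write
    watch on DR0) so the decoder can be checked against a known input."""
    rw_code = {v: k for k, v in RW_TYPES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index) if local else 1 << (2 * index + 1)
    return (0x400 | enable
            | (rw_code << (16 + 4 * index))
            | (len_code << (18 + 4 * index)))


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "write", 4)):
        print(hex(value), decode_dr7(value), "loader-like:", looks_like_loader(value))
```

The decoder is the part of the trick an analyst actually needs: once a sample reads DR7, knowing which bits it compares tells you whether it only looks for the loader flags or also enumerates your BPMs in DR0 to DR3.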

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
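Methods 11, 12 and 13 all leave user-mode artefacts in the binary itself, so as an added example (not code from the original text, nor from MeltICE or NuMega) here is a Python scanner for those indicators: the \\.\SICE, \\.\SIWVID and \\.\NTICE device names that both the CreateFileA and the 16-bit _lopen variants pass, the three registry paths of Method 13, and the push 4Fh / push 002A002Ah sequence that precedes the VxDCall of Method 12. Strings are matched as ANSI and as UTF-16LE; the UTF-16LE form is my assumption that a Unicode build of the same check would hand CreateFileW the same name. The SAMPLE buffer is constructed for the demonstration.

```python
r"""Scanner for the user-mode SoftICE indicators of Methods 11 to 13: the
\\.\SICE / \\.\SIWVID / \\.\NTICE device names opened by MeltICE-style code
(CreateFileA or the 16-bit _lopen; both pass the same string), the NuMega
registry paths, and the VxDCall(VWIN32_Int41Dispatch, 4Fh) push sequence
of Method 12.  Added example, not code from the original text."""
import re

DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_PATHS = [
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]
# Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; then the call
VXDCALL_INT41 = re.compile(
    rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00", re.DOTALL)


def _string_patterns(text: str):
    """Yield (encoding, regex) for the ANSI and UTF-16LE forms of text.
    The UTF-16LE form is an assumption about Unicode builds of the check;
    IGNORECASE works per byte, so it applies to both encodings."""
    for enc in ("ascii", "utf-16-le"):
        yield enc, re.compile(re.escape(text.encode(enc)),
                              re.IGNORECASE | re.DOTALL)


def scan_indicators(buf: bytes):
    """Return sorted (offset, kind, detail) triples for every indicator found."""
    hits = []
    for name in DEVICE_NAMES:
        for enc, rx in _string_patterns(name):
            for m in rx.finditer(buf):
                hits.append((m.start(), "device-name", f"{name} ({enc})"))
    for path in REGISTRY_PATHS:
        for enc, rx in _string_patterns(path):
            for m in rx.finditer(buf):
                hits.append((m.start(), "registry-path", f"{path} ({enc})"))
    for m in VXDCALL_INT41.finditer(buf):
        hits.append((m.start(), "vxdcall-int41",
                     "push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch)"))
    return sorted(hits)


def summarize(buf: bytes) -> dict:
    """Group hits by kind so a triage report can say which of the three
    methods appear to be present in the file."""
    out = {"device-name": [], "registry-path": [], "vxdcall-int41": []}
    for off, kind, detail in scan_indicators(buf):
        out[kind].append((off, detail))
    return out


# Constructed sample resembling a small .data/.text fragment; not taken
# from any real binary.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                  # ANSI device name (Method 11)
    + b"\x00" * 4
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"    # Unicode device name
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"                    # registry key #2 (Method 13)
    + b"\x00" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x00\x00\x00\x00"  # Method 12 pushes + call
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, kind, detail in scan_indicators(SAMPLE):
        print(f"{off:#06x}  {kind:14s} {detail}")
```

A device-name or registry-path hit says the program knows about SoftICE, not that it acts on the result; the vxdcall-int41 pattern is more specific because the 002A002Ah service number has no other common use in application code.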


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>