<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; al is no longer 4 when SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of WINICE
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point (stays 0:0 if no such VxD)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install a dummy int 41h handler (es = 0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h            ; a system debugger still answers despite the hook
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install the handler above
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read the timer: a pseudo-random value in al
    xor cx,cx
    int 41h                   ; the dummy handler copies al into cl...
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ...unless a debugger took the interrupt instead
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
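To make sense of readings like 0x700 and 0x400, here is a DR7 decoder as an added example (Python, not code from the original page). The bit layout is the documented x86 one (Intel SDM): L0/G0..L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and always read as 1, GD in bit 13, then two-bit R/Wn and LENn fields from bit 16 upward. The function names, the `softice_loader_hint` heuristic (the page's 0x700 vs 0x400 rule expressed as "both exact-match bits set") and the sample values are mine, not from the page or from NuMega.

```python
# Added example (not code from the original page): decode an x86 DR7 value
# into its fields so that a reading such as 0x700 or 0x400 can be interpreted.
# Layout per the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved (reads as 1), GD bit 13, R/Wn and LENn as 2-bit fields
# starting at bit 16 (4 bits per breakpoint).

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict with the global flags and one entry per armed breakpoint."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD: trap on any DRx access
        "breakpoints": [],
    }
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))
        global_en = bool(dr7 & (1 << (2 * n + 1)))
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "index": n,
            "local": local_en,
            "global": global_en,
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def softice_loader_hint(dr7):
    """The page's heuristic (my name for it): dr7 == 0x700, i.e. LE and GE set,
    when the program was started through the SoftICE loader; 0x400 (reserved
    bit only) otherwise. Returns True when both exact-match bits are set."""
    return (dr7 & 0x300) == 0x300


def memory_breakpoints_set(dr7):
    """True if any of dr0..dr3 is armed (what the page calls a BPM)."""
    return bool(dr7 & 0xFF)


# Constructed sample values (not read from a real machine):
SAMPLE_LOADER = 0x700                                 # started via the SoftICE loader
SAMPLE_PLAIN = 0x400                                  # nothing armed
SAMPLE_BPM = 0x400 | 0x1 | (3 << 16) | (3 << 18)      # dr0: local, read/write, 4 bytes

if __name__ == "__main__":
    for value in (SAMPLE_LOADER, SAMPLE_PLAIN, SAMPLE_BPM):
        print(hex(value), softice_loader_hint(value),
              memory_breakpoints_set(value), decode_dr7(value))
```

The decoder only interprets the value; reading DR7 in the first place is the ring0 operation the text describes, and on a machine where nothing else touches the debug registers a non-zero low byte is the cleanest sign that hardware breakpoints are armed.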

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if a handle to the SoftICE (Win9x) driver can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
             ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
             ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
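The breakpoints listed for each method catch the tricks at run time. When you only have the file, the same tricks leave recognisable byte sequences, so here is a static scanner as an added example (Python; not code from the original page, and not a NuMega or Stone tool). It covers the instruction sequences of methods 01 to 07 (the opcode encodings assume 16-bit real-mode code, with the 66h operand-size prefix of method 01's `mov ebp,imm32` made optional so 32-bit code matches too), the device names of method 11 and the registry key names of method 13. The labels, the regex gaps of up to 8 or 16 bytes between instructions, and the sample blob are my own constructions.

```python
# Added example (not code from the original page): static byte-signature
# scan for the SoftICE-detection tricks described on this page.
import re

# Instruction-level signatures. Encodings are 16-bit real-mode x86:
#   B8+r iw = mov r16,imm16 (ax=B8, bx=BB, si=BE, di=BF), B4 ib = mov ah,imm8,
#   66 BD id = mov ebp,imm32, CC = int 3, CD ib = int imm8,
#   26 87/89 /r = xchg/mov r16 <-> es:[disp16].
# ".{0,n}?" allows a few unrelated bytes between the instructions.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3
    ("method01_bchk_int3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    # Method 02: back door magic values mov si,4647h; mov di,4A4Dh ... int 3
    ("method02_backdoor_magic",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h; mov bx,0202h (SICE) or 7A5Fh (SIWVID); int 2Fh
    ("method03_04_int2f_1684",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h
    ("method05_int41_4f",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    # Methods 05/06 (Stone's variants): a 16-bit write of the int 41h vector
    # offset word at es:[0104h] via xchg (87) or mov (89), any source register
    ("method05_06_int41_vector_write",
     re.compile(rb"\x26[\x87\x89][\x06\x0E\x16\x1E\x26\x2E\x36\x3E]\x04\x01")),
    # Method 07: mov ah,43h; int 68h
    ("method07_int68_43",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
]

# String markers (ANSI only) for the Win32 tricks.
STRING_MARKERS = [
    # Method 11: the driver device names opened with CreateFileA / _lopen
    ("method11_device_name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the registry keys listed on the page
    ("method13_registry_key",
     re.compile(rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
                re.IGNORECASE)),
]


def scan_for_softice_tricks(blob):
    """Return sorted (offset, label) pairs for every signature found in blob."""
    hits = []
    for label, pattern in SIGNATURES + STRING_MARKERS:
        for match in pattern.finditer(blob):
            hits.append((match.start(), label))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a whole file read as raw bytes."""
    with open(path, "rb") as f:
        return scan_for_softice_tricks(f.read())


# Constructed sample blob (hand-assembled, not taken from any real program):
# nop padding, then one instance of methods 01, 02, 04, 05, the vector write
# of method 06, a method 11 device name and a method 13 registry key.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01 at 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # magic values at 23
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"           # method 04 at 34
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # method 05 at 42
    + b"\x26\x87\x16\x04\x01\x26\x87\x1E\x06\x01"                   # vector write at 52
    + b"\\\\.\\SICE\x00"                                            # device name at 62
    + b"Software\\NuMega\\SoftICE\x00"                              # registry key at 71
)

if __name__ == "__main__":
    for offset, label in scan_for_softice_tricks(SAMPLE_BLOB):
        print(f"{offset:08x}  {label}")
```

A hit is a lead for the analyst, not proof: the 16-bit encodings above would not match a 32-bit rewrite of the same trick, and the registry and device-name strings are sometimes built at run time rather than stored in clear, which is why the run-time breakpoints given for each method remain the reliable check.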

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>