<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; ES must address the IVT (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]       ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; only a debugger sitting on int 41h can answer this
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; our handler echoes al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; ES -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, saving the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read PIT counter 0: a value nobody can predict
    xor cx,cx
    int 41h                     ; if a debugger swallows int 41h instead of chaining, cl stays 0
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

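The two values quoted above (dr7=0x700 against 0x400) follow from the bit layout of DR7. The decoder below is an added example, not code from the original text: it splits a DR7 value into its fields so you can see why 0x400 is the idle baseline (reserved bit 10 always reads as 1), why 0x700 additionally carries the LE/GE bits 8 and 9, and which of DR0..DR3 are armed as memory breakpoints and of what kind. Field positions follow the Intel SDM description of the debug registers; the sample values used at the bottom are constructed.

```python
# DR7 decoder, added as an example for Method 10; not part of the original text.
# Bit layout (Intel SDM, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit  8     LE, bit 9 GE            local/global exact breakpoint enable
#   bit  10    reserved, always 1      -> the 0x400 baseline quoted in the text
#   bit  13    GD                      general detect (trap on debug-register access)
#   bits 16+4i R/Wi (2 bits)           00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4i LENi (2 bits)           00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes

DR7_RESERVED_BIT10 = 1 << 10

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the global flags and a list describing each armed breakpoint."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue                      # DRi holds no active breakpoint
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info["breakpoints"].append({
            "reg": i,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def looks_like_debugger(dr7):
    """The heuristic the text describes: anything beyond the reserved baseline."""
    return (dr7 & ~DR7_RESERVED_BIT10) != 0


def describe(dr7):
    """One human-readable line per finding, for a ring0 dump of DR7."""
    info = decode_dr7(dr7)
    lines = [f"dr7={dr7:#x} LE={int(info['le'])} GE={int(info['ge'])} GD={int(info['gd'])}"]
    for bp in info["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        lines.append(f"  DR{bp['reg']}: {scope} {bp['type']} breakpoint, {bp['length']} byte(s)")
    if not info["breakpoints"] and not looks_like_debugger(dr7):
        lines.append("  no breakpoints armed, baseline value")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text, plus one with a
    # global 4-byte write BPM in DR0 and a local execute breakpoint in DR1.
    for sample in (0x400, 0x700, 0xD0406):
        print(describe(sample))
```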
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver answers on \\.\SICE */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* driver present: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

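Every method above leaves a recognisable trace in the binary itself: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h sequence of Methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of Methods 05 and 07, the 002A002Ah VxDCall of Method 12, and the \\.\SICE device names and NuMega registry path of Methods 11 and 13. The static scanner below is an added example, not code from the original text or from any program it mentions: it searches a file for those byte patterns so an analyst can flag a sample that carries these checks before running it under a debugger. The opcode bytes are my own encoding of the instructions shown in each method (16-bit operand size for the DOS-style sequences, 32-bit for Method 01), and the sample buffer at the bottom is constructed.

```python
# Static scanner for the SoftICE-detection sequences described on this page.
# Added example; opcode encodings are assumed from the standard x86 encoding of
# the instructions listed in each method, not copied from the original text.
import re
import sys

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4  (32-bit code)
    "method01_bchk": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh within a few bytes of each other
    "method02_backdoor": rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh  (16-bit code)
    "method03_04_int2f": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h, with or without a 66h operand-size prefix
    "method05_int41": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "method07_int68": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "method12_vxdcall": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: driver device names passed to CreateFileA / _lopen
    "method11_devname": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: the registry path most programs query
    "method13_regkey": rb"Software\\NuMega\\SoftICE",
}

# DOTALL so the .{0,8} gap in the Method 02 pattern may span a 0x0A byte.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan_bytes(data):
    """Return a sorted list of (offset, signature_name) hits found in data."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk; returns the same list as scan_bytes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample: filler bytes with the Method 01, 05, 11 and 13 patterns
# embedded, standing in for a packed executable.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 + jnz
    + b"\x00" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                            # Method 05 + cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # Method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13 key
)

if __name__ == "__main__":
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE)
    for off, name in target:
        print(f"{off:#08x}  {name}")
```

Run it without arguments to scan the constructed sample, or with a path to scan a real file. Hits are only an indicator that the sequence exists somewhere in the image; a packed or encrypted section will hide them until the sample is unpacked, which is exactly why the page's breakpoint-based checks remain useful alongside this static pass.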
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>