About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,42
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command to execute is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: a hard to predict value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler copied al to cl; a debugger
    jnz     SoftICE_detected        ; sitting on int 41h leaves cl = 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);        /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
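The interrupt-based checks of methods 01, 02, 05, 07 and 12 all sit on a handful of fixed constants ('BCHK', the 4647h/4A4Dh magic pair, function 4Fh on int 41h, function 43h on int 68h, the 002A002Ah VxDCall service and the 0F386h reply), so an analyst can find them in a packed file statically, before ever stepping through it under SoftICE. The scanner below is an added example, not code from the article or from any of the packers it mentions: the byte patterns are the standard x86 encodings of the instructions listed above (an assumption about how the code was assembled; `push 4Fh` for instance is accepted in both its 6A and 68 forms), and the sample image is constructed by hand from the article's own listings, including the Haspinst.exe loop of method 02. Offsets reported in the test refer to that constructed image only.

```python
"""Static scanner for the interrupt-based SoftICE checks (methods 01/02/05/07/12)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str     # method number in the article
    name: str       # what the bytes encode
    pattern: bytes  # regex over raw bytes; scanned with re.DOTALL so '.' is any byte


SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'), 66h-prefixed in 16-bit code, then an
    # int 3 (CCh or CD 03h) within the next 8 bytes.
    Signature("01", "BoundsChecker 'BCHK' backdoor (mov ebp,4243484Bh ... int 3)",
              rb"(?:\x66)?\xbd\x4b\x48\x43\x42.{0,8}?(?:\xcc|\xcd\x03)"),
    # Method 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM') in either order, then int 3.
    Signature("02", "SoftICE back door magic (mov si,4647h / mov di,4A4Dh ... int 3)",
              rb"(?:\xbe\x47\x46.{0,6}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,6}?\xbe\x47\x46)"
              rb".{0,8}?(?:\xcc|\xcd\x03)"),
    # Method 05: mov ax,4Fh ; int 41h
    Signature("05", "int 41h function 4Fh debugger-installation check",
              rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    Signature("07", "int 68h function 43h (V86) WinICE handler check",
              rb"\xb4\x43\xcd\x68"),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 2A002Ah (VWIN32_Int41Dispatch)
    Signature("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
              rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # Shared by 05/07/12: cmp ax,0F386h (66h prefix when assembled as 32-bit code)
    Signature("05/07/12", "compare with debugger magic 0F386h (cmp ax,0F386h)",
              rb"(?:\x66)?\x3d\x86\xf3"),
]


def scan(image: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, image, re.DOTALL):
            hits.append((m.start(), sig.method, sig.name))
    return sorted(hits)


def methods_found(image: bytes) -> set[str]:
    return {method for _, method, _ in scan(image)}


def magic_as_ascii(value: int) -> str:
    """Why the article writes 4243484Bh as 'BCHK' (and 4647h/4A4Dh as 'FG'/'JM')."""
    width = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(width, "big").decode("ascii")


# Constructed sample image: NOP padding around hand-assembled fragments of the
# article's listings (16-bit encodings for 01/02/05/07, 32-bit for method 12).
NOPS = b"\x90" * 8
SAMPLE_IMAGE = (
    b"\x90" * 16
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,42h / jnz
    + bytes.fromhex("66BD4B484342 B80400 CC 3C42 7505")
    + NOPS
    # Method 02: the Haspinst.exe loop (4C19:0095..00AD) from the article
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC")
    + NOPS
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + bytes.fromhex("B84F00 CD41 3D86F3 7405")
    + NOPS
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    + bytes.fromhex("B443 CD68 3D86F3 7405")
    + NOPS
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h / jz
    + bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3 7405")
    + NOPS
)

if __name__ == "__main__":
    for offset, method, name in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  method {method:<8} {name}")
    for v in (0x4243484B, 0x4647, 0x4A4D):
        print(f"{v:#x} -> {magic_as_ascii(v)!r}")
```

Run it on a raw code section (the unpacked image, not the packed file, since the stub is what carries these checks) and treat each hit as a place to look, not as proof: method 06 deliberately avoids the 4Fh constant, so it produces no hit here, and any 0F386h compare found without a nearby int 41h/68h still deserves a look by hand.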

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


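The breakpoint conditions given for methods 11 and 13 compare four bytes at a fixed offset into the string the program passes (esp->4 is the first argument, lpFileName, for CreateFileA; esp->8 is the second, lpSubKey, for RegOpenKey), so the offsets 4, 0x13 and 0x37 are dictated by the strings themselves. The script below is an added example, not part of the article: it derives those offsets from the device names and registry keys listed above and evaluates the same conditions in Python, modelling SoftICE's `*(ptr+off)=='XXXX'` as a 4-byte slice. It assumes the arguments are plain ASCII, exactly as the article's breakpoints do.

```python
"""Deriving and checking the breakpoint-condition offsets of methods 11 and 13."""
from __future__ import annotations

# Driver names from method 11 (MeltICE) and the three subkeys from method 13,
# the latter without the HKEY_LOCAL_MACHINE root that RegOpenKey gets as hKey.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_SUBKEYS = {
    1: r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    2: r"Software\NuMega\SoftICE",
    3: r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def dword_at(s: str, offset: int) -> str:
    """The 4 ASCII bytes a SoftICE '*(ptr+offset)' compare sees.

    Past the terminating NUL a real machine would read whatever follows the
    string; here that region is modelled as NULs, so such reads never match.
    """
    raw = s.encode("ascii") + b"\0" * 4
    return raw[offset:offset + 4].decode("ascii")


def tag_offsets(tag: str, strings) -> dict[str, int]:
    """Byte offset of a 4-char tag inside each string (-1 when absent)."""
    return {s: s.find(tag) for s in strings}


def bpx_createfilea(lp_file_name: str) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"""
    # +4 skips the four bytes of the "\\.\" device prefix.
    return dword_at(lp_file_name, 4) in ("SICE", "SIWV", "NTIC")


def bpx_regopenkey(lp_sub_key: str) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    return dword_at(lp_sub_key, 0x13) == "tICE" or dword_at(lp_sub_key, 0x37) == "tICE"


if __name__ == "__main__":
    for name in DEVICE_NAMES:
        print(f"{name:<12} dword at +4 = {dword_at(name, 4)!r:8} "
              f"CreateFileA bpx fires: {bpx_createfilea(name)}")
    for n, key in REGISTRY_SUBKEYS.items():
        off = key.find("tICE")
        print(f"#{n}: 'tICE' at {off:#x}" if off >= 0 else f"#{n}: no 'tICE'",
              f"-> _regopenkey bpx fires: {bpx_regopenkey(key)}")
```

The derivation confirms the two constants in the article: 'tICE' sits at 0x13 in `Software\NuMega\SoftICE` (key #2) and at 0x37 in the `...\Uninstall\SoftICE` key (#1). It also shows the breakpoint's blind spot: key #3 (`App Paths\Loader32.Exe`) contains no 'tICE' at all, so a program that locates SoftICE through that key passes the `_regopenkey` breakpoint untouched, and a separate condition on that subkey is needed to catch it.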
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>