About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

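As an added example that is not part of the original text: a small C signature scanner an analyst could run over a code section to flag the int 3 based checks of Methods 01 and 02 and the int 41h/4Fh check of Methods 05 and 06 before loading a sample in a debugger. The scanner, its function names, the opcode encodings it matches (32-bit code for Method 01, 16-bit code for the others) and the sample buffer are my own construction, not code from the text or from any of the tools it mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HIT_BCHK = 1, HIT_BACKDOOR = 2, HIT_INT41 = 3 };
struct hit { size_t offset; int method; };

/* Method 01 (32-bit code): mov ebp,4243484Bh / mov ax,4 / int 3 */
static const uint8_t SIG_BCHK[] = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
/* Methods 05/06 (16-bit code): mov ax,4Fh / int 41h */
static const uint8_t SIG_INT41[] = { 0xB8,0x4F,0x00, 0xCD,0x41 };
/* Method 02 (16-bit code): mov si,4647h and mov di,4A4Dh around an int 3 */
static const uint8_t SIG_SI[] = { 0xBE,0x47,0x46 };
static const uint8_t SIG_DI[] = { 0xBF,0x4D,0x4A };

static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const uint8_t *sig, size_t siglen)
{
    return pos + siglen <= len && memcmp(buf + pos, sig, siglen) == 0;
}

/* Scans every byte offset (no disassembly needed) and reports hits in
 * file order; returns the number of hits stored (at most max_hits). */
size_t scan_anti_softice(const uint8_t *buf, size_t len,
                         struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        if (match_at(buf, len, i, SIG_BCHK, sizeof SIG_BCHK)) {
            hits[n++] = (struct hit){ i, HIT_BCHK };
        } else if (match_at(buf, len, i, SIG_INT41, sizeof SIG_INT41)) {
            hits[n++] = (struct hit){ i, HIT_INT41 };
        } else if (match_at(buf, len, i, SIG_SI, 3) || match_at(buf, len, i, SIG_DI, 3)) {
            /* Either magic value may come first: require the other one and
             * an int 3 (CCh) within the next 16 bytes to limit false hits. */
            const uint8_t *other = buf[i] == 0xBE ? SIG_DI : SIG_SI;
            int have_other = 0, have_int3 = 0;
            for (size_t j = i + 3; j < len && j < i + 16; j++) {
                if (match_at(buf, len, j, other, 3)) have_other = 1;
                if (buf[j] == 0xCC) have_int3 = 1;
            }
            if (have_other && have_int3)
                hits[n++] = (struct hit){ i, HIT_BACKDOOR };
        }
    }
    return n;
}

/* Constructed sample buffer: a 32-bit prologue with the Method 01 check,
 * then the Haspinst-style Method 02 sequence, then a Method 05 check. */
static const uint8_t SAMPLE[] = {
    0x55,0x8B,0xEC,0x90,                                     /* push ebp; mov ebp,esp; nop  */
    0xBD,0x4B,0x48,0x43,0x42,0x66,0xB8,0x04,0x00,0xCC,       /* Method 01 (offset 4)        */
    0x3C,0x04,0x75,0x10,0x90,0x90,0x90,                      /* cmp al,4; jnz; nops         */
    0xB8,0x11,0x09,0x8B,0x17,                                /* mov ax,911h; mov dx,[bx]    */
    0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC,                      /* Method 02 (offset 26)       */
    0x43,0x43,0x41,0x90,                                     /* inc bx; inc bx; inc cx; nop */
    0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3                  /* Method 05 (offset 37)       */
};

/* Runs the scanner over the constructed sample; expects 3 hits at 4, 26, 37. */
size_t scan_sample(struct hit *hits, size_t max_hits)
{
    return scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, max_hits);
}
```

Byte-level matching of this kind is cheap to run over a whole file but blind to the register-swapped or split-up variants a packer may use, so treat a hit as a pointer to where to look, not as proof.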
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>