<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet. It looks for
the BoundsChecker signature in SoftICE: with 'BCHK' in EBP and AX=04h, the
int 3 handler of SoftICE modifies AL, so AL still being 4 afterwards means
SoftICE is not there.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce command - the command string is at ds:dx)
        -AX = 0912h (Get breakpoint infos)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095  MOV AX,0911     ; execute command.
        4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV SI,4647     ; 1st magic value.
        4C19:009D  MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB 0095         ; 6 different commands.
        4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'). ES:DI is zeroed first and is only filled in if a
VxD with that ID is loaded, so a non-zero ES:DI afterwards means SoftICE.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily points the int 41h vector at
its own iret handler, so without a debugger the call comes back with ax
unchanged:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
magic value is used at all. A byte read from port 40h (the timer counter) is
left in al, cl is zeroed and int 41h is issued. If the installed handler is
reached it copies al into cl, so cl differing from al afterwards means
something else handled the interrupt.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with SoftICE Loader,
0x400 otherwise) or if some memory breakpoints are set (dr0 to dr3), simply
by reading their value (in ring0 only). The values can be manipulated or
changed as well (clearing BPMs for instance).

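Added example, not from the original text: a small DR7 decoder that makes the two values above readable. Under the documented x86 layout, 0x400 is just the always-set reserved bit 10 (no breakpoint at all) and 0x700 adds the LE and GE "exact breakpoint" enables; the per-register L/G, R/W and LEN fields say which of dr0-dr3 hold a BPM. The function names are mine.

```python
# Hypothetical helper (not from the page): split an x86 DR7 value into its
# documented fields so a dump of the debug registers can be read at a glance.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the DR7 control bits and the per-breakpoint settings for dr0..dr3."""
    bps = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)        # Li: enabled for this task
        glob = bool(dr7 >> (2 * i + 1) & 1)     # Gi: enabled for all tasks
        bps.append({
            "enabled": local or glob,
            "type": RW_TYPES[dr7 >> (16 + 4 * i) & 3],   # R/Wi field
            "len": LEN_BYTES[dr7 >> (18 + 4 * i) & 3],   # LENi field
        })
    return {
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: trap on mov DRx
        "bp": bps,
    }


def active_bpms(dr7: int) -> list:
    """Indexes (0..3) of the debug registers holding an enabled breakpoint."""
    return [i for i, bp in enumerate(decode_dr7(dr7)["bp"]) if bp["enabled"]]


def describe(dr7: int) -> str:
    """One-line summary in the terms used on this page."""
    d = decode_dr7(dr7)
    flags = [n for n in ("LE", "GE", "GD") if d[n]]
    return f"dr7={dr7:#x}: flags={flags or 'none'} active BPMs={active_bpms(dr7)}"


# The two values quoted above, plus a constructed one with a 4-byte write BPM in dr0.
if __name__ == "__main__":
    for v in (0x400, 0x700, 0x400 | 0x1 | (1 << 16) | (3 << 18)):
        print(describe(v))
```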
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x SoftICE
   driver is loaded. "\\\\.\\SICE" is the C spelling of \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
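As an added example (not part of the original text), here is a small Python scanner an analyst can run over a binary to flag the byte patterns of Methods 01-05, 07, 08, 11, 12 and 13 above, the static counterpart of the SoftICE breakpoints listed per method. The signatures are my own encoding of the instructions shown on this page, and the sample bytes are constructed, not taken from any real file.

```python
import re

# Byte signatures for the anti-SoftICE tricks on this page, encoded the way an
# x86 assembler emits them (hypothetical scanner, not code from the page):
#   B8/BB/BE/BF imm16 = mov ax/bx/si/di (66-prefixed in 32-bit code),
#   BD imm32 = mov ebp, CD xx = int xx, 3D imm16 = cmp ax, 68 imm32 = push.
# Methods 06, 09, 10 and 14 carry no fixed constant (06 compares a timer byte,
# the others are ring0 VMMCalls or register reads) and are left out on purpose.
F = re.DOTALL
SIGNATURES = [
    ("01 'BCHK' in ebp before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)", F)),
    ("02 back door magic values SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", F)),
    ("03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"(?:\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
                rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F", F)),
    ("05 int 41h followed by cmp ax,0F386h",
     re.compile(rb"\xCD\x41.{0,16}?\x3D\x86\xF3", F)),
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", F)),
    ("08 int 21h/25h re-vectoring int 01h or int 03h",
     re.compile(rb"(?:\xB4\x25.{0,4}?\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,4}?\xCD\x21", F)),
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", F)),
    ("12 VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00", F)),
    ("13 SoftICE registry key string",
     re.compile(rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
                F | re.IGNORECASE)),
]


def scan(blob: bytes):
    """Return sorted (offset, label) pairs for every signature found in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): NOP filler around 16-bit encodings of
# the Method 01, 02 and 05 sequences shown above plus the Method 11 device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"              # method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"              # method 05
    + b"\\\\.\\SICE\x00"                                        # method 11
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

A hit only says the constants are present; as Method 06 shows, a check built without a fixed magic value needs the dynamic breakpoints given per method rather than this kind of pattern match.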
</PRE></TD></TR></TBODY></TABLE>