About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE. If SoftICE is present,
its int 3 handler services the 'BCHK' request and AL no longer holds 4 on
return; without SoftICE the int 3 returns with AL untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed before the call, so it stays
0000:0000 when no VxD with that ID is loaded; a non-zero sum means the
VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Installing a temporary iret handler in
the vector table makes the call harmless when nothing else services int 41h
(ES must already be 0, the IVT segment, for the xchg lines):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
AL is loaded from the timer port (40h) instead of 4Fh, so a
'BPINT 41 if ax==4f' never fires, and the temporary handler copies AL into
CL. If nothing intercepts the interrupt the handler runs and CL==AL
afterwards; if a system debugger takes int 41h first, the handler is never
reached, CL stays 0 and the mismatch gives it away.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

8 u$ N' M- n  M0 ]/ K& Y$ BMethod 10/ c; O9 D9 R* T3 E
=========
4 x4 x% ^% X2 `( `* B  a; Z
9 k* O2 i" G. r+ T# ]=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
# m7 {8 Q8 m* |' V3 Y& l  SoftICE while the option is enable!!
( y9 C; j7 s' u$ r! H9 n! T( r" A1 x
This trick is very efficient:4 D! j* n/ q( n( p
by checking the Debug Registers, you can detect if SoftICE is loaded
3 t/ M' a6 x" ~/ P8 G(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 q1 ^+ q0 J+ R) M$ D
there are some memory breakpoints set (dr0 to dr3) simply by reading their
) V% v: O; L9 {7 `value (in ring0 only). Values can be manipulated and or changed as well+ \3 {" F% |  P
(clearing BPMs for instance)) G9 N$ Y8 l) l; g/ C* B, I
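Added example, not part of the original text: what a DR7 value actually tells a checker. It decodes the L0..L3/G0..G3 enable bits, the per-slot R/W and LEN fields, and the LE/GE bits (8 and 9) that account for the 0x700 vs 0x400 difference mentioned above (bit 10 is always set). The DR7 values in main() are constructed for illustration; reading the real register on x86 needs ring 0, exactly as the text says. The Windows branch uses GetThreadContext to read the current thread's copy of the debug registers, which is an assumption about a user-mode substitute and not something the text describes.

```c
/* Added example: decoding DR7 (not the original post's code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int      local;   /* Lx bit: breakpoint enabled for the current task      */
    int      global;  /* Gx bit: breakpoint enabled for all tasks             */
    unsigned rw;      /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    unsigned len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (64-bit only) */
} dr7_slot;

/* Decode breakpoint slot `slot` (0..3, i.e. DR0..DR3) from a DR7 value. */
dr7_slot dr7_decode_slot(uint64_t dr7, int slot)
{
    dr7_slot s;
    s.local  = (int)((dr7 >> (2 * slot))     & 1);
    s.global = (int)((dr7 >> (2 * slot + 1)) & 1);
    s.rw     = (unsigned)((dr7 >> (16 + 4 * slot)) & 3);
    s.len    = (unsigned)((dr7 >> (18 + 4 * slot)) & 3);
    return s;
}

/* Bit i of the result is set when DRi is armed (local or global enable). */
unsigned dr7_active_mask(uint64_t dr7)
{
    unsigned mask = 0;
    int i;
    for (i = 0; i < 4; i++) {
        dr7_slot s = dr7_decode_slot(dr7, i);
        if (s.local || s.global)
            mask |= 1u << i;
    }
    return mask;
}

/* The page's heuristic: the SoftICE loader leaves LE and GE (bits 8 and 9)
 * set, giving 0x700 instead of the bare, always-set bit 10 (0x400). */
int dr7_has_le_ge(uint64_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

const char *dr7_rw_name(unsigned rw)
{
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

#ifdef _WIN32
#include <windows.h>
/* Assumption: user-mode read of the current thread's debug registers. */
static uint64_t read_thread_dr7(void)
{
    CONTEXT ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx))
        return 0;
    return (uint64_t)ctx.Dr7;
}
#endif

int main(void)
{
    /* Constructed sample: loader-style 0x700 plus a 4-byte write breakpoint
     * in DR0 (L0 set, RW0 = 01, LEN0 = 11). */
    uint64_t dr7 = 0x700 | 0x1 | (1ULL << 16) | (3ULL << 18);
    unsigned mask;
    int i;
#ifdef _WIN32
    dr7 = read_thread_dr7();
#endif
    mask = dr7_active_mask(dr7);
    printf("DR7 = %#llx, LE/GE %s, active slots %#x\n",
           (unsigned long long)dr7, dr7_has_le_ge(dr7) ? "set" : "clear", mask);
    for (i = 0; i < 4; i++) {
        dr7_slot s = dr7_decode_slot(dr7, i);
        if (s.local || s.global)
            printf("  DR%d: %s, len field %u\n", i, dr7_rw_name(s.rw), s.len);
    }
    return 0;
}
```

A checker that only compares DR7 against 0x400 misses an armed breakpoint whose LE/GE bits are clear; testing the low byte (dr7_active_mask) catches any BPM regardless of how the debugger was loaded.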

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       // the handle is only needed for the test
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
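Added example, not the original post's or NuMega's code: the MeltICE probe over all three driver names the text lists (SICE, SIWVID, NTICE), with the CreateFileA call behind a function pointer so the decision logic can be run with a constructed opener on any platform. On Windows the opener is the same CreateFileA call as in the sample above. The second function, is_softice_device_name(), is the defender's side of the same check and mirrors the classic breakpoint condition *(esp->4+4)=='SICE': it skips the "\\.\" prefix and compares the next four bytes. The fake openers and their results are constructed for illustration.

```c
/* Added example: MeltICE probe and the matching BPX condition (not the
 * original post's code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns non-zero when `path` could be opened (the handle is closed again). */
typedef int (*open_device_fn)(const char *path);

static const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE",    /* SoftICE for Win9x         */
    "\\\\.\\SIWVID",  /* SoftICE video VxD (Win9x) */
    "\\\\.\\NTICE",   /* SoftICE for WinNT         */
};
#define SOFTICE_DEVICE_COUNT (sizeof SOFTICE_DEVICES / sizeof SOFTICE_DEVICES[0])

/* Try each driver name in turn; return the index of the first one that
 * opens, or -1 when none does (driver not loaded, or its names hidden). */
int softice_probe(open_device_fn open_device)
{
    size_t i;
    for (i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (open_device(SOFTICE_DEVICES[i]))
            return (int)i;
    return -1;
}

/* What "BPX CreateFileA if *(esp->4+4)=='SICE' || ..." tests: the four
 * bytes right after the "\\.\" device-namespace prefix of lpFileName. */
int is_softice_device_name(const char *path)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    size_t i;
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return 0;                 /* not a device-namespace path at all */
    path += 4;                    /* same offset as esp->4+4 in the BPX */
    for (i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (strncmp(path, tags[i], 4) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Real opener: the CreateFileA call the MeltICE sample uses. */
static int open_win32_device(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed openers so the logic can run without the driver present. */
static int open_fake_only_ntice(const char *path)
{
    return strcmp(path, "\\\\.\\NTICE") == 0;
}
static int open_fake_nothing(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    int hit = softice_probe(open_win32_device);
#else
    int hit = softice_probe(open_fake_only_ntice);   /* simulated positive */
#endif
    if (hit >= 0)
        printf("SoftICE detected via %s\n", SOFTICE_DEVICES[hit]);
    else
        printf("no SoftICE device opened\n");
    printf("with nothing openable: %d\n", softice_probe(open_fake_nothing));
    printf("would the classic BPX fire on \\\\.\\SIWVID? %d\n",
           is_softice_device_name("\\\\.\\SIWVID"));
    return 0;
}
```

The breakpoint condition only looks at the four bytes after the prefix, so it also fires on any other device whose name starts with SICE, SIWV or NTIC; a stricter hook would compare the whole name. It does not see the _lopen variant shown above unless a second breakpoint is set on that function.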

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' inside key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>