<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 if nothing answered the BoundsChecker query
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0 when no VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler (es must be 0, the IVT segment, as set up in Method 06)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our dummy handler leaves ax alone; only a debugger answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value read from the timer port
    xor cx,cx
    int 41h                 ; our handler copies al into cl if it gets control
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: something else handled int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

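Method 10 quotes the two DR7 values 0x700 and 0x400 without saying which bits they are. The decoder below is an added example, not part of the original text: the bit layout (L0..L3/G0..G3 enable bits, LE/GE at bits 8 and 9, the always-set bit 10 that gives the 0x400 baseline, GD at bit 13, R/W and LEN fields at bits 16-31) is the documented Intel DR7 layout, and the two labels for 0x700 and 0x400 follow the page's rule of thumb. It shows what a protection reading DR7 actually sees when a BPM is armed, and why clearing DR0-DR3 alone is not enough to look "clean".

```python
"""Decode the DR7 debug control register values quoted in Method 10.
Added example (not from the original page); bit layout per the Intel SDM."""
from typing import Dict, List

DR7_LE = 1 << 8         # local exact breakpoint enable (legacy flag)
DR7_GE = 1 << 9         # global exact breakpoint enable
DR7_RESERVED = 1 << 10  # architecturally reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13        # general detect: #DB on any MOV to/from a debug register

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # 0b10 = 8 bytes only in 64-bit mode (undefined in 32-bit)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its four breakpoint slots plus the global flags."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)      # L0..L3 live at even bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)   # G0..G3 live at odd bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11       # R/W field for slot i
        ln = (dr7 >> (18 + 4 * i)) & 0b11       # LEN field for slot i
        slots.append({"slot": i, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "armed": [s["slot"] for s in slots if s["enabled"]],
    }


def classify_dr7(dr7: int) -> str:
    """Map a DR7 value onto the page's reading of it (0x700 = SoftICE loader, 0x400 = nothing)."""
    d = decode_dr7(dr7)
    if d["gd"]:
        return "general detect set: something traps debug-register access"
    if d["armed"]:
        return "hardware breakpoints armed in slots " + ",".join(str(s) for s in d["armed"])
    if d["le"] and d["ge"]:
        return "no BPM, but LE/GE set (page: loaded through the SoftICE loader, 0x700)"
    return "clean baseline (page: 0x400)"


if __name__ == "__main__":
    # 0x400, 0x700, and 0x400 with a 4-byte write BPM armed in slot 0
    for value in (0x400, 0x700, 0x400 | 1 | (1 << 16) | (3 << 18)):
        print(f"dr7=0x{value:X}: {classify_dr7(value)}")
```

Note that the order of the checks matters: a set GD bit means any read of DR7 by the protection itself would already have trapped, so it is reported before the per-slot state.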
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds when the SICE VxD answers */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

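Every method above pins itself to a constant: 'BCHK' and ax=4 (01), SI/DI = 4647h/4A4Dh (02), the VxD IDs 0202h/7A5Fh behind int 2Fh (03/04), 0F386h after int 41h or int 68h (05/07/12), 2A002Ah for the VxDCall (12), the \\.\SICE device names (11) and the NuMega registry key (13). Those constants are what an analyst triaging a packed binary looks for before running anything. The scanner below is an added example, not part of the original text; SIGNATURES encodes the page's own instruction sequences as the bytes the assembler emits, anchored on the opcode that loads the constant, so a stray 86 F3 in a data section is not reported as a debugger check. SAMPLE is a constructed byte string that imitates a few of the sequences above, including a decoy.

```python
"""Static triage: flag the SoftICE-detection idioms quoted in Methods 01-13.
Added example, not from the original page; SAMPLE below is a constructed input."""
from typing import List, Tuple

# (label, pattern).  Code patterns are anchored on the opcode byte that loads the
# constant (mov r16,imm16 = B8+reg, mov ebp,imm32 = BD, cmp ax,imm16 = 3D,
# push imm32 = 68, int n = CD n), so the bare little-endian bytes of a magic
# value sitting in a data section are not reported.  A 66h operand-size prefix
# in 32-bit code precedes the opcode and does not disturb the match.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 01: mov ebp,4243484Bh ('BCHK' BoundsChecker query)", bytes.fromhex("BD 4B 48 43 42")),
    ("Method 02: mov si,4647h (back door magic)",                  bytes.fromhex("BE 47 46")),
    ("Method 02: mov di,4A4Dh (back door magic)",                  bytes.fromhex("BF 4D 4A")),
    ("Method 03: mov bx,0202h / int 2Fh (SICE VxD ID)",            bytes.fromhex("BB 02 02 CD 2F")),
    ("Method 04: mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",          bytes.fromhex("BB 5F 7A CD 2F")),
    ("Method 05: mov ax,4Fh / int 41h",                            bytes.fromhex("B8 4F 00 CD 41")),
    ("Method 05: cmp ax,0F386h (also Methods 07 and 12)",          bytes.fromhex("3D 86 F3")),
    ("Method 07: mov ah,43h / int 68h",                            bytes.fromhex("B4 43 CD 68")),
    ("Method 12: push 2A002Ah (VWIN32_Int41Dispatch)",             bytes.fromhex("68 2A 00 2A 00")),
    ("Method 11: device name \\\\.\\SICE",                         b"\\\\.\\SICE"),
    ("Method 11: device name \\\\.\\SIWVID",                       b"\\\\.\\SIWVID"),
    ("Method 11: device name \\\\.\\NTICE",                        b"\\\\.\\NTICE"),
    ("Method 13: registry key Software\\NuMega\\SoftICE",          b"Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every occurrence of every signature, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for label, pattern in SIGNATURES:
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, label))
            start = idx + 1          # overlapping matches are allowed
    return sorted(hits)


def methods_seen(blob: bytes) -> List[str]:
    """Collapse the hits to the page's method numbers, for a one-line verdict."""
    return sorted({label.split(":")[0] for _, label in scan(blob)})


# Constructed sample: a fake header, a Method 01 probe, a Method 02 back door call,
# a decoy (the magic bytes without the cmp opcode), a Method 05 check and two strings.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + bytes.fromhex("BD 4B 48 43 42  66 B8 04 00  CC  3C 04  75 10")   # Method 01
    + bytes.fromhex("B8 11 09  BE 47 46  BF 4D 4A  CC")               # Method 02
    + b"\x00\x86\xF3\x00"                                             # decoy, must not match
    + bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 08")               # Method 05
    + b"\\\\.\\SICE\x00"                                              # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                                # Method 13
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04X}  {label}")
    print("methods:", ", ".join(methods_seen(SAMPLE)))
```

The opcode anchoring is the interesting design choice: the same constants emitted as data (a lookup table of magic values, say) stay silent, and a hit therefore points at an instruction worth putting a breakpoint on, which is exactly the BPX style of verification the sections above use.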
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>