About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

) x' o' B7 D6 z2 x( F3 \% K& X  r! _. U& h0 B" o& I9 l3 `$ u9 b5 o
Method 03
2 N7 ^! {  G; n=========2 T: e/ H% G$ y, H* c3 @6 {
  L# {1 f! V4 |8 {% v. I# Z/ E
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
% h: f, y  Q1 A  Y' V$ g(API Get entry point)
: _# f0 a% O9 U. i          \( `- o8 B/ E) k2 m5 ^% c
; j2 N- M' i+ K& f! g) q
    xor     di,di
0 [% @/ S, l, ?. T% k* k! e; r    mov     es,di
4 V* W! e7 S/ l5 g    mov     ax, 1684h         r( d6 A6 J$ g- I2 Q
    mov     bx, 0202h       ; VxD ID of winice
4 r9 c2 k4 y  I0 m9 [' [    int     2Fh
5 g' f% p9 M, C  f# B; T+ q( E' J    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& X) E5 S+ W/ C; y5 g  h    add     ax, di, {7 I( M: p6 i% l/ M
    test    ax,ax
/ k8 U$ _1 j) R# _8 J8 C! r% U    jnz     SoftICE_Detected  T# S$ Q" n  }+ b% D0 D$ A- B, p

" E3 M/ Y0 \0 L% {4 b8 G- Z) d___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (see Method 06)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
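To show what Method 10 actually reads, here is an added Python decoder (not part of the original text) that splits a DR7 value into the fields the check above depends on, so an analyst can see why 0x700 and 0x400 differ and what a set BPM looks like before running a protected program. The bit layout is the documented x86 one; the sample values are constructed.

```python
# Added example: decode the x86 DR7 debug-control register as Method 10 reads it.
# Layout (x86 architecture manuals): bits 0-7 = L0,G0 .. L3,G3 enable bits,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (always reads 1), bit 13 = GD,
# bits 16-31 = R/W0,LEN0 .. R/W3,LEN3 (two bits each).

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the LE/GE/GD flags and a list of the enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue                      # slot i is switched off
        rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wi: what kind of access fires it
        ln = (dr7 >> (18 + 4 * i)) & 3    # LENi: how many bytes it covers
        slots.append({"slot": i, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": slots}


def what_method_10_sees(dr7):
    """Which of the text's two conditions a raw DR7 read would satisfy."""
    d = decode_dr7(dr7)
    reasons = []
    if d["LE"] and d["GE"]:
        reasons.append("LE+GE set (the dr7=0x700 pattern: started via SoftICE loader)")
    for bp in d["breakpoints"]:
        reasons.append("slot %d enabled: %s, %d byte(s) (a BPM to clear first)"
                       % (bp["slot"], bp["kind"], bp["length"]))
    return reasons or ["nothing: dr7 looks like 0x400 (only the reserved bit)"]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real machine.
    for v in (0x400, 0x700, 0x00010401, 0x00F00408):
        print("dr7=%#010x" % v, what_method_10_sees(v))
```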


Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
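The following Python scanner is an added example, not from the original text: it turns the instruction sequences of Methods 01 to 07 and 12, the driver device names of Method 11 (MeltICE) and the registry key of Method 13 into byte signatures, so an analyst triaging a sample can list which of these anti-SoftICE checks it carries before running it under a debugger. Encodings are the 16-bit instruction forms with an optional 66h prefix for 32-bit code; the sample buffer is constructed from the sequences shown on this page.

```python
import re

# Added example: byte signatures for the tricks described above.  Encodings are
# the 16-bit instruction forms; "\x66?" admits the operand-size prefix the same
# instructions carry in 32-bit code.  ".{0,8}?" tolerates a few instructions
# between the anchor points (e.g. the MOV DX,[BX] inside the Haspinst loop).
SIGNATURES = {
    "Method 01: MOV EBP,'BCHK' ... INT 3":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "Method 02: SoftICE back door (MOV SI,4647h / MOV DI,4A4Dh / INT 3)":
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC",
    "Method 03/04: INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "Method 05: MOV AX,4Fh / INT 41h":
        rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41",
    "Method 05/07/12: CMP AX,0F386h (system debugger magic)":
        rb"\x66?\x3D\x86\xF3",
    "Method 07: MOV AH,43h / INT 68h":
        rb"\xB4\x43.{0,4}?\xCD\x68",
    "Method 11 (MeltICE): SoftICE driver device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "Method 13: SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return sorted (offset, description) pairs for every signature hit in data."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: NOP padding around the Method 01 sequence, the Haspinst
# loop body from Method 02, the simplest Method 05 check, and the strings that
# MeltICE-style code (Method 11) and the registry check (Method 13) embed.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 10")       # Method 01
    + b"\x90" * 4
    + bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC  83 C3 02")   # Method 02
    + b"\x90" * 4
    + bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 04")                    # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                                   # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                                     # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```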


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.

6 ]6 r, y$ S! j</PRE></TD></TR></TBODY></TABLE>