<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with a dummy handler around the call, so that a hooked vector does not
change the result:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(The function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps.)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025            ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
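The breakpoints above catch these tricks at run time. An analyst triaging a packed
or protected sample usually wants to know which of the checks it carries before
loading it at all. The following scanner is an added example (not code from the
original text or from any of the tools it mentions): it searches a file image for
the byte sequences that the listings of methods 01, 02, 03/04, 05, 07, 11 and 12
assemble to. The encodings are derived from the instructions shown on this page
(16-bit operand forms; the 32-bit versions carry a 66h prefix in front of the same
bytes) and the sample blob is constructed for the demonstration. The signatures
are fixed-immediate heuristics: code that computes the magic values at run time
or uses a different register/encoding will not match.

```python
"""Static scanner for the SoftICE-detection idioms described above.

Added example; signatures are derived from the assembly listings on this page,
the sample buffer is constructed for the demonstration.
"""
from dataclasses import dataclass

# name -> byte pattern. Each entry is the encoding of the listed instructions.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    "M01 BoundsChecker 'BCHK' int 3 check": b"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si, 4647h / mov di, 4A4Dh (back-door magic values)
    "M02 int 3 back door (SI=4647h, DI=4A4Dh)": b"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax, 1684h / mov bx, <VxD id> before int 2Fh
    "M03 int 2Fh/1684h SICE VxD id 0202h": b"\xB8\x84\x16\xBB\x02\x02",
    "M04 int 2Fh/1684h SIWVID VxD id 7A5Fh": b"\xB8\x84\x16\xBB\x5F\x7A",
    # Method 05: mov ax, 4Fh / int 41h
    "M05 int 41h/4Fh debugger check": b"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah, 43h / int 68h
    "M07 int 68h/43h check": b"\xB4\x43\xCD\x68",
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch service selector)
    "M12 VxDCall VWIN32_Int41Dispatch": b"\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): ANSI device names opened via CreateFileA / _lopen.
    # The Python literal b"\\\\.\\SICE" is the 8 bytes  \\.\SICE  in the file.
    "M11 MeltICE device name \\\\.\\SICE": b"\\\\.\\SICE",
    "M11 MeltICE device name \\\\.\\SIWVID": b"\\\\.\\SIWVID",
    "M11 MeltICE device name \\\\.\\NTICE": b"\\\\.\\NTICE",
}


@dataclass(frozen=True)
class Hit:
    offset: int
    name: str


def scan(data: bytes) -> list[Hit]:
    """Return every signature occurrence in data, ordered by file offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append(Hit(pos, name))
            start = pos + 1  # keep going: the same trick may appear twice
    return sorted(hits, key=lambda h: (h.offset, h.name))


def methods_found(data: bytes) -> set[str]:
    """Just the method numbers ('M01', 'M11', ...) present in data."""
    return {hit.name.split()[0] for hit in scan(data)}


# Constructed sample: NOP padding around a 32-bit Method 01 stub, the
# Haspinst-style Method 02 loop body, two MeltICE device names and the
# Method 12 VxDCall arguments. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                # Method 12
    + b"\x90" * 8
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:08x}  {hit.name}")
```

Run it against a real file with `scan(open(path, "rb").read())`; a hit list that
is empty only means none of these fixed encodings is present, not that the
sample is free of anti-debugging checks (registry lookups as in method 13, or
ring0 debug-register reads as in method 10, leave no such byte pattern).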

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>