<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface built into SoftICE: an int 3 issued with
EBP='BCHK' and AX=4 is intercepted by SoftICE, which modifies AL; without
SoftICE the registers come back untouched and AL still holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 03h handler) when the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0:0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh, is called (the Windows
debugger installation check).
There are several variants. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next one, as well as the one in Method 06, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler that just returns, so that without a system
debugger AX is guaranteed to come back unchanged; SoftICE intercepts the
interrupt before the vector is reached and still returns 0F386h:

        xor ax, ax
        mov es, ax              ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

The second variant, similar to the preceding one but harder to spot: no
function number is passed at all, the test only checks whether the freshly
installed int 41h handler is actually reached. The handler copies AL into
CL; AL is loaded from the timer port, so it is usually non-zero. If the
handler does not run (the debugger handles the interrupt itself), CL stays
0 and differs from AL:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: an arbitrary value in AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler for int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (DR0 to DR3), simply by
reading their value (in ring 0 only). The values can also be manipulated or
changed (clearing BPMs for instance).
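The two DR7 readings quoted above, 0x700 and 0x400, are bit fields. The following Python helper is an added example (not code from the original text or from SoftICE) that decodes a DR7 value into its breakpoint slots and flags, builds the value a debugger writes to arm a BPM, and applies the counter-measure the text mentions (clearing the BPMs). Reading DR7 itself still needs ring 0 (mov eax, dr7); the script only interprets a value already obtained. The function names are mine, and debugger_hint() assumes the text's observation that LE/GE are the flags the SoftICE loader leaves set.

```python
# Added example, not part of the original text: decode/rebuild x86 DR7 values.
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3   local/global enable of DR0..DR3
#   bit 8, 9   LE, GE   exact data breakpoint enable (legacy 386/486 flags)
#   bit 10     reserved, always reads as 1 -> the 0x400 present in every value
#   bit 13     GD       general detect: trap on any MOV to/from a DRx
#   bits 16+   per slot i: R/Wi at 16+4i (2 bits), LENi at 18+4i (2 bits)

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b (8 bytes) is 64-bit mode only
DR7_RESERVED_BIT10 = 0x400
DR7_LE, DR7_GE, DR7_GD = 0x100, 0x200, 0x2000


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the global flags of a DR7 value."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i,
                      "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw],
                      "length": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "LE": bool(dr7 & DR7_LE),
            "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD)}


def arm_bpm(dr7: int, slot: int, kind: str, length: int, global_scope: bool = False) -> int:
    """What a debugger writes to DR7 to set a memory breakpoint in slot 0..3
    (the linear address itself goes into DR0..DR3 and is not modelled here)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot))               # drop the slot's old condition
    dr7 |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    dr7 |= 1 << (2 * slot + (1 if global_scope else 0))
    return dr7 | DR7_RESERVED_BIT10


def clear_bpm(dr7: int) -> int:
    """The counter-measure mentioned in the text: disarm all four slots
    (enable bits and condition fields); keep the reserved bit and LE/GE/GD."""
    return (dr7 & ~0xFFFF00FF) | DR7_RESERVED_BIT10


def debugger_hint(dr7: int) -> str:
    """Assumed reading of the text's observation: LE/GE set <=> the program was
    started under the SoftICE loader; armed slots <=> BPMs are set."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed"
    if d["LE"] or d["GE"]:
        return "exact-breakpoint flags set: loaded under a system debugger"
    return "nothing suspicious"


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values quoted in the text; the third is a
    # constructed DR7 with a 4-byte write BPM armed in slot 0 (= 0xD0401).
    for value in (0x400, 0x700, arm_bpm(0x400, 0, "write", 4)):
        print(hex(value), decode_dr7(value), "->", debugger_hint(value))
```

Note that 0x400 decodes to nothing but the reserved bit, which is why a "clean" DR7 is never 0; a protection that compares DR7 against 0 instead of masking bit 10 will always believe a debugger is present.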

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open succeeds only when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE VxD answers the open request, i.e. when
   SoftICE for Win9x is loaded. The same code with "\\\\.\\SIWVID" or
   "\\\\.\\NTICE" checks the other two drivers. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* release the handle, the driver is there */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074: je 00401091          ; not loaded


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || \
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but is very limited because it is only available on Win95/98 (not
NT), as it uses the VxDCall backdoor. This detection was found in the Bleem
demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the two offsets are where 'tICE' falls in
the subkey string of keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
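The conditional breakpoints quoted for MeltICE (Method 11: *(esp->4+4)=='SICE' ...) and for the registry check just above (*(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE') both rely on hand-computed string offsets. The following Python script is an added example (not code from the original text) that reproduces those compares on the exact strings the two APIs receive, so the offsets 4, 0x13 and 0x37 and the 4-character constants can be verified instead of trusted, and derives the term for a key the quoted breakpoint does not cover (key #3). The sample strings are constructed from the document; the function names are mine. It assumes SoftICE's *(p)=='ABCD' compares the 4 bytes at p with the characters in the order written.

```python
# Added example, not part of the original text: the string tests behind the
# SoftICE conditional breakpoints for MeltICE (Method 11) and the registry
# check (Method 13), reproduced on the strings the hooked APIs receive.

DEVICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")      # CreateFileA lpFileName
REG_SUBKEYS = (                                                   # RegOpenKey lpSubKey
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",       # key #1
    r"Software\NuMega\SoftICE",                                           # key #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # key #3
)


def tag_offset(s: str, tag: str) -> int:
    """Byte offset of the first occurrence of the 4-char tag in s, -1 if absent."""
    return s.encode("ascii").find(tag.encode("ascii"))


def matches_at(s: str, offset: int, tag: str) -> bool:
    """Mimic `*(ptr+offset)=='TAG'`: compare the 4 bytes at offset with the tag."""
    return s.encode("ascii")[offset:offset + 4] == tag.encode("ascii")


def tag_as_dword(tag: str) -> int:
    """The little-endian dword the CPU actually reads for a 4-char tag."""
    return int.from_bytes(tag.encode("ascii"), "little")


def bpx_createfile_hits(filename: str) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is lpFileName; +4 skips the 4-byte device prefix before the driver name."""
    return any(matches_at(filename, 4, t) for t in ("SICE", "SIWV", "NTIC"))


def bpx_regopenkey_hits(subkey: str) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 0x13 and 0x37 are where 'tICE' falls in key #2 and key #1."""
    return matches_at(subkey, 0x13, "tICE") or matches_at(subkey, 0x37, "tICE")


def condition_for(subkey: str, tag: str, base: str = "esp->8") -> str:
    """Derive the breakpoint term for any other key/tag, e.g. key #3 (Loader32.Exe),
    which the quoted breakpoint does not catch."""
    off = tag_offset(subkey, tag)
    if off < 0:
        raise ValueError(f"{tag!r} not found in {subkey!r}")
    return f"*({base}+0x{off:x})=='{tag}'"


if __name__ == "__main__":
    for name in DEVICE_NAMES:
        print(name, "->", bpx_createfile_hits(name))
    for key in REG_SUBKEYS:
        print(key, "->", bpx_regopenkey_hits(key))
    print(condition_for(REG_SUBKEYS[2], "Load"))     # *(esp->8+0x34)=='Load'
    print(hex(tag_as_dword("SICE")))                  # what 'SICE' is as a dword
```

Running it shows that key #3 is missed by the quoted breakpoint, and condition_for() gives the term to OR in for it.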

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>