<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
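The interrupt-based checks of Methods 01, 02, 05 and 07 each boil down to a short, fixed instruction sequence, which makes them easy to find statically when triaging a packed binary. The following scanner is an added example written for this page in Python (not code from the original text or from any of the tools it names): the byte signatures are the plain x86 encodings of the instructions shown above (16-bit code for 02/05/07, 32-bit code for 01), the names SIGNATURES, scan and backdoor_function are the example's own, and the sample buffer is constructed to contain one hit of each kind.

```python
import re

# Added example: static scanner for the SoftICE checks of Methods 01, 02, 05, 07.
# Byte sequences are the standard x86 encodings of the instructions in the text.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3, up to 8 bytes in between
    "M01 BoundsChecker 'BCHK' int 3 check":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (SoftICE back door)
    "M02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh debugger check":
        re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h WinICE check":
        re.compile(rb"\xB4\x43\xCD\x68"),
}

# Back-door sub-functions as listed in Method 02.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute SIce command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}


def backdoor_function(blob: bytes, at: int, window: int = 16) -> str:
    """Look back from a Method 02 hit for the nearest 'mov ax,09xxh' (B8 xx 09)
    and name the sub-function it selects."""
    func = None
    for m in re.finditer(rb"\xB8([\x10-\x14])\x09", blob[max(0, at - window):at]):
        func = 0x0900 | m.group(1)[0]          # keep the last (nearest) one
    if func is None:
        return "no mov ax,09xxh within lookback window"
    return f"{BACKDOOR_FUNCS[func]} (AX={func:04X}h)"


def scan(blob: bytes):
    """Return [(offset, label, detail), ...] for every signature hit, by offset."""
    hits = []
    for label, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            detail = backdoor_function(blob, m.start()) if label.startswith("M02") else ""
            hits.append((m.start(), label, detail))
    return sorted(hits)


# Constructed sample (not a real file): filler, the Haspinst-style sequence of
# Method 02, the simplest Method 05 check, then a Method 01 handshake.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                               # mov ax,0911h
    + b"\x8B\x17"                                   # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"               # mov si / mov di / int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41"                       # mov ax,4Fh / int 41h
    + b"\x90" * 2
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, label, detail in scan(SAMPLE):
        print(f"{off:#06x}  {label}  {detail}")
```

Run it on a raw code section rather than a whole PE file to keep false positives down; the lookback for the Method 02 sub-function is deliberately short because, as in the Haspinst listing, the mov ax sits only a few instructions before the int 3.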
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
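The two DR7 values quoted above differ only in bits 8 and 9 (LE and GE), and a BPM shows up as an enable bit plus a type/length field for one of DR0-DR3. The decoder below is an added example for this page, written in Python and not taken from the original text: it applies the standard x86 DR7 bit layout to a value read elsewhere (the text notes that reading the register itself needs ring0; here it is just a number from a dump or VM state). The function names decode_dr7, loader_signature and has_memory_breakpoints and the constructed test values are the example's own.

```python
# Added example: decode DR7 so the 0x700 / 0x400 states named in the text and
# any armed hardware breakpoints (BPMs) become readable. Bit positions follow
# the standard x86 DR7 layout; the text itself gives only the two totals.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is the 64-bit-only encoding


def decode_dr7(dr7: int) -> dict:
    """Return enabled DR0-DR3 slots with scope/type/length plus the global
    flags LE (bit 8), GE (bit 9), reserved bit 10 and GD (bit 13)."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 at even bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 at odd bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wn field
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENn field
            slots.append({"reg": f"DR{i}",
                          "scope": "global" if glob else "local",
                          "type": RW_TYPES[rw],
                          "length": LENGTHS[ln]})
    return {
        "breakpoints": slots,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
    }


def loader_signature(dr7: int) -> bool:
    """True when DR7 carries the LE|GE pattern the text attributes to a program
    started through the SoftICE loader (0x700 rather than the bare 0x400)."""
    return (dr7 & 0x300) == 0x300


def has_memory_breakpoints(dr7: int) -> bool:
    """True if any of DR0-DR3 is enabled, i.e. a BPM is set."""
    return bool(decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # Constructed values: the two from the text, and one with a 4-byte
    # read/write BPM armed in DR0 (L0=1, RW0=11b, LEN0=11b) -> 0xF0401.
    for value in (0x700, 0x400, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(f"DR7={value:#x}: loader={loader_signature(value)} "
              f"bpm={has_memory_breakpoints(value)} {decode_dr7(value)}")
```

Bit 10 is always set on real hardware, which is why neither quoted value is zero; a protection that only compares DR7 against 0x400 will therefore misfire on any system that has LE/GE enabled for another reason, which is worth remembering when reading such checks.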

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>