<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' signature
        mov ax, 04h
        int 3                   ; AL is modified when SoftICE handles the request
        cmp al,4
        jnz SoftICE_Detected    ; AL still 4 -> nobody answered

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(the "Get VxD API entry point" function):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES must already point to the interrupt vector table (ES = 0), see method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]         ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h              ; our handler leaves AX alone; a debugger answers F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                   ; copy AL so the caller can tell we were reached
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                   ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]         ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; read the timer: an unpredictable value in AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                   ; CL == AL only if our handler really ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = segment of the routine)
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Open the Win9x SoftICE VxD by its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open only succeeds when the VxD is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
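The register set-ups and interrupts of methods 01 to 07, 11 and 12 above leave fixed byte sequences in a binary, so an analyst can triage which of these tricks a DOS/Win9x sample carries before running it. The scanner below is an added example, not code from the original text; it assumes the 16-bit x86 encodings (with an optional 66h prefix for the 32-bit form of the mov's), and the sample buffer is constructed by hand.

```python
import re
import sys

# Byte patterns for the tricks described in methods 01-07, 11 and 12.
# Encodings are the 16-bit x86 forms; the optional 66h prefix also covers
# the 32-bit form of the mov's. Short gaps (.{0,n}?) tolerate a few
# instructions between the register set-up and the interrupt.
PATTERNS = {
    "01 int 3 with 'BCHK' in EBP":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F",
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,12}?\xCD\x41",
    "07 int 68h function 43h":
        rb"\xB4\x43.{0,4}?\xCD\x68",
    "11 SoftICE driver name (MeltICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch, function 4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(data):
    """Return a sorted list of (offset, description) for every pattern hit."""
    hits = []
    for desc, pat in PATTERNS.items():
        for m in re.finditer(pat, data, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of methods 01, 02, 03, 05, 12
# and the MeltICE device name, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # method 12
    + b"\\\\.\\SICE\x00"                                          # method 11
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, desc in scan(data):
        print(f"{offset:08X}  method {desc}")
```

Packed or encrypted code only shows these sequences once unpacked, so run the scanner on a memory dump as well as on the file; a hit is a triage lead to confirm with the breakpoints given for each method, not proof by itself.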

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>