<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is in ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
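
The two int 41h tricks of methods 05 and 06 both hinge on one question: does
the 'int 41h' reach the handler the program just placed in the interrupt vector
table, or is it answered first by a resident system debugger? The Python model
below is an added illustration for this text, not code from the original
author or from Stone's archive. Machine, Regs and the helper names are mine,
and it assumes that a resident debugger services int 41h itself and never
chains to the program's IVT entry. It also shows the blind spot of method 06:
when the byte read from port 40h happens to be zero, cl equals al even when
the handler never ran.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Toy model (constructed for this page, not real DOS code) of the mechanism
# behind methods 05 and 06. Assumption: a resident debugger services int 41h
# itself and never chains to the IVT entry the program installed.

@dataclass
class Regs:
    ax: int = 0
    cx: int = 0

Handler = Callable[[Regs], None]

@dataclass
class Machine:
    debugger_resident: bool
    ivt: Dict[int, Handler] = field(default_factory=dict)

    def int_call(self, vector: int, r: Regs) -> None:
        if self.debugger_resident and vector == 0x41:
            if (r.ax & 0xFF) == 0x4F:      # function 4Fh: "is a debugger present?"
                r.ax = 0xF386              # the magic answer of system debuggers
            return                          # the program's own handler never runs
        handler = self.ivt.get(vector)
        if handler is not None:
            handler(r)

def call_with_temporary_handler(m: Machine, handler: Handler, r: Regs) -> None:
    """The xchg / int 41h / xchg dance: install handler, call, restore the vector."""
    saved: Optional[Handler] = m.ivt.get(0x41)
    m.ivt[0x41] = handler
    m.int_call(0x41, r)
    if saved is None:
        del m.ivt[0x41]
    else:
        m.ivt[0x41] = saved

def method05_stone(m: Machine) -> bool:
    """int41handler2 is a bare iret: without a debugger ax keeps 4Fh,
    with one it comes back as 0F386h."""
    r = Regs(ax=0x4F)
    call_with_temporary_handler(m, lambda regs: None, r)
    return r.ax == 0xF386

def method06(m: Machine, timer_byte: int) -> bool:
    """int41handler copies al into cl; timer_byte stands in for 'in al,40h'.
    Detection means cl != al afterwards, i.e. our handler did not run."""
    def copy_al_to_cl(regs: Regs) -> None:
        regs.cx = (regs.cx & 0xFF00) | (regs.ax & 0xFF)
    r = Regs(ax=timer_byte & 0xFF, cx=0)
    call_with_temporary_handler(m, copy_al_to_cl, r)
    return (r.cx & 0xFF) != (r.ax & 0xFF)

if __name__ == "__main__":
    for resident in (False, True):
        m = Machine(debugger_resident=resident)
        print(f"debugger resident={resident}: method05={method05_stone(m)}, "
              f"method06(al=5Ah)={method06(m, 0x5A)}, method06(al=00h)={method06(m, 0x00)}")
```

Method 06 is harder to spot than method 05 because no 0F386h constant is ever
compared: the only evidence is a vector swap around an int 41h whose argument is
a timer reading, which is why the page's breakpoint suggestions for method 05
(BPINT 41 if ax==4f) do not apply to it.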

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
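
To see what the two dr7 values above actually encode, here is an added DR7
decoder (not part of the original text). The bit layout is the documented one
from the Intel manuals; the names decode_dr7, classify_dr7 and describe_slots
are mine, and the reading of 0x400 versus 0x700 in classify_dr7 is the page's
claim about the SoftICE loader, not something the layout itself guarantees.
0x400 is just reserved bit 10, which always reads as 1; 0x700 adds the LE and
GE 'exact breakpoint' bits; any L/G bit in the low byte means a hardware
breakpoint (a BPM) is armed in the corresponding DR0..DR3 slot.

```python
from dataclasses import dataclass
from typing import Dict, List

# Bit layout of DR7 (Intel SDM vol. 3, "Debug Registers"):
#   bit 2n   Ln  local enable of DRn      bit 8   LE  local exact breakpoint
#   bit 2n+1 Gn  global enable of DRn     bit 9   GE  global exact breakpoint
#   bit 10   reserved, always reads 1    bit 13  GD  general detect
#   bits 16+4n,17+4n  R/Wn (type)        bits 18+4n,19+4n  LENn (size)
RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 0b10 means 8 bytes on 64-bit CPUs only

@dataclass
class Slot:
    index: int        # DR0..DR3
    local: bool       # Ln
    global_: bool     # Gn
    access: str
    length: int

def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its four breakpoint slots and global flags."""
    slots: List[Slot] = []
    for n in range(4):
        slots.append(Slot(
            index=n,
            local=bool((dr7 >> (2 * n)) & 1),
            global_=bool((dr7 >> (2 * n + 1)) & 1),
            access=RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            length=LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        ))
    return {
        "slots": slots,
        "active": [s.index for s in slots if s.local or s.global_],
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
    }

def classify_dr7(dr7: int) -> str:
    """Reading of a DR7 value along the lines of the page's method 10.
    The 0x400/0x700 interpretation is the page's claim about the SoftICE
    loader; the bit layout only says which bits are set."""
    d = decode_dr7(dr7)
    if d["active"]:
        armed = ", ".join(f"DR{i}" for i in d["active"])
        return f"hardware breakpoints armed on {armed}"
    if d["LE"] and d["GE"]:
        return "no breakpoints, LE/GE set (the 0x700 pattern the page attributes to the SoftICE loader)"
    return "no breakpoints, debug registers idle (the 0x400 baseline: only reserved bit 10 set)"

def describe_slots(dr7: int) -> List[str]:
    """One line per enabled slot, e.g. 'DR0: local write breakpoint, 4 byte(s)'."""
    out = []
    for s in decode_dr7(dr7)["slots"]:
        if s.local or s.global_:
            scope = "global" if s.global_ else "local"
            out.append(f"DR{s.index}: {scope} {s.access} breakpoint, {s.length} byte(s)")
    return out

if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 local, write access, 4-byte length.
    for v in (0x400, 0x700, 0xD0401):
        print(f"DR7={v:#x}: {classify_dr7(v)}")
        for line in describe_slots(v):
            print("   ", line)
```

Because bit 10 is always set, a program that tests dr7 for exactly zero will
never see it; the checks this method describes compare against 0x400 and 0x700
or mask the low byte, which is what the decoder above makes explicit.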
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the open succeeded, so the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

0 h* `- r3 P5 r5 x% r9 PMethod 12. z4 A! {3 D/ g- n3 N
=========
2 m C$ X4 d7 J" W- T% X
" M: K8 H+ S) I; BThis trick is similar to int41h/4fh Debugger installation check (code 05
. |6 u" c/ X, m8 r1 S7 Z1 S* P, J& 06) but very limited because it's only available for Win95/98 (not NT), v' D6 R" ? ^9 _, S# P5 H
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! `# P( m, a4 ^+ H+ t; C" B' @2 I6 I& j
push 0000004fh ; function 4fh
. G8 ]: Q% a$ A, d push 002a002ah ; high word specifies which VxD (VWIN32)
0 i- G9 ?$ m9 X( I ; low word specifies which service
' O8 G M+ [1 W% t* g" _ (VWIN32_Int41Dispatch)
% u" m: Y1 j) w% ^1 e9 z call Kernel32!ORD_001 ; VxdCall& Q0 Y6 T, z1 D1 m- K. B1 q' x
cmp ax, 0f386h ; magic number returned by system debuggers
9 M( y% }3 k v# M) n( g- A, g jz SoftICE_detected/ e; ]- S7 v V# }( E9 D- Q
" z8 ^2 E7 I7 M4 i; u( |Here again, several ways to detect it:
1 O5 {# T2 e4 u: a( L, \8 m+ [# j/ U8 j& Y
BPINT 41 if ax==4f
7 \0 S" F2 U, l1 @
- U M! F: C8 t5 _ A BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
/ m4 B. H) r8 o1 H v, E4 t5 u
2 j" R `/ H% y4 ` BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A* O3 k W' a' N& g
R2 f- _. |% R8 G7 l
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ n3 K) ^& S! Y1 p8 j1 W6 Y% i3 G# x! e/ ?. ]
__________________________________________________________________________" q3 P& `- Q8 L- ?! c
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
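
The breakpoints listed for methods 01 to 13 only work while the program runs
under SoftICE. When you just want to know which of these checks a file carries
before running it, the same magic values can be scanned for statically: the
'BCHK' immediate of method 01, the SI/DI pair of method 02, the int 2Fh/1684h
calls with VxD IDs 0202h and 7A5Fh (methods 03 and 04), the int 41h/4Fh and
int 68h/43h calls (05 and 07), the VxDCall pushes of method 12, the driver
names of method 11 and the registry keys of method 13. The scanner below is an
added example written for this text, not code from the original author; the
byte encodings are the standard ones for the code size noted in each comment
(a 0x66 prefix appears in the other size, which is why the patterns key on
opcode plus immediate with a little slack between instructions), and the sample
buffer is constructed here. Method 06 is left out on purpose: it compares no
constant, so there is nothing distinctive to match.

```python
import re
from typing import List, Tuple

# Byte-level signatures for the checks described on this page.
OPCODE_SIGNATURES = {
    # Method 01 (32-bit): mov ebp,'BCHK' = BD 4B 48 43 42 .. int 3 = CC .. cmp al,4 = 3C 04
    "01 BoundsChecker BCHK int 3": rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC.{0,8}\x3C\x04",
    # Method 02 (16-bit): mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A
    "02 int 3 back door SI=4647h DI=4A4Dh": rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A",
    # Method 03 (16-bit): mov ax,1684h = B8 84 16 ; mov bx,0202h = BB 02 02 ; int 2Fh = CD 2F
    "03 int 2Fh/1684h VxD ID 0202h": rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F",
    # Method 04 (16-bit): same with mov bx,7A5Fh = BB 5F 7A
    "04 int 2Fh/1684h VxD ID 7A5Fh": rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F",
    # Method 05 (16-bit): mov ax,4Fh = B8 4F 00 ; int 41h = CD 41 ; cmp ax,0F386h = 3D 86 F3
    "05 int 41h/4Fh magic F386h": rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,16}\x3D\x86\xF3",
    # Method 07 (16-bit): mov ah,43h = B4 43 ; int 68h = CD 68
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 12 (32-bit): push 4Fh = 6A 4F (or 68 4F 00 00 00) ; push 2A002Ah = 68 2A 00 2A 00
    "12 VxDCall VWIN32_Int41Dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# Methods 11 and 13 leave plain strings behind: the driver names MeltICE opens
# with CreateFileA/_lopen and the registry keys listed under method 13.
DEVICE_NAMES = (b"SICE", b"SIWVID", b"NTICE")
REGISTRY_KEYS = (b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe")
STRING_SIGNATURES = {
    "11 MeltICE device name": b"|".join(re.escape(b"\\\\.\\" + n) for n in DEVICE_NAMES),
    "13 SoftICE registry key": b"|".join(re.escape(k) for k in REGISTRY_KEYS),
}

COMPILED = (
    [(name, re.compile(p, re.DOTALL)) for name, p in OPCODE_SIGNATURES.items()]
    + [(name, re.compile(p, re.IGNORECASE)) for name, p in STRING_SIGNATURES.items()]
)

def scan(data: bytes) -> List[Tuple[int, str]]:
    """Every (offset, signature name) hit in data, lowest offset first."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

def methods_used(data: bytes) -> List[str]:
    """Distinct signature names found, e.g. to tag a sample in a report."""
    return sorted({name for _, name in scan(data)})

# Constructed sample: NOP padding with a few of the page's sequences embedded.
PAD = b"\x90" * 16
SAMPLE = (
    PAD + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                        # method 02
    + PAD + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # method 03 (xor di,di; mov es,di; ...)
    + PAD + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"           # method 05 (.. jz rel8)
    + PAD + b"\\\\.\\SICE\x00"                                     # method 11 string
    + PAD + b"Software\\NuMega\\SoftICE\x00"                       # method 13 string
    + PAD
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Each hit is a lead, not a verdict: the same immediates occur in legitimate
code (the BoundsChecker sequence of method 01 is, after all, BoundsChecker's own
protocol), so the offsets are meant to be checked in a disassembler before a
file is labelled as carrying an anti-SoftICE check.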

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>