About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
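As an added illustration (it is not part of the original post, nor code from the HASP or SoftICE authors), the Python decoder below recognises this back-door calling convention in raw 16-bit code: it follows the last immediate loaded into AX, SI and DI before each INT 3 and, when SI/DI carry 4647h/4A4Dh, reports which back-door function AX selects. The byte string HASPINST_LOOP is constructed here by hand-assembling the listing above (the JMP 0002 is assumed to be the 3-byte near form, which is what the addresses imply); PLAIN_INT3 is the Method 01 style call without the magic values and must not be reported.

```python
import struct

# Back-door function numbers carried in AX (as listed in the text above).
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}
MAGIC_SI = 0x4647   # 'FG'
MAGIC_DI = 0x4A4D   # 'JM'

# 16-bit opcodes the decoder understands: B8/BE/BF imm16 = mov ax/si/di, imm16 ; CC = int 3.
MOV_IMM16 = {0xB8: "ax", 0xBE: "si", 0xBF: "di"}


def decode_backdoor_calls(code: bytes, base: int = 0) -> list:
    """Return one record per INT 3 in `code` that is issued with the SoftICE
    magic values in SI and DI.

    This is a narrow heuristic decoder, not a disassembler: it only tracks
    the three 'mov reg16, imm16' forms and CC, stepping one byte past any
    other opcode. Registers are forgotten after each INT 3 so that a value
    left over from an earlier call is not attributed to a later one."""
    regs = {"ax": None, "si": None, "di": None}
    findings = []
    i = 0
    while i < len(code):
        op = code[i]
        if op in MOV_IMM16 and i + 2 < len(code):
            regs[MOV_IMM16[op]] = struct.unpack_from("<H", code, i + 1)[0]
            i += 3
        elif op == 0xCC:
            if regs["si"] == MAGIC_SI and regs["di"] == MAGIC_DI:
                findings.append({
                    "offset": base + i,
                    "ax": regs["ax"],
                    "function": BACKDOOR_FUNCS.get(regs["ax"], "unknown back-door function"),
                })
            regs = {"ax": None, "si": None, "di": None}
            i += 1
        else:
            i += 1
    return findings


# Constructed sample: the Haspinst.exe loop from the listing above, hand-assembled.
HASPINST_LOOP = bytes([
    0xB8, 0x11, 0x09,        # 0095  mov ax,0911
    0x8B, 0x17,              # 0098  mov dx,[bx]
    0xBE, 0x47, 0x46,        # 009A  mov si,4647
    0xBF, 0x4D, 0x4A,        # 009D  mov di,4A4D
    0xCC,                    # 00A0  int 3
    0x83, 0xC3, 0x02,        # 00A1  add bx,02
    0x41,                    # 00A4  inc cx
    0x83, 0xF9, 0x06,        # 00A5  cmp cx,06
    0x72, 0xEB,              # 00A8  jb 0095
    0xE9, 0x55, 0xFF,        # 00AA  jmp 0002 (near form, assumed from the addresses)
    0x8B, 0xDC,              # 00AD  mov bx,sp
])

# Constructed: a plain INT 3 without the magic values (Method 01 style).
PLAIN_INT3 = bytes([0xB8, 0x04, 0x00, 0xCC])

if __name__ == "__main__":
    for hit in decode_backdoor_calls(HASPINST_LOOP, base=0x95):
        print(f"{hit['offset']:04X}: AX={hit['ax']:04X} -> {hit['function']}")
```

Run on the constructed loop with base=0x95 it reports a single call at 00A0 selecting function 0911h (execute command), which is exactly the instruction the listing marks as the INT call; the loop body itself is not repeated in the bytes, so the six iterations show up as one site.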
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install a dummy int 41h handler (es assumed = 0,
    xchg    bx, es:[41h*4+2]    ; the IVT segment, as set explicitly in Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; with no debugger present, int 41h simply returns
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; record AL as it arrives in our handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our int 41h handler, saving the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; AL = low byte of the PIT counter (varies each run)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old handler
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; if nothing intercepted int 41h, CL == AL
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
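The two DR7 values quoted above can be read off the register's bit layout. The Python decoder below is added here (it is not part of the original post) and splits a DR7 value into its fields, so that 0x400 (only the always-set reserved bit 10) and 0x700 (bit 10 plus the LE and GE exact-match flags) can be told apart, and lists any enabled DR0-DR3 breakpoints with their type and length. Python cannot read the register itself; the function works on a value captured by ring-0 code, and the sample values are constructed.

```python
# Bit layout of DR7 (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per breakpoint)
#   bits 8/9   : LE/GE (exact breakpoint match; ignored by P6 and later CPUs, still writable)
#   bit  10    : reserved, always reads as 1
#   bit  13    : GD (general detect: trap any access to the debug registers)
#   bits 16-31 : R/W0,LEN0 ... R/W3,LEN3, two bits each
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 is 8 bytes in 64-bit mode, undefined on 32-bit


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control flags and the enabled breakpoints."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n, "local": bool(local), "global": bool(glob),
            "type": RW_TYPES[rw], "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": breakpoints,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The fingerprint from the text: the SoftICE loader leaves LE and GE set
    (0x700), whereas a normally started program sees only the reserved bit
    (0x400). Anything else that sets LE/GE would match too, so this is a hint,
    not proof."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


# Constructed sample values: the two quoted by the text, plus a DR7 with one
# global 4-byte write breakpoint in slot 1 (G1 = bit 3, R/W1 = 01, LEN1 = 11).
SAMPLE_LOADER = 0x700
SAMPLE_NORMAL = 0x400
SAMPLE_BPM = 0x400 | (1 << 3) | (0b01 << 20) | (0b11 << 22)   # 0x00D00408

if __name__ == "__main__":
    for v in (SAMPLE_NORMAL, SAMPLE_LOADER, SAMPLE_BPM):
        print(f"dr7={v:#010x}: {decode_dr7(v)} loader-hint={looks_like_softice_loader(v)}")
```

For SAMPLE_BPM the decoder reports one global write breakpoint of length 4 in slot 1, which is the shape a BPM set from SoftICE would leave behind; the enable bits are what a check like Method 10 reads, and clearing them is what "clearing BPMs" above refers to.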

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name exposed by the Win9x SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
; q. p5 K# d/ b5 \- ~7 O# S' `1 @! L! p5 d0 |" O9 L' f
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
5 w4 C. {  `. b0 Y2 O" y
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
& G  s' k1 F( m9 Q" Z0 @3 q4 ~! {! x
   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
7 S* x8 i- K5 E" h2 Y$ c- A7 F. Q' @
Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

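Several of the tricks above leave fixed byte sequences or strings in the protected binary: the 'BCHK' constant of Method 01, the int 2Fh/1684h query with the SICE/SIWVID VxD IDs (Methods 03/04), the int 41h/4Fh check (Method 05), the int 68h/43h check (Method 07), the device names MeltICE opens (Method 11), the VxDCall arguments of Method 12 and the registry paths of Method 13. The Python scanner below is added here (it is not part of the original post, nor of any tool the post names) and looks for those patterns in a file so that an analyst can triage a sample before stepping through it. The opcode sequences are hand-assembled from the listings above; the wildcard gaps are an assumption about how many unrelated bytes a compiler might leave between the key instructions, and SAMPLE is a constructed blob carrying five of the signatures at known offsets.

```python
import re
import sys

DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")


def _device_name_pattern(encoding: str) -> bytes:
    """Regex for a SoftICE device name (prefix \\\\.\\ plus one of DEVICE_NAMES)."""
    prefix = re.escape("\\\\.\\".encode(encoding))
    names = b"|".join(re.escape(n.encode(encoding)) for n in DEVICE_NAMES)
    return prefix + b"(?:" + names + b")"


# (method number in the text, what the bytes are, regex over raw bytes).
# Opcode bytes follow the listings above; ".{0,n}?" gaps are an assumption
# allowing a few unrelated bytes between the key instructions.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker/SoftICE int 3 interface)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xB8\x84\x16.{0,4}?\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00.{0,6}?\xCD\x41"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler check)",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("11", "SoftICE device name (MeltICE-style CreateFileA/_lopen)",
     _device_name_pattern("ascii")),
    ("11", "SoftICE device name, UTF-16LE (CreateFileW)",
     _device_name_pattern("utf-16-le")),
    ("12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry path",
     rb"(?i)Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
# DOTALL so the wildcard gaps match any byte; case folding is limited to the
# string signature via its inline (?i), so opcode bytes stay exact.
COMPILED = [(m, what, re.compile(p, re.DOTALL)) for m, what, p in SIGNATURES]


def scan_for_softice_checks(data: bytes) -> list:
    """Return every signature hit in data as {offset, method, what}, sorted by offset."""
    hits = []
    for method, what, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append({"offset": m.start(), "method": method, "what": what})
    hits.sort(key=lambda h: (h["offset"], h["method"]))
    return hits


# Constructed sample "binary": filler plus five of the signatures at known offsets.
SAMPLE = (
    b"MZ" + b"\x00" * 14                                   # 0x00 fake header
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"              # 0x10 Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x90" * 4                                          # 0x19 padding
    + b"\x66\xB8\x4F\x00\xCD\x41"                          # 0x1D Method 05 in 32-bit code (66 prefix)
    + b"\x90" * 4                                          # 0x23 padding
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # 0x27 Method 03: xor di,di / mov es,di / ...
    + b"\\\\.\\SICE\x00"                                   # 0x33 Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                     # 0x3C Method 13 registry key
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan_for_softice_checks(data):
        print(f"{h['offset']:08x}  method {h['method']:<5} {h['what']}")
```

Pass a file path to scan a real sample, or run it without arguments to scan SAMPLE. A hit is a reason to look at that offset, not proof: 'SICE' can occur in ordinary data and an int 41h call may be a legitimate debugger interface, so each hit should be confirmed in a disassembler, and the back-door INT 3 form of Method 02 is better handled by a register-tracking decoder than by a byte pattern.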
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
( H0 b' C6 ]) f  q" ~; W2 a7 _3 v: M
Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
: U& z3 U& j9 k0 t$ S% N2 s. ?
   VMMCall Test_Debug_Installed
   je      not_installed
( ]' k) R  O, @; J# m0 ?
This service just checks a flag.