About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE recognises the BoundsChecker call...
    cmp     al,4                   ; ...and changes AL; an untouched AL=4 means no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh: get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh: get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (interrupt vector table), as
    xchg    bx, es:[41h*4+2]        ; set explicitly in Method 06; DX:BX keeps the old vector
    mov     ax,4fh
    int     41h                     ; only a debugger trapping below the IVT can now answer
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: leaves AX untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only reached if nothing intercepted the int above us
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value from the timer chip
    xor     cx,cx
    int     41h                 ; AL is not 4Fh, so this is not the documented check
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL != AL: our handler never ran, int 41h was intercepted
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; 01h (single step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine  ; DS:DX -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
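As an added illustration (not part of the original text), here is a Python decoder for the DR7 values this method reads; it assumes dr7 and dr0..dr3 have already been sampled from ring 0 and are passed in as plain integers, and it expresses the 'clearing BPMs' manipulation as a bit operation.

```python
# Added example, not from the original text: decode a sampled DR7 the way the
# Method 10 check reasons about it. Assumes dr7 and dr0..dr3 were already read
# from ring 0 and are passed in as plain integers.
# Bit layout (Intel SDM vol. 3, "Debug Registers"): L0/G0..L3/G3 in bits 0..7,
# LE bit 8, GE bit 9, bit 10 always reads 1, GD bit 13,
# R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the LE/GE/GD flags and the armed breakpoint slots of a DR7 value."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                    # slot n is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"reg": f"dr{n}", "global": bool(glob),
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "slots": slots}


def assess(dr7, dr0_3):
    """Apply the Method 10 reasoning to (dr7, (dr0, dr1, dr2, dr3)).

    0x700 = bit 10 | GE | LE is what the text reports after a start from the
    SoftICE loader; 0x400 = bit 10 alone is a process with no DR activity.
    Returns (started_from_softice_loader, [(reg, address, kind, len), ...])
    where the list holds every armed hardware breakpoint (BPM)."""
    d = decode_dr7(dr7)
    from_loader = d["le"] and d["ge"]
    bpms = [(s["reg"], dr0_3[int(s["reg"][2])], s["kind"], s["len"])
            for s in d["slots"]]
    return from_loader, bpms


def clear_bpm_slots(dr7):
    """The 'clearing BPMs' manipulation from the text as a bit operation:
    drop every L/G enable bit and every R/W and LEN field, keep bits 8..15."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xF0701, 0x500408):
        print(hex(value), assess(value, (0x401000, 0x402000, 0, 0)))
```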

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE (SoftICE for Win9x) VxD lets a handle be opened. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver is loaded: release the handle */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
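Because the byte sequences and strings behind methods 01, 02, 03/04, 05, 07, 11, 12 and 13 are fixed, an analyst can triage a sample for them statically; the following Python scanner is an added example, not part of the original text, and runs on a constructed buffer rather than a real binary (the signature list, the helper names and the sample bytes are this example's own assumptions).

```python
# Added example (not from the original text): static triage of a binary for the
# fixed byte sequences the methods above rely on. Encodings are little-endian
# x86; 16-bit forms are listed since most samples in the text are DOS/Win16.
import re

SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' in EBP before int 3",
     [rb"\xbd\x4b\x48\x43\x42"]),                       # mov ebp,4243484Bh
    ("02", "SoftICE int 3 back door magic SI=4647h/DI=4A4Dh",
     [rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a",              # mov si,4647h..mov di,4A4Dh
      rb"\xbf\x4d\x4a.{0,8}?\xbe\x47\x46"]),            # same pair, other order
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     [rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"]),
    ("05", "int 41h function 4Fh debugger check",
     [rb"\xb8\x4f\x00.{0,16}?\xcd\x41"]),               # mov ax,4Fh .. int 41h
    ("07", "int 68h function 43h (V86) debugger check",
     [rb"\xb4\x43\xcd\x68"]),                           # mov ah,43h ; int 68h
    ("11", "MeltICE driver name passed to CreateFile/_lopen",
     [rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"]),          # "\\.\SICE" etc., NUL-ended
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     [rb"\x6a\x4f\x68\x2a\x00\x2a\x00"]),               # push 4Fh ; push 2A002Ah
    ("13", "SoftICE registry key",
     [rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"]),
]


def scan(blob):
    """Return sorted (offset, method, description) for every signature hit."""
    hits = set()
    for method, what, patterns in SIGNATURES:
        for pat in patterns:
            for m in re.finditer(pat, blob, re.DOTALL):
                hits.add((m.start(), method, what))
    return sorted(hits)


# Constructed sample, not a real file: NOPs, then the sequences from the text as
# an assembler would emit them, plus two decoys (a lone int 3 and the bare word
# "SICE") that must not trigger.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # Method 02 (Haspinst)
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"          # Method 04 (SIWVID)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"                  # Method 05
    + b"\xcc" + b"SICE is a word\x00"                              # decoys
    + b"\\\\.\\NTICE\x00"                                          # Method 11
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                              # Method 12
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)


def scan_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    for offset, method, what in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<5} {what}")
```

A hit only says the sequence is present; confirm it in a disassembler, since short immediates can also occur by chance in data.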

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set if no debugger is present
   je      not_installed

This service just checks a flag.