About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' : BoundsChecker magic in EBP
    mov     ax, 04h                ; sub-function 4
    int     3                      ; SoftICE intercepts the int 3 and answers it
    cmp     al,4                   ; with SoftICE loaded, AL is no longer 4
    jnz     SoftICE_Detected       ; AL still 4 = no SoftICE

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"):

    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h               ; get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di                   ; ES:DI = 0000:0000 before the call
    mov     ax, 1684h               ; get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; a system debugger answers 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler (offset)
    xchg    bx, es:[41h*4+2]        ; ... and segment; old vector saved in BX:DX
    mov     ax,4fh
    int     41h                     ; SoftICE intercepts int 41h before the IVT
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX untouched (4Fh)
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: no debugger = AX unchanged
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = low byte of PIT counter 0 (a pseudo-random value)
    xor     cx,cx                   ; CL = 0
    int     41h                     ; no debugger: our handler runs and CL = AL
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; SoftICE swallowed the int: CL is still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h                  ; function 43h
    int     68h
    cmp     ax,0F386h               ; same magic number as int 41h/4Fh
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h (single-step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine   ; DS:DX -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open succeeded: the VxD is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
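Added example (my own code, not part of the original post and not taken from SoftICE, MeltICE or any packer named above): a small C signature scanner that finds the byte patterns of the checks from Methods 01, 02, 03, 04, 05, 07, 11 and 12 in a raw code buffer, so you know where to put a BPX or a patch before the stub gets to run. The opcode encodings are assumed to be the 16-bit forms the text shows (mov si,4647h = BE 47 46, mov ax,4Fh ; int 41h = B8 4F 00 CD 41, and so on) plus the 32-bit push 002A002Ah of Method 12; the function and signature names (scan_anti_sice, sample_stub, "M05 int41/4F", ...) are mine, and the sample buffer is constructed here, not taken from any real binary. A packer that picks other registers or encodings will not match, so a miss means "not found", never "clean".

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One byte signature and the trick it belongs to. */
typedef struct {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
} sig_t;

typedef struct {
    const char *name;
    size_t      offset;
} hit_t;

/* Assumed encodings: 16-bit DOS forms for the int 2Fh/41h/68h checks, 32-bit push for VxDCall. */
static const uint8_t p_bchk[]    = { 0x4B, 0x48, 0x43, 0x42 };             /* imm32 4243484Bh 'BCHK' (Method 01) */
static const uint8_t p_magic[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }; /* mov si,4647h ; mov di,4A4Dh (Method 02) */
static const uint8_t p_sice[]    = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };       /* mov bx,0202h ; int 2Fh (Method 03) */
static const uint8_t p_siwvid[]  = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };       /* mov bx,7A5Fh ; int 2Fh (Method 04) */
static const uint8_t p_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };       /* mov ax,4Fh ; int 41h (Method 05) */
static const uint8_t p_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };             /* mov ah,43h ; int 68h (Method 07) */
static const uint8_t p_vxdcall[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* push 002A002Ah (Method 12) */
static const uint8_t p_f386[]    = { 0x3D, 0x86, 0xF3 };                   /* cmp ax,0F386h (Methods 05/07/12) */
static const uint8_t p_dev_sice[]   = "\\\\.\\SICE";                       /* MeltICE device names (Method 11) */
static const uint8_t p_dev_siwvid[] = "\\\\.\\SIWVID";
static const uint8_t p_dev_ntice[]  = "\\\\.\\NTICE";

static const sig_t sigs[] = {
    { "M01 BCHK",           p_bchk,       sizeof p_bchk },
    { "M02 backdoor magic", p_magic,      sizeof p_magic },
    { "M03 int2F SICE",     p_sice,       sizeof p_sice },
    { "M04 int2F SIWVID",   p_siwvid,     sizeof p_siwvid },
    { "M05 int41/4F",       p_int41,      sizeof p_int41 },
    { "M07 int68/43",       p_int68,      sizeof p_int68 },
    { "M12 VxDCall 2A002A", p_vxdcall,    sizeof p_vxdcall },
    { "cmp ax,0F386h",      p_f386,       sizeof p_f386 },
    { "M11 \\\\.\\SICE",    p_dev_sice,   sizeof p_dev_sice - 1 },   /* -1: drop the NUL */
    { "M11 \\\\.\\SIWVID",  p_dev_siwvid, sizeof p_dev_siwvid - 1 },
    { "M11 \\\\.\\NTICE",   p_dev_ntice,  sizeof p_dev_ntice - 1 },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Scan buf for every signature; fills up to max_hits entries and returns the
   total number of matches (which may exceed max_hits). */
size_t scan_anti_sice(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const sig_t *sg = &sigs[s];
        if (sg->len == 0 || sg->len > len) continue;
        for (size_t off = 0; off + sg->len <= len; off++) {
            if (memcmp(buf + off, sg->pat, sg->len) == 0) {
                if (n < max_hits) { hits[n].name = sg->name; hits[n].offset = off; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample stub (not from any real binary): harmless bytes around three checks. */
static const uint8_t sample_stub[] = {
    0x90, 0x90,                                   /* nop ; nop                              */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                 /* mov ax,4Fh ; int 41h        (Method 05) */
    0x3D, 0x86, 0xF3,                             /* cmp ax,0F386h                           */
    0x74, 0x10,                                   /* jz  SoftICE_detected                    */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,           /* mov si,4647h ; mov di,4A4Dh (Method 02) */
    0xCC,                                         /* int 3                                   */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0, /* "\\.\SICE"                  (Method 11) */
    0xC3                                          /* ret                                     */
};

size_t sample_hit_count(void)
{
    hit_t hits[32];
    return scan_anti_sice(sample_stub, sizeof sample_stub, hits, 32);
}

int sample_has(const char *name)
{
    hit_t hits[32];
    size_t n = scan_anti_sice(sample_stub, sizeof sample_stub, hits, 32);
    if (n > 32) n = 32;
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, name) == 0) return 1;
    return 0;
}

int main(void)
{
    hit_t hits[32];
    size_t n = scan_anti_sice(sample_stub, sizeof sample_stub, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("%-20s at offset 0x%02zx\n", hits[i].name, hits[i].offset);
    return 0;
}
```

On the constructed stub this reports four hits: the int 41h/4Fh call, the cmp ax,0F386h that follows it, the SI/DI magic pair of the int 3 back door, and the "\\.\SICE" device name. Run it over the unpacked code section (after the decryptor has done its work, or on a memory dump) rather than the packed file, since most of these stubs are themselves encrypted on disk.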
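Added example for Method 10 (my own code, not from the post): a decoder for the DR7 values the text quotes. Reading DR0-DR7 takes ring 0 (mov eax,dr7 in a VxD or driver), so the functions here take the register values as arguments, for instance as captured by a driver or from a VM snapshot; the bit layout follows the Intel SDM (volume 3, "Debug Registers"), the function names (decode_debug_regs, dr7_with_bpm, dr7_clear_bpms, ...) are mine, and the sample values are the two DR7 states the text names plus one constructed BPM. Note that 0x400 is simply bit 10, which is reserved and always reads as 1, so it is the "nothing set" value; 0x700 adds LE and GE (exact breakpoint enables), which is what the text attributes to the SoftICE loader.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
   bit 2n     Ln  local enable for DRn     bit 2n+1  Gn  global enable for DRn
   bit 8      LE  local exact breakpoints  bit 9     GE  global exact breakpoints
   bit 10     reserved, always reads as 1  bit 13    GD  general detect
   bits 16+4n..17+4n  R/Wn  00 exec, 01 write, 10 I/O, 11 read/write
   bits 18+4n..19+4n  LENn  00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8 bytes, 64-bit only) */
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSVD (1u << 10)
#define DR7_GD   (1u << 13)

typedef struct {
    int      enabled;    /* Ln or Gn set: a BPM is armed on this slot */
    unsigned rw;         /* R/Wn field */
    unsigned len_bytes;  /* LENn decoded to bytes, 0 when the slot is not armed */
    uint32_t addr;       /* linear address held in DRn */
} bpm_slot_t;

typedef struct {
    bpm_slot_t slot[4];
    int active;          /* number of armed slots */
    int exact;           /* LE or GE set: the extra bits in the 0x700 the text quotes */
    int general_detect;  /* GD set: accesses to DRx themselves trap to the debugger */
} debug_regs_t;

debug_regs_t decode_debug_regs(uint32_t dr0, uint32_t dr1, uint32_t dr2,
                               uint32_t dr3, uint32_t dr7)
{
    static const unsigned len_tab[4] = { 1, 2, 8, 4 };
    const uint32_t addr[4] = { dr0, dr1, dr2, dr3 };
    debug_regs_t r;
    memset(&r, 0, sizeof r);
    for (int n = 0; n < 4; n++) {
        bpm_slot_t *s = &r.slot[n];
        s->enabled   = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
        s->rw        = (dr7 >> (16 + 4 * n)) & 3u;
        s->len_bytes = s->enabled ? len_tab[(dr7 >> (18 + 4 * n)) & 3u] : 0;
        s->addr      = addr[n];
        r.active    += s->enabled;
    }
    r.exact          = (dr7 & (DR7_LE | DR7_GE)) ? 1 : 0;
    r.general_detect = (dr7 & DR7_GD) ? 1 : 0;
    return r;
}

/* The two questions the text asks of DR7: are BPMs set, and does it look loader-set? */
int dr7_bpm_count(uint32_t dr7)        { return decode_debug_regs(0, 0, 0, 0, dr7).active; }
int dr7_loader_signature(uint32_t dr7) { return decode_debug_regs(0, 0, 0, 0, dr7).exact; }

unsigned dr7_bpm_len(uint32_t dr7, int n)
{
    debug_regs_t r = decode_debug_regs(0, 0, 0, 0, dr7);
    return r.slot[n].len_bytes;
}

/* DR7 after arming a BPM on slot n: rw 1 = write, 3 = read/write; len 1, 2 or 4 bytes. */
uint32_t dr7_with_bpm(uint32_t dr7, int n, unsigned rw, unsigned len_bytes)
{
    unsigned len_field = (len_bytes == 4) ? 3u : (len_bytes == 2) ? 1u : 0u;
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear R/Wn and LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= len_field << (18 + 4 * n);
    dr7 |= 1u << (2 * n);                    /* Ln: local enable */
    return dr7 | DR7_RSVD;
}

/* The "clearing BPMs" manipulation the text mentions: drop every enable and R/W-LEN field. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return (dr7 & ~0xFFFF00FFu) | DR7_RSVD;
}

static void show(const char *label, uint32_t dr0, uint32_t dr7)
{
    debug_regs_t r = decode_debug_regs(dr0, 0, 0, 0, dr7);
    printf("%-26s dr7=%08x BPMs=%d LE/GE=%d GD=%d", label, dr7, r.active, r.exact, r.general_detect);
    if (r.slot[0].enabled)
        printf("  DR0=%08x rw=%u len=%u", r.slot[0].addr, r.slot[0].rw, r.slot[0].len_bytes);
    printf("\n");
}

int main(void)
{
    /* constructed values: the two DR7 states quoted in Method 10, then one with a BPM armed */
    show("plain Windows",             0,        0x400);
    show("loaded via SoftICE loader", 0,        0x700);
    uint32_t armed = dr7_with_bpm(0x700, 0, 3, 4);   /* like BPM 401000 RW (4 bytes) */
    show("with a BPM on DR0",         0x401000, armed);
    show("after clearing BPMs",       0x401000, dr7_clear_bpms(armed));
    return 0;
}
```

The warning at the top of Method 10 follows directly from dr7_clear_bpms: a protection that writes DR7 back without the Ln/Gn and R/W-LEN fields silently disarms every BPM you had set, and if it writes a value with GD (bit 13) set, the next mov from a debug register faults into the debugger instead.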