<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature in SoftICE: with
ebp='BCHK' and ax=4, SoftICE answers the int 3 by modifying al, so al no
longer being 4 afterwards reveals it.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): if the VxD is loaded, the call returns a non-zero
entry point in ES:DI.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program installs its own (empty)
int 41h handler in the interrupt vector table before the call, so that the
magic number can only come from a debugger sitting in front of it:

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
installed handler copies AL (a value just read from timer port 40h) into
CL. If the program's own handler ran, CL equals AL; if SoftICE intercepted
int 41h instead, CL stays at zero.


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and
ds:dx points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name "\\.\SICE" only opens if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
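The tricks above all leave recognisable instruction sequences or strings in
the protected binary (the 'BCHK' constant of method 01, the SI/DI magic
values of method 02, the int 41h/4Fh and 0F386h compare of methods 05, 06, 07
and 12, the device names of method 11, the registry key of method 13). The
following scanner is an added example written for this page, not code from
the article or from any packer; it encodes those listings as byte
signatures (standard x86 encodings, 16-bit code unless noted, assumed rather
than taken from a real sample) so that an analyst triaging a packed program
can list where such anti-debugging checks sit. The sample buffer is
constructed inline. A byte scan is only a first pass: a packer may compute
the constants at run time or interleave the instructions, so a miss is not a
clean bill of health.

```python
import re

# Signature table for the tricks described in the article. Each entry is
# (article method, description, regex over raw bytes). Byte values are the
# standard x86 encodings of the snippets in the text (assumption: the
# protected code uses exactly those instruction forms).
RULES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker interface, 32-bit code)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)",
     rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD entry point)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05/06", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("05/06/07/12", "cmp ax,0F386h (system debugger magic number, 16- or 32-bit)",
     rb"(?:\x66)?\x3D\x86\xF3"),
    ("07", "mov ah,43h / int 68h (WinICE V86 handler)",
     rb"\xB4\x43\xCD\x68"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("11", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13", r"Software\NuMega\SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]

COMPILED = [(method, desc, re.compile(pattern)) for method, desc, pattern in RULES]


def scan(data: bytes):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def report(data: bytes):
    """One human-readable line per hit, for a quick triage listing."""
    return ["%08X  method %-11s %s" % hit for hit in scan(data)]


# Constructed sample buffer (not a real binary): padding around a back door
# call in the style of the Haspinst.exe listing, the int 41h/4Fh check, and
# the MeltICE device name and registry key strings.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x00" * 8
    # mov ax,4Fh / int 41h / cmp ax,0F386h / jz +10h
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against a real file with `scan(open(path, "rb").read())`; each hit gives
the file offset to inspect in a disassembler, which is where the BPX
conditions listed in the article then come in.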
</PRE></TD></TR></TBODY></TABLE>