About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE driver answers to its device name,
   i.e. when the Win9x SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )   /* the open only succeeds if the VxD is present */
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
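The fourteen methods above are all written from the protector's side. As an added example (my own code, not part of the original post or of any tool it names), here is a static scanner in Python that looks for the byte-level footprints of the tricks that have a fixed encoding: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h probes with the SICE and SIWVID VxD IDs (03/04), int 41h/4Fh and int 68h/43h followed by the 0F386h compare (05/07), the MeltICE device names (11), the VWIN32_Int41Dispatch VxDCall (12) and the NuMega registry key (13). The instruction encodings are the standard 16-bit x86 forms with an optional 66h prefix for 32-bit code; the sample image is constructed for the demonstration, and the small byte windows allowed between instructions are an assumption about how tightly packers lay these sequences out.

```python
"""Static scanner for the byte footprints of the anti-SoftICE tricks above."""
import re
import sys
from typing import List, Tuple

# (method number from the text, description, byte-level regex).
# Lazy windows (.{0,N}?) tolerate a few unrelated bytes between instructions;
# \x66? allows the operand-size prefix used when the same code is 32-bit.
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,4243484Bh ('BCHK') ... int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    ("02", "back-door magic values: mov si,4647h ; mov di,4A4Dh (either order)",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A\x66?\xBE\x47\x46")),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD id)",
     re.compile(rb"(?:\xB8\x84\x16.{0,8}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xB8\x84\x16)"
                rb".{0,8}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD id)",
     re.compile(rb"(?:\xB8\x84\x16.{0,8}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xB8\x84\x16)"
                rb".{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "mov ax,4Fh ; int 41h ; cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,12}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("07", "mov ah,43h ; int 68h ; cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("11", "MeltICE device name \\\\.\\SICE / SIWVID / NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (method, offset) for every signature hit, ordered by offset."""
    hits = []
    for method, _desc, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((method, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def methods_found(data: bytes) -> List[str]:
    """Distinct method numbers present in the image, sorted."""
    return sorted({method for method, _ in scan(data)})


def build_sample() -> bytes:
    """Constructed test image (assumption: not taken from any real packer)
    that embeds one instance of most signatures, separated by NOP filler."""
    nops = b"\x90" * 4
    return b"".join([
        b"MZ" + b"\x00" * 14,                                       # fake header
        b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04", nops,  # Method 01 (32-bit)
        b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03", nops,      # Method 02
        b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F", nops,                  # Method 03
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3", nops,                  # Method 05
        b"\xB4\x43\xCD\x68\x3D\x86\xF3", nops,                      # Method 07
        b"\\\\.\\SICE\x00", nops,                                   # Method 11
        b"\x6A\x4F\x68\x2A\x00\x2A\x00", nops,                      # Method 12
        b"Software\\NuMega\\SoftICE\x00",                           # Method 13
    ])


def report(data: bytes) -> str:
    """Human-readable listing of hits with the description of each method."""
    desc = {method: text for method, text, _ in SIGNATURES}
    lines = [f"{offset:08X}  Method {method}: {desc[method]}" for method, offset in scan(data)]
    return "\n".join(lines) if lines else "no known anti-SoftICE signature found"


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(report(image))
```

Run it as `python scanner.py packed.exe`; with no argument it scans the constructed sample. A hit only says the bytes are present, so confirm each one in the disassembler. Methods 06, 08, 09, 10 and 14 have no fixed byte sequence (a hooked vector, a VMMCall, a debug-register read) and are not covered.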
汶上信息港 ( 鲁ICP备19052200号-1 ) | Powered by Discuz! X3.5