<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; SoftICE answers the BoundsChecker query by changing al
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di ; es:di = 0:0 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; still 0 if no VxD answered
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs ; es must point to the IVT (es = 0) here, as in Method 06
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler, old vector kept in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler simply copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, old vector kept in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable byte read from the timer chip
 xor cx,cx
 int 41h ; if our handler ran, cl == al afterwards
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected ; int 41h was swallowed by a debugger

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
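
Added example (mine, not code from the original text): a C decoder for the DR7 bits
that explains the 0x700 / 0x400 values above and counts the armed DR0..DR3 slots.
It only decodes a value you pass in; reading DR7 itself stays ring0-only, as the text says.

```c
/* Decoder for the x86 DR7 debug-control register. Pure bit decoding, no
 * privileged instructions, so it runs on any host. Bit layout (Intel SDM):
 * Ln/Gn at bits 2n/2n+1, LE bit 8, GE bit 9, reserved bit 10 (reads 1),
 * GD bit 13, R/Wn at bits 16+4n..17+4n, LENn at bits 18+4n..19+4n. */

typedef struct {
    int local[4];    /* L0..L3 : local enable for DRn                   */
    int global[4];   /* G0..G3 : global enable for DRn                  */
    int le, ge;      /* local / global exact breakpoint enable          */
    int gd;          /* general detect: trap on any access to DR0..DR7  */
    unsigned rw[4];  /* R/Wn   : 0=exec, 1=write, 2=I/O, 3=read/write   */
    unsigned len[4]; /* LENn   : 0=1 byte, 1=2 bytes, 2=8 (x86-64), 3=4 */
} dr7_t;

dr7_t decode_dr7(unsigned dr7) {
    dr7_t d = {{0}};
    int i;
    for (i = 0; i < 4; i++) {
        d.local[i]  = (dr7 >> (2 * i))      & 1;
        d.global[i] = (dr7 >> (2 * i + 1))  & 1;
        d.rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8)  & 1;
    d.ge = (dr7 >> 9)  & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots enabled locally or globally: the "memory
 * breakpoints set" case of the text. */
int armed_breakpoints(unsigned dr7) {
    dr7_t d = decode_dr7(dr7);
    int i, n = 0;
    for (i = 0; i < 4; i++)
        n += (d.local[i] || d.global[i]);
    return n;
}

/* Condition type (R/Wn field, 0..3 as in the struct comment) of slot n. */
unsigned breakpoint_kind(unsigned dr7, int n) {
    dr7_t d = decode_dr7(dr7);
    return d.rw[n & 3];
}

/* Bit 10 is reserved and reads as 1 on real hardware, which is why the
 * "nothing set" value in the text is 0x400 rather than 0. A value with
 * bit 10 clear did not come from an actual read of DR7. */
int plausible_dr7(unsigned dr7) {
    return (dr7 >> 10) & 1;
}

/* 0x700 is 0x400 | LE | GE: the two exact breakpoint enables are the only
 * bits that distinguish the "loaded with the SoftICE loader" value. */
int loader_signature(unsigned dr7) {
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge;
}
```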
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 code: needs the windows.h header. Returns TRUE if the \\.\SICE
   device can be opened, i.e. the Win9x SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile); /* the device answered: SoftICE is there */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed ; sets the zero flag if no debugger is installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>