<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=4, SoftICE services the int 3 itself, and AL no longer holds 4 on return.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; AL is untouched when nothing handled the int 3
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoint)
-AX = 0914h (Remove SoftICE breakpoint)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). ES:DI comes back as 0:0 when the
VxD is not loaded, so any non-zero ES:DI means SoftICE is there.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; ES+DI is 0 only for 0:0 (barring a 16-bit wrap)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is swapped
for a do-nothing handler around the call, so no handler sitting in the IVT
can reply; if AX still comes back as 0F386h, something hooking the interrupt
below the IVT (SoftICE) answered. ES must already be 0 here (it is set
explicitly in Method 06):

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
function 4Fh is never sent. The program reads a pseudo-random byte from
the timer (port 40h) into AL, points int 41h at a handler that copies AL
into CL, and checks after the int 41h that CL == AL. If the handler never
ran because SoftICE took the interrupt, CL is still 0.
(Caveat: when the byte read from port 40h happens to be 0, CL equals AL
whether or not the handler ran, so this variant misses 1 time in 256.)

int41handler PROC
        mov     cl, al                  ; proof that our handler ran
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from the PIT
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (DR0 to DR3), simply by reading their
value (in ring 0 only: MOV from a debug register faults at CPL>0). Values can
be manipulated or changed as well (clearing BPMs, for instance).
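
What the two DR7 values quoted above actually encode, as an added example
(my own code, not part of the original text): a decoder for the DR7 field
layout from the Intel SDM (L0/G0..L3/G3 enable bits, LE/GE at bits 8-9,
reserved bit 10 that always reads as 1, GD at bit 13, and an R/W + LEN nibble
per slot from bit 16), applied to the page's 0x400 and 0x700 and to a value I
construct here with one BPM armed on DR0. The softice_indicators() heuristic
is only the page's rule (LE+GE set, or any slot enabled), not anything SoftICE
itself does.

```python
"""Decode the x86 DR7 debug-control register (added example, not from the page).

Bit layout per the Intel SDM: L0/G0..L3/G3 at bits 0-7, LE bit 8, GE bit 9,
bit 10 reserved (reads as 1), GD bit 13, then R/Wn (2 bits) and LENn (2 bits)
for slot n starting at bit 16+4n."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the global control flags in DR7."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n disabled: DRn holds no live breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "scope": "global" if glob else "local",
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),      # general detect: next MOV DRn raises #DB
    }


def softice_indicators(dr7: int) -> list[str]:
    """The page's heuristic: LE and GE set -> target loaded via the SoftICE loader
    (0x700 vs the idle 0x400); any enabled slot -> a BPM is armed in DR0-DR3."""
    d = decode_dr7(dr7)
    out = []
    if d["LE"] and d["GE"]:
        out.append("LE+GE set: matches the SoftICE-loader value 0x700")
    for bp in d["breakpoints"]:
        out.append(f"DR{bp['slot']} armed: {bp['scope']} {bp['type']} len={bp['len']}")
    return out


# Constructed sample: idle DR7 plus one global 4-byte write watchpoint on DR0
# (G0=1, R/W0=01b, LEN0=11b) -> 0x400 | 0x2 | 0x10000 | 0xC0000
SAMPLE_BPM_DR7 = 0x000D0402

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM_DR7):
        print(f"DR7={value:08X}: {softice_indicators(value) or ['nothing suspicious']}")
```

Reading DR0-DR7 still needs ring 0 (the MOV faults at CPL>0), so a ring 3
protection has to reach the registers through a driver, a VxD, or a fault
handler; the decoder only interprets whatever value such code obtained.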

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD; the open only
       succeeds when the driver is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push  00402025         ; \\.\SICE
0040106C:  call  CreateFileA
00401071:  cmp   eax, -1          ; INVALID_HANDLE_VALUE
00401074:  je    00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX / JNZ test):

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (002Ah = VWIN32),
                                        ; low word the service (002Ah = VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
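
To turn the idioms from Methods 01 to 07, 11 and 12 into something you can
run offline, here is an added example (my own code, not part of the original
text and not from HASP, MeltICE, Bleem or any other tool named on this page):
a small Python scanner that looks for the byte encodings of those instruction
sequences and device-name strings in a raw code blob, and a helper that splits
a VxDCall service DWORD the way Method 12 describes. The opcode bytes are my
own encodings of the listed instructions (Method 01 as 32-bit code, the others
as 16-bit code), the slack allowed between the magic constants and the int 3
is an assumed window, and the sample blob is constructed here from the page's
own snippets.

```python
"""Static scan for the SoftICE-detection idioms on this page (added example).

The byte patterns are my own encodings of the listed instruction sequences:
Method 01 as 32-bit code (mov ebp,imm32 = BD imm32), the DOS-era checks as
16-bit code. SAMPLE_BLOB is constructed here from those snippets."""
import re

# VxD IDs quoted on the page for the int 2Fh/1684h and Get_DDB checks
KNOWN_VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}

# (label, compiled bytes-regex).  re.DOTALL lets '.' match any byte value.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (assumed <=16-byte window)
    ("m01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3   (back-door magic values)
    ("m02 int 3 back door SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Method 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh  (id captured)
    ("m03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xB8\x84\x16\xBB(..)\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("m05 int 41h/4Fh installation check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("m07 int 68h/43h installation check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: MeltICE device names passed to CreateFileA / _lopen
    ("m11 MeltICE device name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall
    ("m12 VxDCall VWIN32_Int41Dispatch", re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def decode_vxdcall(service: int) -> tuple[int, int]:
    """Split a VxDCall service DWORD into (VxD ID, service number):
    high word = VxD (0x002A is VWIN32), low word = service within it."""
    return (service >> 16) & 0xFFFF, service & 0xFFFF


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            desc = label
            if label.startswith("m03/04"):
                vid = int.from_bytes(m.group(1), "little")
                desc += f" id={vid:04X} ({KNOWN_VXD_IDS.get(vid, 'unknown')})"
            elif label.startswith("m11"):
                desc += " " + m.group(1).decode("ascii")
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: the page's snippets assembled back to back with NOP padding.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # m01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # m02, HASP loop body
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                      # m03, SICE
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                      # m04, SIWVID
    + b"\xB8\x4F\x00\xCD\x41"                                  # m05
    + b"\xB4\x43\xCD\x68"                                      # m07
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # m11 strings
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"              # m12 push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE_BLOB):
        print(f"{off:04X}  {desc}")
    print("VxDCall 002A002A ->", decode_vxdcall(0x002A002A))
```

The patterns are deliberately literal: a packer that builds the magic values
with XOR or in another register order slips past them, which is exactly why
the breakpoints listed under each method (on the int or the service, not on
the bytes) are the more reliable way to catch the check at run time.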

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" in keys #2 and #1 respectively):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>