<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; (ES is assumed to point at the IVT, segment 0)
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in Bleem
Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
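Added example, not part of the original text: a small Python scanner that statically
flags the byte sequences of the tricks above (the BoundsChecker 'BCHK' sequence of
method 01, the int 3 back door magic values of method 02, the int 2Fh/1684h VxD
lookups of methods 03/04, the int 41h/4Fh and int 68h/43h magic-number checks of
methods 05 and 07, and the VxDCall variant of method 12) in a raw code blob, the way
an analyst would triage a packed sample for anti-SoftICE code. The encodings are the
standard x86 ones (16-bit operand size for the DOS-style sequences, 32-bit for methods
01 and 12) and the sample blob is constructed here.

```python
import re

# Byte signatures of the anti-SoftICE sequences described above, as an assembler
# would emit them. Operand-size assumption per entry: 16-bit code for the
# int-based DOS tricks, 32-bit code for methods 01 and 12.
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "01 BoundsChecker BCHK int 3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02 (16-bit): mov si,4647h / mov di,4A4Dh / int 3  ('FG' / 'JM' magic)
    "02 SoftICE int 3 back door": rb"\xBE\x47\x46\xBF\x4D\x4A\xCC",
    # Methods 03/04 (16-bit): mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh magic F386h": rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 07 (16-bit): mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h magic F386h": rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # Method 12 (32-bit): push 4Fh (imm8 or imm32 form) / push 002A002Ah
    "12 VxDCall VWIN32_Int41Dispatch": rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes):
    """Return a list of (offset, method) for every signature found in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler around three of the sequences. The method 02
# fragment mirrors the Haspinst.exe listing (mov ax,0911h / mov dx,[bx] first).
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"                       # mov ax,0911h
    + b"\x8B\x17"                           # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # method 05 sequence
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # method 12 pushes
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"offset 0x{offset:04X}: method {name}")
```

A plain byte match is defeated by junk bytes or register shuffling between the instructions, so treat a hit as a triage hint and a miss as no evidence either way.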
</PRE></TD></TR></TBODY></TABLE>