<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect,
since it uses neither function 4Fh nor the 0F386h constant. The program's own
handler copies al into cl; if a debugger intercepts int 41h before the vector
in the IVT is reached, that handler never runs and cl no longer matches the
value read from the timer port:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located inside
nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
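As an added example (not part of the original text, nor code from any tool it names), the following Python scanner flags the byte patterns of the checks quoted in Methods 01 to 05, 11 and 12 inside a raw binary image, so an analyst can spot these anti-SoftICE tricks statically before ever loading the program under a debugger. The byte encodings are the standard x86 encodings of the instructions shown above (16-bit code for Methods 02 to 05, 32-bit for Method 01); the sample image is constructed.

```python
# Added example: static signature scan for the anti-SoftICE checks described
# on this page. Not part of the original text; the sample bytes are constructed.
import re

# name: (method on this page, regex over raw bytes). Encodings are the standard
# x86 forms of the quoted instructions: mov r16,imm16 = B8+reg, int n = CD nn.
SIGNATURES = {
    "BCHK_int3":         ("01",    rb"\xBD\x4B\x48\x43\x42"),              # mov ebp,4243484Bh
    "backdoor_magic":    ("02",    rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),   # mov si,4647h .. mov di,4A4Dh
    "int2F_1684_sice":   ("03",    rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),  # mov ax,1684h; mov bx,0202h; int 2Fh
    "int2F_1684_siwvid": ("04",    rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),  # same with bx=7A5Fh
    "int41_4F":          ("05",    rb"\xB8\x4F\x00\xCD\x41"),              # mov ax,4Fh; int 41h
    "magic_F386":        ("05/12", rb"\x3D\x86\xF3|\x66\x3D\x86\xF3"),     # cmp ax,0F386h (16/32-bit)
    "driver_name":       ("11",    rb"\\\\\.\\(SICE|SIWVID|NTICE)"),       # MeltICE device names
}


def scan(blob: bytes) -> list:
    """Return (offset, signature name, method) tuples sorted by offset."""
    hits = []
    for name, (method, pattern) in SIGNATURES.items():
        # DOTALL: the gap in backdoor_magic must also swallow 0x0A bytes
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name, method))
    return sorted(hits)


def report(blob: bytes) -> list:
    """Human-readable lines, one per hit."""
    return [f"{off:#06x}  {name:<18} (Method {method})" for off, name, method in scan(blob)]


# Constructed sample image mixing several of the page's checks with filler.
SAMPLE = (
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"             # 0: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 4                                           # 10: nops
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 14: Haspinst-style back door call (Method 02)
    + b"\\\\.\\SICE\x00"                                    # 26: MeltICE device name (Method 11)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"           # 35: BCHK check, 32-bit encoding (Method 01)
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Like any byte-signature check it only sees these exact encodings, so a variant that loads the constants differently (a 66h-prefixed `mov ax` in 32-bit code, or values built in a register) needs its own pattern; a clean result means these encodings are absent, not that the trick is.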

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>