<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler echoes al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer value, unpredictable
        xor cx,cx
        int 41h                 ; if SoftICE eats the int, cl stays 0
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
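As an added example (not code from the original text), here is a small decoder for DR7 showing why an idle register reads 0x400 (only the always-set reserved bit 10), what the 0x700 left by the SoftICE loader adds (the LE and GE exact-breakpoint flags), and how the per-slot fields reveal a live BPM in dr0 to dr3:

```python
# Decoder for the x86 DR7 debug-control register, added here as an example
# (not code from the original text) to show what the values quoted above
# encode. Bit layout, from the Intel SDM (Vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bits 8, 9  : LE, GE                    local/global exact breakpoint enable
#   bit  10    : reserved, reads as 1      (so an idle DR7 reads 0x400)
#   bit  13    : GD                        general detect: trap on DRx access
#   bits 16-31 : RW0,LEN0 .. RW3,LEN3      2 bits each, condition and length

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) is 64-bit mode only


def decode_dr7(dr7):
    """Return a dict describing the flags and breakpoint slots DR7 arms."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else "off"),
            "condition": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "armed": [s for s in slots if s["enabled"]],
    }


def any_breakpoint_armed(dr7):
    """True if any of DR0..DR3 is enabled, i.e. a memory breakpoint is live."""
    return bool(dr7 & 0xFF)


def describe_dr7(dr7):
    """One-line summary suitable for a triage note."""
    d = decode_dr7(dr7)
    flags = "+".join(n.upper() for n in ("le", "ge", "gd") if d[n]) or "none"
    armed = ", ".join(
        f"DR{s['slot']} {s['scope']} {s['condition']} len={s['length']}"
        for s in d["armed"]) or "none"
    return f"DR7={dr7:#010x} flags={flags} armed={armed}"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus a 4-byte write
    # breakpoint armed globally in DR0 (G0 | RW0=write | LEN0=4 bytes).
    for value in (0x400, 0x700, 0x400 | 0x2 | (1 << 16) | (3 << 18)):
        print(describe_dr7(value))
```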

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
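As an added example (not code from the original text), here is a static scanner for the checks listed in methods 01 to 07, 11 and 12, the kind of triage run over a packed sample before loading it under a debugger. Each signature is the machine-code encoding of the corresponding listing, assuming 16-bit code for the DOS snippets and 32-bit code for methods 01 and 12; the sample buffer it scans is constructed here.

```python
import re

# Added example (not code from the original text): static signatures for the
# anti-SoftICE checks listed in methods 01-07, 11 and 12, so a sample can be
# triaged for them before it is loaded under a debugger. Each pattern is the
# machine-code encoding of the listing it is named after; the DOS snippets
# are assumed to be 16-bit code, methods 01 and 12 32-bit code.
SIGNATURES = [
    # method 01: mov ebp,4243484Bh / mov ax,4 / int 3  ('BCHK' BoundsChecker probe)
    ("m01_bchk_int3", rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"),
    # method 02: mov si,4647h / mov di,4A4Dh  (back-door magic values, either order)
    ("m02_backdoor_magic", rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
    # methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh  (VxD entry point)
    ("m03_04_int2f_1684", rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("m05_int41_4f", rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("m07_int68_43", rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # method 11: NUL-terminated device names opened with CreateFileA / _lopen
    ("m11_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # method 12: push 4Fh (imm8 or imm32 form) / push 2A002Ah  (VxDCall Int41Dispatch)
    ("m12_vxdcall_int41", rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data):
    """Distinct signature names present, for a one-line triage verdict."""
    return sorted({name for _, name in scan(data)})


# Constructed sample buffer: NOP padding with a method 05 probe at offset 8,
# a method 04 VxD lookup at offset 24 and a MeltICE device name at offset 40.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x90" * 6
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
    + b"\x00" * 8
    + b"\\\\.\\SIWVID\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
    print("verdict:", ", ".join(summarize(SAMPLE)) or "clean")
```

Signatures built from linear code are easily broken by junk-insertion or self-modifying packers, so a miss here says nothing; a hit is what earns the sample the BPX lists above.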
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>