About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes es = 0 (IVT segment), set up as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; our handler: copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                  ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; unpredictable byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; cl == al only if our handler really ran
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx = new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

___________________________________________________________________________
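An added example, not code from the original post, that decodes a DR7 value into its fields so the two numbers quoted above can be read: 0x700 is the always-set bit 10 plus the LE and GE (exact breakpoint enable) bits, while 0x400 is bit 10 alone, with no hardware breakpoint slot armed in either case. The bit layout follows the x86 debug-register definition; the third value fed to `dr7_print` is a constructed one showing a single 4-byte write breakpoint in slot 1.

```c
/* Added example (not from the original post): decode DR7 so the values the
 * text quotes (0x700 and 0x400) can be read field by field. Bit positions are
 * the architectural x86 DR7 layout. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE_BIT        8   /* local exact breakpoint enable */
#define DR7_GE_BIT        9   /* global exact breakpoint enable */
#define DR7_RESERVED_BIT 10   /* always reads as 1 on real hardware */
#define DR7_GD_BIT       13   /* general detect: trap on any debug-register access */

typedef struct {
    int local_enable;   /* Ln bit */
    int global_enable;  /* Gn bit */
    int rw;             /* 0 = exec, 1 = write, 3 = read/write */
    int len;            /* raw 2-bit length field */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le, ge, gd;
    int reserved_ok;    /* bit 10 set, as a genuine DR7 read would show */
    int active_slots;   /* slots with L or G set, i.e. BPMs armed */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7) {
    dr7_t d = {0};
    for (int i = 0; i < 4; i++) {
        d.slot[i].local_enable  = (dr7 >> (2 * i))     & 1;
        d.slot[i].global_enable = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len = (dr7 >> (18 + 4 * i)) & 3;
        if (d.slot[i].local_enable || d.slot[i].global_enable) d.active_slots++;
    }
    d.le = (dr7 >> DR7_LE_BIT) & 1;
    d.ge = (dr7 >> DR7_GE_BIT) & 1;
    d.gd = (dr7 >> DR7_GD_BIT) & 1;
    d.reserved_ok = (dr7 >> DR7_RESERVED_BIT) & 1;
    return d;
}

/* Length field -> bytes covered (encoding 10b means 8 bytes, x86-64 only). */
int dr7_len_bytes(int len) {
    static const int table[4] = {1, 2, 8, 4};
    return table[len & 3];
}

static const char *rw_name(int rw) {
    switch (rw) {
        case 0:  return "exec";
        case 1:  return "write";
        case 3:  return "read/write";
        default: return "io";
    }
}

void dr7_print(uint32_t dr7) {
    dr7_t d = dr7_decode(dr7);
    printf("DR7=0x%08x LE=%d GE=%d GD=%d reserved=%d active_slots=%d\n",
           dr7, d.le, d.ge, d.gd, d.reserved_ok, d.active_slots);
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local_enable || d.slot[i].global_enable)
            printf("  DR%d: %s%s %s len=%d\n", i,
                   d.slot[i].local_enable ? "L" : "",
                   d.slot[i].global_enable ? "G" : "",
                   rw_name(d.slot[i].rw), dr7_len_bytes(d.slot[i].len));
}

int main(void) {
    dr7_print(0x700);   /* value the text reports when loaded via SoftICE loader */
    dr7_print(0x400);   /* value reported otherwise: only the always-one bit */
    /* constructed value: slot 1, global enable, write, 4 bytes */
    dr7_print(0x400 | (1u << 3) | (1u << 20) | (3u << 22));
    return 0;
}
```

Reading DR7 needs ring 0, as the text says; the decoder itself works on any value you already hold, for instance a register dump from a crash or a VM snapshot.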

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________
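The breakpoints listed under each method catch these tricks at run time. As an added example, not code from the original post, here is the static counterpart: a small signature scanner that looks for the byte patterns Methods 01, 02, 05, 07, 11 and 12 leave in a binary, so a packed sample can be triaged for anti-SoftICE checks before it is ever run. The opcode encodings are my own, derived from the listings above; they assume 32-bit code for Methods 01 and 12 and 16-bit code for Methods 02, 05 and 07, which the text does not state for every snippet. The `sample` buffer is constructed for the demonstration and is not a real binary.

```c
/* Added example, not from the original post: static scanner for the
 * anti-SoftICE byte patterns described in Methods 01/02/05/07/11/12.
 * Encodings are assumptions (32-bit for M01/M12, 16-bit for M02/M05/M07). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WILD 0x100                      /* pattern entry matching any byte */

typedef struct { const char *name; const int *pat; size_t len; } sig_t;

/* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz rel8 */
static const int sig_bchk[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00,
                               0xCC, 0x3C,0x04, 0x75,WILD};
/* Method 02: mov si,4647h / mov di,4A4Dh, the back-door 'magic values' */
static const int sig_backdoor[]  = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};
/* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h */
static const int sig_int41[]     = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3};
/* Method 07: mov ah,43h / int 68h / cmp ax,0F386h */
static const int sig_int68[]     = {0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3};
/* Method 12: push 4Fh / push 2A002Ah ahead of the VxDCall */
static const int sig_vxdcall41[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};
/* Method 11: driver names handed to CreateFileA or _lopen */
static const int sig_sice[]   = {'\\','\\','.','\\','S','I','C','E'};
static const int sig_siwvid[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const int sig_ntice[]  = {'\\','\\','.','\\','N','T','I','C','E'};

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t sigs[] = {
    SIG("M01 BoundsChecker BCHK/int 3 check", sig_bchk),
    SIG("M02 int 3 back-door magic values",   sig_backdoor),
    SIG("M05 int 41h/4Fh debugger check",     sig_int41),
    SIG("M07 int 68h/43h debugger check",     sig_int68),
    SIG("M12 VxDCall Int41Dispatch check",    sig_vxdcall41),
    SIG("M11 device name \\\\.\\SICE",        sig_sice),
    SIG("M11 device name \\\\.\\SIWVID",      sig_siwvid),
    SIG("M11 device name \\\\.\\NTICE",       sig_ntice),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Offset of the first match of pat in buf, or -1 if absent. */
long sig_find(const unsigned char *buf, size_t n, const int *pat, size_t plen) {
    if (plen == 0 || n < plen) return -1;
    for (size_t i = 0; i + plen <= n; i++) {
        size_t j = 0;
        while (j < plen && (pat[j] == WILD || buf[i + j] == pat[j])) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Runs every signature over buf, prints hits, returns how many signatures hit. */
int scan_buffer(const unsigned char *buf, size_t n) {
    int hits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        long off = sig_find(buf, n, sigs[s].pat, sigs[s].len);
        if (off >= 0) { printf("0x%06lx  %s\n", (unsigned long)off, sigs[s].name); hits++; }
    }
    return hits;
}

/* Reads a whole file and scans it; returns the hit count, or -1 on I/O error. */
int scan_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    if (sz < 0) { fclose(f); return -1; }
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    size_t got = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int hits = buf ? scan_buffer(buf, got) : -1;
    free(buf);
    return hits;
}

/* Constructed sample (not a real binary): padding, a Method 01 stub, a
 * Method 05 check and one Method 11 device-name string. */
static const unsigned char sample[] = {
    0x90,0x90,0x90,
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x12,
    0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,
    '\\','\\','.','\\','S','I','C','E', 0x00,
};
const unsigned char *sample_bytes(void) { return sample; }
size_t sample_len(void) { return sizeof sample; }

int main(int argc, char **argv) {
    int hits = argc > 1 ? scan_file(argv[1]) : scan_buffer(sample, sizeof sample);
    printf("%d signature(s) hit\n", hits);
    return hits < 0;
}
```

Run it with a file path to scan that file, or with no arguments to scan the built-in sample (three hits: the Method 01 stub at offset 3, the int 41h check at 18 and the `\\.\SICE` string at 26). The byte sequences are only the encodings shown in the listings; a packer that picks other registers, adds an operand-size prefix or builds the device name at run time will not match, so treat these as starting points for a rule set rather than a complete one.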

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>