About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
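As an added example (not part of the original text), a Python decoder for DR7 that shows what the two values quoted above actually are: 0x400 is only bit 10 (which always reads as 1), and 0x700 adds the LE and GE bits; the same decoder lists which hardware breakpoints (the BPMs the text mentions) are armed in a DR7 value read from ring0. The field layout is the architectural one from the Intel manuals; the sample values in the test are constructed.

```python
from typing import Any, Dict, List

# DR7 layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3; bit 8 = LE; bit 9 = GE;
# bit 10 reserved (reads as 1); bit 13 = GD; bits 16+4i..17+4i = R/Wi;
# bits 18+4i..19+4i = LENi.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8 (64-bit), 11=4


def decode_dr7(dr7: int) -> Dict[str, Any]:
    """Split a DR7 value into its architectural fields."""
    fields: Dict[str, Any] = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always set on real hardware
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap on any DRx access
    }
    for i in range(4):
        local_en = bool(dr7 & (1 << (2 * i)))
        global_en = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        fields[f"bp{i}"] = {
            "enabled": local_en or global_en,
            "local": local_en,
            "global": global_en,
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        }
    return fields


def armed_breakpoints(dr7: int) -> List[int]:
    """Indices of DR0..DR3 that this DR7 value enables (armed memory breakpoints)."""
    decoded = decode_dr7(dr7)
    return [i for i in range(4) if decoded[f"bp{i}"]["enabled"]]


if __name__ == "__main__":
    for value in (0x400, 0x700):
        d = decode_dr7(value)
        print(f"dr7={value:#05x}: LE={d['LE']} GE={d['GE']} armed={armed_breakpoints(value)}")
```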

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
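As an added example (not part of the original text), a Python byte-signature scanner for the instruction sequences quoted in methods 01, 02, 03/04, 05, 07, 11 and 12 above: the triage an analyst runs over a packed file or a sample to see which of these anti-SoftICE tricks it carries before opening it in a disassembler. The patterns are the standard x86 encodings of the instructions shown in the text; the sample blob is constructed.

```python
import re
from typing import List, Tuple

# x86 encodings of the instruction pairs quoted above (16-bit operand size;
# in 32-bit code a 66h prefix simply precedes the same bytes):
#   mov ebp,4243484Bh -> BD 4B 48 43 42   mov ax,4 -> B8 04 00   int 3 -> CC
#   mov si,4647h -> BE 47 46              mov di,4A4Dh -> BF 4D 4A
#   mov ax,1684h -> B8 84 16   mov bx,0202h/7A5Fh -> BB 02 02 / BB 5F 7A   int 2Fh -> CD 2F
#   mov ax,4Fh -> B8 4F 00     int 41h -> CD 41      cmp ax,0F386h -> 3D 86 F3
#   mov ah,43h -> B4 43        int 68h -> CD 68
#   push 4Fh -> 6A 4F          push 2A002Ah -> 68 2A 00 2A 00
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("02 back door magic values SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    ("03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("05/07/12 compare with magic number 0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("11 MeltICE device name (ANSI)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset.

    A hit means the byte pattern of the trick is present; it is a triage
    signal to confirm in a disassembler, not proof of the behaviour."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: padding, then methods 01, 02, 04, 05 and the MeltICE string.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov ax,0911h / mov dx,[bx] / magics / int 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                      # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\\\\.\\NTICE\x00"                                      # "\\.\NTICE"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```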
</PRE></TD></TR></TBODY></TABLE>