<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK' - BoundsChecker signature
    mov ax, 04h
    int 3                 ; SoftICE's INT 3 handler answers the signature and changes AL
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install a dummy int 41h handler (assumes ES=0, the IVT)...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read a changing value (PIT counter port)
    xor cx,cx
    int 41h                   ; our handler copies AL into CL...
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ...unless SoftICE took int 41h first
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* If the SICE VxD is loaded it answers the open request, so a valid
       handle comes back; otherwise INVALID_HANDLE_VALUE. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
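
The tricks above leave recognizable byte patterns and strings behind in a binary. The following Python scanner, added here and not part of the original text, flags those patterns in a raw code/data blob for triage; it assumes plain x86 encodings and runs over a constructed sample.

```python
"""Triage scanner for the anti-SoftICE tricks listed above. Added example,
not code from the original text: it searches a raw code/data blob for the
byte patterns and strings those methods leave behind, so an analyst can flag
a sample that probes for SoftICE. Assumes plain x86 encodings; a 66h
operand-size prefix may precede them and is tolerated because every pattern
starts at the opcode byte, not at the prefix."""
import re

# (label, regex over raw bytes); DOTALL lets '.' match any byte value.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' in EBP followed by INT 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,12}\xCC", re.DOTALL)),
    ("M02 back-door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,8}\xBE\x47\x46", re.DOTALL)),
    ("M03/M04 INT 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    ("M05/M06 INT 41h then CMP AX,0F386h",
     re.compile(rb"\xCD\x41.{0,16}\x3D\x86\xF3", re.DOTALL)),
    ("M07 INT 68h then CMP AX,0F386h",
     re.compile(rb"\xCD\x68.{0,16}\x3D\x86\xF3", re.DOTALL)),
    ("M12 VxDCall VWIN32_Int41Dispatch (PUSH 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("M11 SoftICE driver name (CreateFileA / _lopen)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M13 SoftICE registry key",
     re.compile(rb"(?:NuMega|Uninstall)\\SoftICE", re.IGNORECASE)),
]


def scan(blob):
    """Return [(offset, label), ...] sorted by offset, one entry per hit."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: a Method 01 stub, Method 02 magic values, two
# Method 11 driver names and a Method 13 key, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh ('BCHK')
    + b"\xB8\x04\x00\xCC\x3C\x04"      # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax, 0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A"      # mov si,4647h / mov di,4A4Dh
    + b"\xCD\x03"                      # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print("0x%04X  %s" % (off, label))
```

The windows (`.{0,8}`, `.{0,16}`) tolerate a few instructions between the setup and the interrupt, so a byte moved by a different assembler still matches; widen them if a packer interleaves junk code.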
</PRE></TD></TR></TBODY></TABLE>