About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to the IVT (segment 0)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL so the caller
    iret                            ; can tell whether it really ran
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer count: a value a debugger can't predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if SoftICE swallowed the int, CL was never set
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
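To make sense of the values quoted above (dr7=0x700 vs 0x400, and dr0 to dr3 holding BPM addresses), here is an added example, not code from the original post, that decodes a DR7 value into the flags and breakpoint slots a Method 10 check is really looking at. It assumes the standard x86 DR7 bit layout, and the value with a breakpoint armed is constructed.

```python
# Added example, not code from the original post: decode a DR7 value the
# way a Method 10 check reads it, so an analyst can tell what a sample is
# really testing for.  Assumes the standard x86 DR7 bit layout (Intel SDM
# vol. 3, "Debug Registers"); DR7_WITH_BPM below is a constructed value.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (long mode only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 3            # LEN0..LEN3
        slots.append({"reg": f"dr{i}", "enabled": local or glob,
                      "local": local, "global": glob,
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),     # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),     # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),    # general detect: traps MOV to/from DRn
        "slots": slots,
    }


def classify(dr7: int) -> str:
    """The heuristic the text describes: bit 10 always reads as 1, so 0x400
    is the idle value; 0x700 adds LE and GE, which per the text the SoftICE
    loader leaves set; any Ln/Gn bit means a hardware breakpoint (BPM) is
    armed in the matching dr0..dr3."""
    info = decode_dr7(dr7)
    armed = [s for s in info["slots"] if s["enabled"]]
    if armed:
        return "breakpoints armed: " + ", ".join(
            f"{s['reg']} {s['kind']} len={s['len']}" for s in armed)
    if info["le"] or info["ge"]:
        return "no breakpoints, but LE/GE set (SoftICE loader signature)"
    return "clean (no debugger trace in DR7)"


# Constructed: dr0 armed as a 4-byte write breakpoint
# (L0=1, R/W0=01b at bits 16-17, LEN0=11b at bits 18-19)
DR7_WITH_BPM = 0x400 | 0x1 | (0x1 << 16) | (0x3 << 18)

if __name__ == "__main__":
    for v in (0x400, 0x700, DR7_WITH_BPM):
        print(f"dr7={v:#x}: {classify(v)}")
```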

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; Win32 code, needs windows.h):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

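The byte patterns behind Methods 01 to 07, 11 and 12 can be flagged statically in a sample, so an analyst knows which of these checks a packer carries before stepping through it. The scanner below is an added example, not code from the original post; it assumes the standard 16/32-bit x86 encodings of the listed instructions, and the sample buffer it runs on is constructed.

```python
# Added example, not code from the original post: a static scanner for the
# byte patterns behind Methods 01-07, 11 and 12.  The encodings are the
# standard 16/32-bit x86 ones for the listed instructions; SAMPLE below is
# a constructed buffer, not a real binary.
import re

# (method, description, byte regex).  Small gaps are allowed between the
# instructions because packers interleave junk or unrelated code.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK': mov ebp,4243484Bh ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    ("02", "back-door magic values: mov si,4647h ; mov di,4A4Dh ; int 3",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    ("03/04", "VxD entry query: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh",
     rb"\xB8\x84\x16.{0,6}\xBB(\x02\x02|\x5F\x7A).{0,6}\xCD\x2F"),
    ("05", "debugger check: mov ax,4Fh ... int 41h",
     rb"\xB8\x4F\x00.{0,24}\xCD\x41"),
    ("05/06/07/12", "compare with the 0F386h magic number: cmp ax,0F386h",
     rb"\x3D\x86\xF3"),
    ("07", "V86 handler probe: mov ah,43h ; int 68h",
     rb"\xB4\x43.{0,6}\xCD\x68"),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(buf: bytes):
    """Return (offset, method, description) for every signature hit, sorted
    by offset, so the analyst sees the checks in the order they occur."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: Method 01, the Method 02 sequence from the Haspinst.exe
# listing, a MeltICE device string, then the Method 12 prologue and compare.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp,4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"                # mov ax,4
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"                    # mov ax,0911h
    + b"\x8B\x17"                        # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # '\\.\SICE',0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 2A002Ah
    + b"\x3D\x86\xF3"                    # cmp ax,0F386h
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  Method {method:11} {desc}")
```

Only the narrow ASCII device-name form is matched; a wide (UTF-16) string or an encrypted constant would need to be scanned after unpacking.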
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Source forum: 汶上信息港