<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: int 3 is called with
EBP = 'BCHK' and AX = 0004h. If SoftICE is loaded it clears AL; the code
only relies on AL no longer being 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL unchanged -> SoftICE is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands pointed to by ds:dx,
which are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* the "jmp to 00ADh" is performed through an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point) using its VxD ID; ES:DI comes
back as 0:0 when the VxD is not loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; still 0:0 -> no SICE VxD
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

A method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the interrupt vector
table is replaced by a dummy handler around the call, so an F386h answer
cannot come from whatever handler was in the table: it has to come from a
debugger that intercepts int 41h before the vector table is reached, which
is what SoftICE does.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to spot, because it
uses neither function 4Fh nor the F386h value. A handler that copies AL
into CL is installed on int 41h; if SoftICE handles int 41h itself, the
installed handler never runs and CL stays 0. (If the PIT byte read into AL
happens to be 0 the check gives a false negative.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from PIT counter 0
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL still 0 -> our handler was bypassed
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip at
[ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h/25h (get/set interrupt vector) with ds:dx
pointing to the new routine to execute (and hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h                 ; ds:dx -> New_Int_Routine
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID
        mov edi, Device_Name    ; only used when there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (dr0 to dr3). The values can be manipulated or changed
as well (clearing BPMs, for instance).
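
Added example, not from the original article: a Python decoder for the DR7
layout a ring-0 check like the one above has to interpret. It splits DR7 into
its enable flags and the four DR0..DR3 slots, with the R/W and LEN fields that
say what kind of BPM is armed; the 0x700/0x400 rule is the author's
observation quoted above, implemented here as looks_like_softice_loader(),
and the sample register values are constructed.

```python
# Added example (not from the original article): decode an x86 DR7 value the
# way a ring-0 anti-debug check from Method 10 would have to.
from dataclasses import dataclass
from typing import Dict, List

# Bit 10 of DR7 is architecturally reserved and reads as 1, which is why an
# idle DR7 reads 0x400 rather than 0.
DR7_RESERVED = 1 << 10
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # the 8-byte length exists in 64-bit mode only


@dataclass
class HwBreakpoint:
    slot: int      # which of DR0..DR3 holds the address
    local: bool    # Ln bit: enabled for the current task
    glob: bool     # Gn bit: enabled for every task
    kind: str      # which access fires it (RW_TYPES)
    length: int    # bytes covered from the DRn address (LEN_BYTES)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its control flags and the list of armed BPM slots."""
    bps: List[HwBreakpoint] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled: DRn holds a stale address
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append(HwBreakpoint(n, local, glob, RW_TYPES[rw], LEN_BYTES[ln]))
    return {
        "LE": bool((dr7 >> 8) & 1),        # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),        # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),       # general detect: MOV DRn raises #DB
        "breakpoints": bps,
    }


def active_bpm_slots(dr7: int) -> List[int]:
    """Indexes of DR0..DR3 that currently arm a hardware breakpoint."""
    return [bp.slot for bp in decode_dr7(dr7)["breakpoints"]]


def looks_like_softice_loader(dr7: int) -> bool:
    """The article's heuristic: the SoftICE loader leaves LE and GE set
    (DR7 = 0x700), a plain start leaves only the reserved bit (0x400).
    This is the author's observation, not an architectural guarantee."""
    flags = decode_dr7(dr7)
    return bool(flags["LE"] and flags["GE"])


def clear_bpms(dr7: int) -> int:
    """What a protector does to kill BPMs: drop every Ln/Gn enable bit and
    the R/W and LEN fields, keep LE/GE/GD and the reserved bit."""
    return (dr7 & 0x00002700) | DR7_RESERVED


# Constructed sample values: idle register, SoftICE-loader register, and one
# with DR0 = 4-byte write BPM (global) plus DR2 = execute BPM (local).
SAMPLE_DR7 = {
    "idle": 0x400,
    "loader": 0x700,
    "two_bpms": 0x400 | (1 << 1) | (1 << 4) | (1 << 16) | (3 << 18),
}

if __name__ == "__main__":
    for name, value in SAMPLE_DR7.items():
        print(f"{name:9s} dr7={value:#010x} slots={active_bpm_slots(value)} "
              f"loader={looks_like_softice_loader(value)}")
```

The decoder is also what you want on the defending side: before clearing
dr7 the way the text describes, check which slots were really armed, since a
protector that blindly writes 0x400 also wipes breakpoints the user set.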
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open a handle on the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0 when the open failed
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word selects the VxD (VWIN32),
                                ; low word the service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside key names #2 and #1 after the hive prefix):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je   not_installed      ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>