About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

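To make sense of the two DR7 values quoted above (0x400 and 0x700) and of what a "memory breakpoint set" looks like in DR7, here is an added C example, not from the original text, that decodes DR7 into its enable and condition fields using the documented x86 bit layout; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: decodes an x86 DR7 value the way the debug-register check
 * in Method 10 reads it. Bit layout (Intel architecture manual):
 * L0..L3/G0..G3 in bits 0-7, LE = bit 8, GE = bit 9, bit 10 is reserved and
 * always reads as 1, RWn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n. */

struct dr7_info {
    int local_enabled[4];   /* Ln: breakpoint n enabled for the current task */
    int global_enabled[4];  /* Gn: breakpoint n enabled for all tasks        */
    int rw[4];              /* 0=exec, 1=write, 3=read/write                 */
    int len[4];             /* 0=1 byte, 1=2 bytes, 3=4 bytes, 2=8 bytes     */
    int le, ge;             /* local/global exact breakpoint enable          */
    int any_breakpoint;     /* 1 if any Ln/Gn bit is set (a BPM is armed)    */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    for (int n = 0; n < 4; n++) {
        info.local_enabled[n]  = (dr7 >> (2 * n)) & 1;
        info.global_enabled[n] = (dr7 >> (2 * n + 1)) & 1;
        info.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        info.len[n] = (dr7 >> (18 + 4 * n)) & 3;
        if (info.local_enabled[n] || info.global_enabled[n])
            info.any_breakpoint = 1;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    return info;
}

/* The two idle values the text quotes: 0x400 is only the always-set reserved
 * bit 10; 0x700 additionally has LE and GE set, which is what the SoftICE
 * loader leaves behind according to the text. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return ((dr7 >> 8) & 3) == 3;   /* LE and GE both set */
}

int main(void)
{
    /* constructed values: idle, SoftICE-loader idle, and one armed 2-byte
     * write breakpoint on DR0 (L0=1, RW0=01, LEN0=01) */
    uint32_t samples[] = { 0x400, 0x700, 0x00050001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%08x LE=%d GE=%d bp0: L=%d RW=%d LEN=%d loader=%d\n",
               samples[i], d.le, d.ge, d.local_enabled[0], d.rw[0], d.len[0],
               dr7_looks_like_softice_loader(samples[i]));
    }
    return 0;
}
```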
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

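The conditional breakpoints quoted for Method 11 (CreateFileA on \\.\SICE etc.) and Method 13 (_regopenkey) both compare four bytes at a fixed offset into the string argument on the stack. The following added C example, not part of the original text, re-implements those two comparisons in plain C so the offsets (+4 past the "\\.\" prefix, +0x13 and +0x37 into the two registry subkeys) can be checked against constructed sample arguments; it also shows that a four-byte compare is a prefix match, so any device name beginning with those bytes trips the breakpoint.

```c
#include <string.h>
#include <stdio.h>

/* Added example: what the two SoftICE conditional breakpoints quoted for
 * Method 11 and Method 13 actually compare:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ...'SIWV' || ...'NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->4 / esp->8 is the first / second stack argument (a pointer to the
 * name string); the added offset selects the four bytes of interest. */

/* Four-byte compare at an offset; 0 when the string is too short, which a
 * breakpoint expression would not check (it would just read memory). */
static int four_bytes_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: "+4" skips the "\\.\" device prefix, so the breakpoint tests
 * only the first four characters of the device name (a prefix match). */
int looks_like_softice_device_open(const char *path)
{
    return four_bytes_at(path, 4, "SICE") ||
           four_bytes_at(path, 4, "SIWV") ||   /* SIWVID */
           four_bytes_at(path, 4, "NTIC");     /* NTICE  */
}

/* Method 13: 0x13 is the offset of "tICE" in "Software\NuMega\SoftICE"
 * (key #2) and 0x37 its offset in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int looks_like_softice_regkey(const char *subkey)
{
    return four_bytes_at(subkey, 0x13, "tICE") ||
           four_bytes_at(subkey, 0x37, "tICE");
}

int main(void)
{
    /* constructed sample arguments, as a hook on CreateFileA / RegOpenKey
     * would see them; "\\.\SICEFAKE" shows the prefix-match side effect */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "\\\\.\\SICEFAKE" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion" };
    for (size_t i = 0; i < 5; i++)
        printf("%-22s -> %d\n", paths[i], looks_like_softice_device_open(paths[i]));
    for (size_t i = 0; i < 3; i++)
        printf("%-60s -> %d\n", keys[i], looks_like_softice_regkey(keys[i]));
    return 0;
}
```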
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>