About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
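Most of the tricks above leave fixed byte sequences in the protected file, so an analyst can triage a binary for them statically instead of tracing each one under the debugger. The following scanner is an added example and not code from the original post; the byte patterns, labels and the sample buffer are constructed here from the instruction encodings of the listings above (16-bit encodings, with an optional 66h prefix for 32-bit code).

```python
import re
import sys

# Signatures derived from the listings in the write-up (constructed here).
# The optional \x66 prefix lets the 16-bit DOS encodings also match when the
# same instructions appear under an operand-size prefix in 32-bit code.
SIGNATURES = [
    ("M01 BoundsChecker BCHK/int 3",           # mov ebp,4243484Bh ... int 3
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("M02 back-door magic SI=4647h DI=4A4Dh",  # mov si,4647h ... mov di,4A4Dh
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("M03 int 2Fh/1684h VxD ID 0202h",         # mov ax,1684h; mov bx,0202h; int 2Fh
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh",         # same sequence with the SIWVID ID
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("M05 int 41h function 4Fh",               # mov ax,4Fh; int 41h
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("M07 int 68h function 43h",               # mov ah,43h; int 68h
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    ("M11 MeltICE device name",                # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",   # push 4Fh; push 002A002Ah
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M13 NuMega SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
    ("MAGIC cmp ax,0F386h",                    # debugger magic compare, any method
     re.compile(rb"\x66?\x3D\x86\xF3")),
]


def scan(buf: bytes):
    """Return every signature hit as (offset, label), sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: a few of the sequences from the write-up, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Haspinst-style back-door call
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                    # MeltICE device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Bleem-style VxDCall arguments
    + b"\x90" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

Run it with a file path to scan a real binary; the hit offsets are file offsets, so map them through the section table before looking at them in a disassembler.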