<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es is expected to point to segment 0 (the IVT), as set up in Method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original int 41h vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

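To see what the two dr7 values quoted above actually encode, here is an added DR7 decoder (example code written for this page, not part of the original text or of SoftICE). The bit layout is the documented IA-32 one: 0x400 is only the reserved bit 10 that always reads as 1, while 0x700 also has the LE and GE (local/global exact) bits 8 and 9 set, and an armed hardware breakpoint shows up as an L/G enable bit plus the R/W and LEN fields for that slot. The values fed in at the bottom are constructed, not read from a real CPU.

```python
"""Decode the x86 DR7 debug-control register (added example; field layout
follows the IA-32 documentation, sample values are constructed)."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 0b10 means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the DR7 fields: global flags plus one entry per DR0-DR3 slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 0b11     # LENn: bits 18-19, 22-23, 26-27, 30-31
        slots.append({
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),   # always reads as 1, hence the 0x400
        "GD": bool(dr7 & (1 << 13)),               # general detect: traps MOV to/from DRn
        "slots": slots,
    }


def debugger_indicators(dr7: int) -> list:
    """Name the conditions the text above treats as evidence of a debugger:
    LE+GE set (the 0x700 pattern) or any DR0-DR3 slot armed."""
    d = decode_dr7(dr7)
    found = []
    if d["LE"] and d["GE"]:
        found.append("LE/GE set (dr7 == 0x700 pattern)")
    for i, s in enumerate(d["slots"]):
        if s["enabled"]:
            found.append(f"DR{i} armed: {s['scope']} {s['type']} breakpoint, "
                         f"{s['length']} byte(s)")
    return found


if __name__ == "__main__":
    # Constructed values: bare reserved bit, the loader pattern, and the loader
    # pattern plus a local 4-byte read/write breakpoint in DR0.
    for value in (0x400, 0x700, 0x000F0701):
        print(f"dr7={value:#010x}: {debugger_indicators(value) or ['nothing']}")
```

Reading DR7 still requires ring0, exactly as the text says; the decoder only explains what a read value means, and the same field split applies to the value a ring0 check compares against.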
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

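The SoftICE breakpoints listed for each method catch the tricks at run time. An analyst looking at an unpacked file before running it usually wants the static equivalent: a scan for the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 above. The following scanner is an added example written for this page (not code from the original text or from any of the programs it names). The byte patterns are hand-encoded x86 forms of the listed instructions (16-bit encodings, with an optional 66h operand-size prefix so the same patterns also match inside 32-bit code); the sample buffer is constructed from those encodings, not taken from any real file.

```python
"""Scan raw code bytes for the anti-SoftICE opcode sequences described in
this list (added example; patterns hand-encoded, sample buffer constructed)."""
import re

# Optional 0x66 operand-size prefix: present when 16-bit register forms such
# as 'mov ax, imm16' or 'cmp ax, imm16' appear inside 32-bit code.
P = rb"(?:\x66)?"

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "bchk_int3":      rb"\xBD\x4B\x48\x43\x42" + P + rb"\xB8\x04\x00.{0,8}?\xCC",
    # Method 02: mov si,4647h and mov di,4A4Dh (back-door magic values), either order
    "backdoor_magic": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "int2f_1684":     P + rb"\xB8\x84\x16" + P + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "int41_4f":       P + rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "int68_43":       rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "vxdcall_int41":  rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Methods 05/07/12 all compare ax against the debugger magic 0F386h
    "magic_f386":     P + rb"\x3D\x86\xF3",
}

# DOTALL so the '.{0,8}?' gaps may span a 0x0A byte as well
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(code: bytes) -> list:
    """Return a sorted list of (offset, signature_name) hits found in `code`."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer: NOP filler around three of the tricks above."""
    filler = b"\x90" * 8
    # Method 01 in 32-bit code: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4 ; jnz +16
    m01 = b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04\x75\x10"
    # Method 02 in 16-bit code: mov ax,911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    m02 = b"\xB8\x11\x09" b"\x8B\x17" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC"
    # Method 12: push 4Fh ; push 2A002Ah ; call [mem] ; cmp ax,0F386h
    m12 = b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00" b"\xFF\x15\x00\x00\x00\x00" b"\x66\x3D\x86\xF3"
    return filler + m01 + filler + m02 + filler + m12


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

The patterns only catch the literal sequences quoted in this text; a protector that builds the magic values arithmetically, moves them through other registers, or spreads the instructions further apart than the eight-byte gap allowed here will slip past, so treat a clean scan as a reason to still watch the breakpoints listed above rather than as proof of absence.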
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>