<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SIce window)
 -AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]   ; ...keeping the old vector in BX:DX
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The substituted handler simply copies AL into CL, so the compare succeeds
only when the int 41h actually reaches it:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; some changing value (timer port)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025            ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp ax, 0F386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
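As an added example (not part of the original document): a small static-triage script, written for this page, that searches a binary for the opcode encodings of the checks from Methods 01 through 05, 07, 11 and 12, so an analyst can see which of these anti-SoftICE tricks a packed sample carries before running it. The signatures are derived from the instruction sequences given in those methods; the names `SIGNATURES` and `scan` and the sample buffer are constructed for this example.

```python
import re

# Opcode-level signatures for the anti-SoftICE checks described in Methods
# 01-05, 07, 11 and 12 above. DOS/real-mode tricks use 16-bit encodings, the
# Win32 ones 32-bit; hits are reported as (offset, label) within the buffer.
SIGNATURES = {
    # mov ebp, 4243484Bh ('BCHK')
    "M01 int3 BoundsChecker signature": rb"\xBD\x4B\x48\x43\x42",
    # mov si, 4647h ; mov di, 4A4Dh (the int 3 back door magic values)
    "M02 int3 back door SI=4647/DI=4A4D": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # mov ax, 1684h ; mov bx, 0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID (SICE/SIWVID)":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # mov ax, 4Fh ; int 41h
    "M05 int 41h/4Fh debugger check": rb"\xB8\x4F\x00\xCD\x41",
    # cmp ax, 0F386h (16-bit, or with a 66h prefix in 32-bit code)
    "M05/07/12 compare with 0F386h": rb"\x66?\x3D\x86\xF3",
    # mov ah, 43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # NUL-terminated "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" device names
    "M11 MeltICE driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch for VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x68\x2A\x00\x2A\x00",
}
COMPILED = {label: re.compile(pat) for label, pat in SIGNATURES.items()}


def scan(buf):
    """Return every signature hit in buf as a sorted list of (offset, label)."""
    hits = []
    for label, rx in COMPILED.items():
        hits.extend((m.start(), label) for m in rx.finditer(buf))
    return sorted(hits)


# Constructed sample: NOP filler with several of the tricks embedded.
# It is made up for this example, not taken from any real program.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"           # Method 01 (32-bit)
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02, Haspinst-style
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # Method 03 (SICE VxD ID)
    + b"\x90" * 4
    + b"\\\\.\\NTICE\x00"                                   # Method 11 driver name
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12 VxDCall args
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

Byte-pattern hits only show that a trick is present in the file, not that it is reached at run time; packed samples will also need to be unpacked first, since the signatures live in the unpacked code.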
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>