About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: BoundsChecker signals
SoftICE with an int 3 while EBP holds 'BCHK' and AX holds 4. When SoftICE
is loaded it services that int 3 and modifies AL, so if AL is no longer 4
afterwards the debugger has been found.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get VxD API Entry Point), with BX holding the VxD
ID. ES:DI is zeroed first; if the VxD is loaded, the call returns a non-zero
far pointer in ES:DI.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES+DI non-zero -> an entry point was returned
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The idea is to temporarily replace the
real-mode int 41h vector with a dummy handler that does nothing but IRET:
if AX still comes back as 0F386h, the interrupt was answered before it ever
reached the vector table, i.e. by SoftICE hooking it at ring 0.

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no function 4Fh and no compare against 0F386h. The dummy handler copies
AL into CL. AL is loaded with a byte read from the timer port (40h) so there
is no constant to recognise, CX is cleared and int 41h is raised. If our
handler ran, CL equals AL afterwards; if SoftICE swallowed the interrupt at
ring 0, CL is still 0. (If the port happens to return 0 the check produces
a false negative, which the code does not guard against.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (the V86-mode debugger
interface): function 43h returns the same 0F386h magic number.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 35h (get interrupt vector) and 25h (set interrupt
vector); for 25h, ds:dx points to the new routine to execute (hangs the
computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix so
  the dword compared is the start of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (HFILE_ERROR is -1, so "inc eax" leaves zero
only when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; offset 0x13 lands on "tICE" inside
"Software\NuMega\SoftICE" and 0x37 on the same word inside
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
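
Added example (not part of the original text): most of the tricks above leave
fixed byte sequences in the binary, so before loading a packed target under
SoftICE you can triage it statically. The C program below turns the listings
of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into signatures and scans a
buffer for them. The opcode encodings are standard x86 (mov reg,imm / int imm8
/ push imm); the pairing windows and the hand-assembled sample buffers are my
own construction for this example, not bytes taken from Haspinst.exe, MeltICE
or AZPR.

```c
/* Added example, not from the original text: static byte-signature scan for
 * the tricks above. Standard x86 encodings; the sample buffers are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SIG_BCHK      = 1 << 0, /* Method 01: mov ebp,4243484Bh ('BCHK')              */
    SIG_BACKDOOR  = 1 << 1, /* Method 02: mov si,4647h near mov di,4A4Dh          */
    SIG_VXD_2F    = 1 << 2, /* Method 03/04: mov ax,1684h near mov bx,0202h/7A5Fh */
    SIG_INT41     = 1 << 3, /* Method 05: mov ax,4Fh then int 41h                 */
    SIG_INT68     = 1 << 4, /* Method 07: mov ah,43h then int 68h                 */
    SIG_DEVNAME   = 1 << 5, /* Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE       */
    SIG_VXDCALL41 = 1 << 6, /* Method 12: push 4Fh then push 002A002Ah            */
    SIG_REGKEY    = 1 << 7  /* Method 13: Software\NuMega\SoftICE                 */
};

static const uint8_t MOV_EBP_BCHK[]  = {0xBD, 0x4B, 0x48, 0x43, 0x42};
static const uint8_t MOV_SI_FG[]     = {0xBE, 0x47, 0x46};
static const uint8_t MOV_DI_JM[]     = {0xBF, 0x4D, 0x4A};
static const uint8_t MOV_AX_1684[]   = {0xB8, 0x84, 0x16};
static const uint8_t MOV_BX_SICE[]   = {0xBB, 0x02, 0x02};
static const uint8_t MOV_BX_SIWVID[] = {0xBB, 0x5F, 0x7A};
static const uint8_t MOV_AX_4F[]     = {0xB8, 0x4F, 0x00};
static const uint8_t INT_41[]        = {0xCD, 0x41};
static const uint8_t MOV_AH_43[]     = {0xB4, 0x43};
static const uint8_t INT_68[]        = {0xCD, 0x68};
static const uint8_t PUSH_4F[]       = {0x6A, 0x4F};
static const uint8_t PUSH_VWIN32[]   = {0x68, 0x2A, 0x00, 0x2A, 0x00};
static const char *const DEVICE_NAMES[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"};
static const char REG_KEY[] = "Software\\NuMega\\SoftICE";

/* Offset of the first occurrence of pat in buf, or -1. */
static long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}
/* True if b starts within `window` bytes after some occurrence of a (the tricks
 * load registers and trap within a few instructions, so a short window suffices). */
static int near_pair(const uint8_t *buf, size_t len, const uint8_t *a, size_t alen,
                     const uint8_t *b, size_t blen, size_t window)
{
    for (size_t i = 0; i + alen <= len; i++) {
        if (memcmp(buf + i, a, alen) != 0) continue;
        size_t start = i + alen, end = start + window;
        if (end > len) end = len;
        if (find_bytes(buf + start, end - start, b, blen) >= 0) return 1;
    }
    return 0;
}

/* Bitmask of SIG_* flags found in buf. Heuristic: 66h prefixes are ignored and data can collide. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    if (find_bytes(buf, len, MOV_EBP_BCHK, 5) >= 0) hits |= SIG_BCHK;
    if (near_pair(buf, len, MOV_SI_FG, 3, MOV_DI_JM, 3, 16) ||
        near_pair(buf, len, MOV_DI_JM, 3, MOV_SI_FG, 3, 16)) hits |= SIG_BACKDOOR;
    if (near_pair(buf, len, MOV_AX_1684, 3, MOV_BX_SICE, 3, 16) ||
        near_pair(buf, len, MOV_AX_1684, 3, MOV_BX_SIWVID, 3, 16) ||
        near_pair(buf, len, MOV_BX_SICE, 3, MOV_AX_1684, 3, 16) ||
        near_pair(buf, len, MOV_BX_SIWVID, 3, MOV_AX_1684, 3, 16)) hits |= SIG_VXD_2F;
    if (near_pair(buf, len, MOV_AX_4F, 3, INT_41, 2, 8)) hits |= SIG_INT41;
    if (near_pair(buf, len, MOV_AH_43, 2, INT_68, 2, 8)) hits |= SIG_INT68;
    if (near_pair(buf, len, PUSH_4F, 2, PUSH_VWIN32, 5, 8)) hits |= SIG_VXDCALL41;
    for (size_t i = 0; i < 3; i++)
        if (find_bytes(buf, len, (const uint8_t *)DEVICE_NAMES[i], strlen(DEVICE_NAMES[i])) >= 0)
            hits |= SIG_DEVNAME;
    if (find_bytes(buf, len, (const uint8_t *)REG_KEY, sizeof REG_KEY - 1) >= 0) hits |= SIG_REGKEY;
    return hits;
}

/* Hand-assembled 16-bit fragment in the style of the Method 01/02/03 listings
 * plus a device name (constructed for this example, not bytes from Haspinst). */
const uint8_t SAMPLE_DOS_PACKER[] = {
    0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, /* Method 01 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,      /* Method 02 */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,      /* Method 03 */
    '\\','\\','.','\\','S','I','C','E',0                                  /* Method 11 */
};
/* Constructed Win32 fragment: Method 12 (call displacement is a placeholder)
 * followed by the Method 13 registry path. */
const uint8_t SAMPLE_WIN32_DEMO[] = {
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0,0,0,0, /* push 4Fh; push 002A002Ah; call */
    0x66,0x3D,0x86,0xF3, 0x74,0x05,                    /* cmp ax,0F386h; jz detected     */
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\','S','o','f','t','I','C','E',0
};
/* Plain prologue/epilogue and a string: must report nothing. */
const uint8_t SAMPLE_CLEAN[] = {0x55,0x8B,0xEC, 0x33,0xC0, 0x5D, 0xC3, 'h','e','l','l','o',0};

int main(void)
{
    printf("dos packer 0x%02x, win32 demo 0x%02x, clean 0x%02x\n",
           scan_anti_softice(SAMPLE_DOS_PACKER, sizeof SAMPLE_DOS_PACKER),
           scan_anti_softice(SAMPLE_WIN32_DEMO, sizeof SAMPLE_WIN32_DEMO),
           scan_anti_softice(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    return 0;
}
```

To run it on a real target, read the file into a buffer and pass it to
scan_anti_softice. Because the operand-size prefix (66h) precedes the opcode,
the 16-bit patterns also match the same instructions inside 32-bit code, and
"mov eax,4Fh" (B8 4F 00 00 00) matches the "mov ax,4Fh" pattern too; the
pairing windows exist to keep such short patterns from firing on random data,
but a hit is a reason to set the matching BPX from the text, not a verdict.
Methods 06, 08, 09, 10 and 14 have no fixed byte string worth matching and
are left out on purpose.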
- c0 m8 z' X" u# {5 u</PRE></TD></TR></TBODY></TABLE>