<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the BoundsChecker
interface call (EBP='BCHK', AX=04h, INT 3) is answered by a resident
SoftICE, which returns with AL changed; without SoftICE nobody touches
AL and it is still 4 after the INT 3.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT, which hard-reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get Device Entry Point"). If the VxD is loaded, ES:DI receives its
entry point; ES:DI stays 0:0 otherwise.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (adding ES and DI is how the packers do it; OR would be the robust test)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger
installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a private IRET: without a debugger the interrupt lands on that
IRET and AX stays 4Fh, while SoftICE intercepts it before it reaches the
real-mode vector and still answers 0F386h.

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; ES must be 0 here (see Method 06)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
uses neither function 4Fh nor the value 0F386h, so "BPINT 41 if ax==4f"
never fires. The private handler copies AL into CL; AL is seeded with a
pseudo-random byte read from the timer port 40h and CX is zeroed. If the
int 41h reached the private handler, CL equals AL afterwards; if a debugger
swallowed it, CL is still 0 (unless AL happened to be 0).

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP
 is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h (single-step) and int 03h (breakpoint), the two
vectors a debugger depends on, and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
 with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise; 0x400 is only the reserved bit 10, which always reads as 1) or
whether some memory breakpoints (BPM) are set (DR0 to DR3 hold their
addresses, the enable and RW/LEN fields of DR7 arm them), simply by reading
their values (ring 0 only: MOV from a debug register is privileged). The
values can be manipulated or changed as well (clearing BPMs for instance).
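What the ring-0 read returns is a bit field, and both sides care about its layout: the protection looking for 0x700 or an armed slot, and the cracker who wants to clear a BPM before the check runs. The following C code is an added example, not part of the page: it reads no register at all (that is the privileged "mov eax, dr7" the text refers to) but decodes constructed DR7 values using the documented layout (L0..G3 enable bits in 0-7, LE/GE in 8-9, the always-one reserved bit 10, GD in 13, RW/LEN pairs from bit 16) and shows how a BPM slot is armed and disarmed.

```c
/* Decode DR7 the way the Method 10 check reads it.  Added example, not from
 * the original page.  Reading DR7 needs ring 0 ("mov eax, dr7") and is not
 * attempted here; every value below is constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware-breakpoint slots (a SoftICE BPM occupies one). */
typedef struct {
    int enabled;   /* L or G enable bit set                                   */
    int global;    /* G bit: breakpoint survives a task switch                */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = r/w */
    int len;       /* 1, 2, 4 bytes (encoding 10b means 8 bytes in long mode) */
} dr7_slot;

typedef struct {
    uint32_t raw;
    dr7_slot slot[4];
    int le, ge;    /* bits 8, 9: the two bits that turn 0x400 into 0x700      */
    int gd;        /* bit 13: any MOV to/from DRx raises #DB (traps the reader) */
} dr7_info;

/* Bit 10 of DR7 is reserved and always reads as 1, so a pristine DR7 is 0x400. */
#define DR7_RESERVED_ONE 0x400u

dr7_info dr7_decode(uint32_t dr7)
{
    static const int len_table[4] = {1, 2, 8, 4};
    dr7_info d;
    d.raw = dr7;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].enabled = l | g;
        d.slot[i].global  = g;
        d.slot[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len     = len_table[(dr7 >> (18 + 4 * i)) & 3];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of armed hardware breakpoints (BPMs). */
int dr7_active_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += ((dr7 >> (2 * i)) & 3) != 0;
    return n;
}

/* The page's heuristic: 0x400 is a clean register, 0x700 (LE|GE) is what the
 * SoftICE loader leaves behind, and any armed slot means a BPM is set. */
int dr7_debugger_suspected(uint32_t dr7)
{
    return (dr7 & 0x300u) != 0 || dr7_active_count(dr7) != 0;
}

/* Disarm one slot: clear its L/G bits and zero its RW/LEN field.  This is the
 * "clearing BPMs" manipulation the page mentions, computed on a copy; writing
 * it back ("mov dr7, eax") is again ring-0 work. */
uint32_t dr7_clear_bpm(uint32_t dr7, int slot)
{
    dr7 &= ~(3u << (2 * slot));        /* L and G enable bits      */
    dr7 &= ~(0xFu << (16 + 4 * slot)); /* RW and LEN for that slot */
    return dr7;
}

/* Arm a slot; len is 1, 2 or 4 bytes (anything else is treated as 1). */
uint32_t dr7_set_bpm(uint32_t dr7, int slot, int rw, int len, int global)
{
    static const unsigned len_enc[5] = {0, 0, 1, 0, 3}; /* 1->00b, 2->01b, 4->11b */
    unsigned enc = (len >= 1 && len <= 4) ? len_enc[len] : 0;
    dr7 = dr7_clear_bpm(dr7, slot);
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    dr7 |= (unsigned)(rw & 3) << (16 + 4 * slot);
    dr7 |= enc << (18 + 4 * slot);
    return dr7;
}

int main(void)
{
    /* Constructed values: a clean DR7, the loader's 0x700, and 0x700 with a
     * 4-byte read/write BPM armed in slot 0 (what "BPM addr RW" would set). */
    uint32_t samples[3] = {DR7_RESERVED_ONE, 0x700, dr7_set_bpm(0x700, 0, 3, 4, 0)};
    for (int s = 0; s < 3; s++) {
        dr7_info d = dr7_decode(samples[s]);
        printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d suspected=%d\n", d.raw, d.le,
               d.ge, d.gd, dr7_active_count(d.raw), dr7_debugger_suspected(d.raw));
        for (int i = 0; i < 4; i++)
            if (d.slot[i].enabled)
                printf("  DR%d: %s rw=%d len=%d\n", i,
                       d.slot[i].global ? "global" : "local", d.slot[i].rw, d.slot[i].len);
    }
    return 0;
}
```

The GD bit is the caveat the page's warning hints at: a debugger that sets it turns the protection's own "mov eax, dr7" into a #DB exception, so a ring-0 reader that does not expect that fault is itself detectable.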
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix, so
 the dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in
the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 'tICE' sits at offset 0x13 in
 "Software\NuMega\SoftICE" and at offset 0x37 in
 "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")
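Most of the checks above leave a fixed byte pattern in the protected file, so next to the BPX conditions a reverse engineer usually wants a static scan that points at them before running anything. The following C program is an added example, not code from the page, from HASPINST, MeltICE or any other tool named here. Its signature table is my own re-encoding of the listings in Methods 01 to 07 and 12 (assumed real-mode 16-bit encodings unless marked 32-bit), plus the MeltICE device names (Method 11) and the NuMega registry key (Method 13) as plain strings; the buffer it scans is constructed from the Method 02 HASPINST listing. It goes beyond the page by also covering the 32-bit forms of the 'BCHK' and back-door patterns.

```c
/* Static signature scanner for the SoftICE-detection tricks on this page.
 * Added example: not code from the page or from any program it names.  The
 * opcode bytes are my own re-encoding of the listings (assumed correct for
 * 16-bit code unless marked 32-bit); the sample buffer is constructed from
 * the Method 02 HASPINST listing. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *bytes; size_t len; } sig_t;
typedef struct { size_t offset; const char *name; } hit_t;

static const unsigned char bchk16[]   = {0x66,0xBD,0x4B,0x48,0x43,0x42};   /* mov ebp,4243484Bh            */
static const unsigned char bchk32[]   = {0xBD,0x4B,0x48,0x43,0x42};        /* same in 32-bit code          */
static const unsigned char bdoor16[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};   /* mov si,4647h / mov di,4A4Dh  */
static const unsigned char bdoor32[]  = {0xBE,0x47,0x46,0,0,0xBF,0x4D,0x4A,0,0}; /* mov esi / mov edi      */
static const unsigned char vxdsice[]  = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* ax=1684h bx=0202h int 2Fh */
static const unsigned char vxdsiwvid[]= {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* ax=1684h bx=7A5Fh int 2Fh */
static const unsigned char int41_4f[] = {0xB8,0x4F,0x00,0xCD,0x41};        /* mov ax,4Fh / int 41h         */
static const unsigned char vecswap[]  = {0x26,0x87,0x16,0x04,0x01};        /* xchg dx,es:[41h*4]           */
static const unsigned char int68_43[] = {0xB4,0x43,0xCD,0x68};             /* mov ah,43h / int 68h         */
static const unsigned char cmp_f386[] = {0x3D,0x86,0xF3};                  /* cmp ax,0F386h (66h prefix in 32-bit code) */
static const unsigned char vxdcall41[]= {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh / push 2A002Ah   */

#define SIG(n, a)    { n, a, sizeof(a) }
#define SIGSTR(n, s) { n, (const unsigned char *)s, sizeof(s) - 1 }
static const sig_t sigs[] = {
    SIG("mov ebp,'BCHK' 16-bit (Method 01)", bchk16),
    SIG("mov ebp,'BCHK' 32-bit (Method 01)", bchk32),
    SIG("INT 3 back door SI=4647h/DI=4A4Dh 16-bit (Method 02)", bdoor16),
    SIG("INT 3 back door SI=4647h/DI=4A4Dh 32-bit (Method 02)", bdoor32),
    SIG("int 2Fh/1684h VxD ID 0202h SICE (Method 03)", vxdsice),
    SIG("int 2Fh/1684h VxD ID 7A5Fh SIWVID (Method 04)", vxdsiwvid),
    SIG("int 41h fn 4Fh (Method 05)", int41_4f),
    SIG("int 41h vector swap (Methods 05/06)", vecswap),
    SIG("int 68h fn 43h (Method 07)", int68_43),
    SIG("cmp ax,0F386h - weak, confirm a nearby INT/VxDCall (Methods 05/07/12)", cmp_f386),
    SIG("VxDCall VWIN32_Int41Dispatch fn 4Fh (Method 12)", vxdcall41),
    SIGSTR("device name \\\\.\\SICE (Method 11)", "\\\\.\\SICE"),
    SIGSTR("device name \\\\.\\SIWVID (Method 11)", "\\\\.\\SIWVID"),
    SIGSTR("device name \\\\.\\NTICE (Method 11)", "\\\\.\\NTICE"),
    SIGSTR("registry key Software\\NuMega\\SoftICE (Method 13)", "Software\\NuMega\\SoftICE"),
};

/* Scan buf for every signature; store up to max hits, return the total found. */
size_t scan_softice_tricks(const unsigned char *buf, size_t len, hit_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        const sig_t *sg = &sigs[s];
        if (sg->len > len) continue;
        for (size_t i = 0; i + sg->len <= len; i++)
            if (memcmp(buf + i, sg->bytes, sg->len) == 0) {
                if (n < max) { hits[n].offset = i; hits[n].name = sg->name; }
                n++;
            }
    }
    return n;
}

/* Constructed sample: the HASPINST loop (Method 02), a Method 05 check and a
 * MeltICE device name as it would sit in the data section. */
static const unsigned char sample[] = {
    0xB8,0x11,0x09, 0x8B,0x17,           /* 0000 mov ax,0911h ; mov dx,[bx]   */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A,      /* 0005 mov si,4647h ; mov di,4A4Dh */
    0xCC, 0x83,0xC3,0x02, 0x41,          /* 000B int 3 ; add bx,2 ; inc cx   */
    0x83,0xF9,0x06, 0x72,0xEB,           /* 0010 cmp cx,6 ; jb 0000          */
    0x90,0x90,0x90,0x90,                 /* 0015 padding                     */
    0xB8,0x4F,0x00, 0xCD,0x41,           /* 0019 mov ax,4Fh ; int 41h        */
    0x3D,0x86,0xF3, 0x90,0x90,           /* 001E cmp ax,0F386h ; padding     */
    '\\','\\','.','\\','S','I','C','E',0 /* 0023 "\\.\SICE"                  */
};

size_t demo_hit_count(void)
{
    hit_t hits[16];
    return scan_softice_tricks(sample, sizeof sample, hits, 16);
}

/* Offset of the first sample hit whose name contains needle, or -1. */
long demo_offset_of(const char *needle)
{
    hit_t hits[16];
    size_t n = scan_softice_tricks(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        if (strstr(hits[i].name, needle)) return (long)hits[i].offset;
    return -1;
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_softice_tricks(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

The SoftICE conditions above compare a memory dword with a four-character constant; memcmp on the string does the same job here. Short signatures such as the three-byte cmp ax,0F386h match often in a large binary, so treat those hits as places to inspect, not as proof; the multi-byte INT and VxDCall patterns are the reliable ones.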
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag (the zero flag is clear when a debugger is
installed, hence the JE to not_installed).
</PRE></TD></TR></TBODY></TABLE>