<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Another very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax ; ES:DI is 0 if the VxD is not loaded
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The handler is swapped into the int 41h
vector around the call so that nothing else answers the interrupt
(ES is assumed to point at the interrupt vector table, segment 0, as in
method 06):

mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; install our handler, save the old offset
xchg bx, es:[41h*4+2] ; save the old segment
mov ax,4fh
int 41h
xchg dx, es:[41h*4] ; restore the old vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al into cl, a system debugger will not
 iret
int41handler ENDP

xor ax,ax
mov es,ax ; ES = 0 (interrupt vector table)
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h ; read an unpredictable value (timer)
xor cx,cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl,al ; cl != al means our handler was not the one executed
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE, but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

mov ah, 25h ; set interrupt vector
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine
int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the device name succeeds only if the SICE VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
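
The following Python block is an added example, not code from the original
text: it scans a raw code blob for the byte patterns of the tricks shown in
methods 01, 02, 05, 11 and 12, the way an analyst triaging a packed sample
would look for anti-debugging code before loading it in a debugger. The
instruction encodings and the sample bytes are this example's own assumptions.

```python
import re
import sys

# Byte signatures for the SoftICE checks described on this page. Instruction
# encodings are the usual x86 forms (16-bit code without the 66h operand-size
# prefix, 32-bit code with it); they are this example's assumption, not the page's.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (BD imm32, CC within 8 bytes)
    ("BoundsChecker 'BCHK' int 3 check (method 01)",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh close together, in either order
    ("SoftICE back door magic SI=4647h/DI=4A4Dh (method 02)",
     re.compile(rb"\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a"
                rb"|\x66?\xbf\x4d\x4a.{0,16}?\x66?\xbe\x47\x46", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("int 41h function 4Fh (method 05)",
     re.compile(rb"\x66?\xb8\x4f\x00\xcd\x41")),
    # Methods 05/07/12: cmp ax,0F386h, the magic value returned by system debuggers
    ("cmp ax,0F386h debugger magic (methods 05/07/12)",
     re.compile(rb"\x66?\x3d\x86\xf3")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("VxDCall VWIN32_Int41Dispatch 002A002Ah (method 12)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    ("MeltICE driver name (method 11)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan_for_softice_checks(data: bytes) -> list:
    """Return every signature hit as {"offset", "method", "bytes"}, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append({"offset": m.start(), "method": name, "bytes": m.group(0).hex()})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample (not taken from any real file): NOP padding around the method 01
# sequence in 32-bit code, the method 05 sequence in 16-bit code and a MeltICE string.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42" + b"\x66\xb8\x04\x00" + b"\xcc"  # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41" + b"\x3d\x86\xf3"               # mov ax,4fh; int 41h; cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                        # '\\.\SICE',0
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in scan_for_softice_checks(data):
        print(f"{hit['offset']:#08x}  {hit['method']}  [{hit['bytes']}]")
```

Run it with a file path to scan a dumped code section; without arguments it scans the constructed sample and reports the four hits at offsets 4, 17, 22 and 28.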

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxdCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one!
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed ; sets the zero flag if no debugger is installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>