<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: int 3 is issued
with EBP='BCHK' and AX=4; when SoftICE is loaded it services this int 3
and AL no longer holds 4 on return.

        mov ebp, 04243484Bh    ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4               ; SoftICE modified AL if it handled the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP           ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first, so it is still 0:0 after
the call if no VxD with that ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of WINICE
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next example, like the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It first replaces the real-mode int 41h
vector with its own dummy handler, so an answer of 0F386h can only come
from a debugger that intercepts int 41h before the interrupt vector table
is consulted:

        xor ax,ax
        mov es,ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; install own handler, old vector -> dx:bx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]        ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but harder to spot because
it uses neither the 4Fh function number nor the 0F386h constant: the
program's own int 41h handler copies AL into CL, and a debugger that
swallows the interrupt leaves CX at zero.


int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]        ; install own handler, old vector -> dx:bx
        xchg bx, es:[41h*4+2]
        in al, 40h                 ; pseudo-random byte from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]        ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

Note the false negative: if the byte read from port 40h happens to be 0,
CL equals AL whether or not the handler ran.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86).

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
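The interrupt-based probes of methods 01 to 07 all hinge on a handful of fixed
immediates and interrupt opcodes, which makes them easy to find statically in a
protected binary. The scanner below is an added example (not code from the
original page or from any packer it mentions): each method is encoded as ordered
byte fragments with a bounded gap, so the xor/mov instructions that sit between
them do not matter, and the rules are run over a constructed sample buffer. The
rule names, the 16-byte gap limit and the sample bytes are my own choices; the
MeltICE trick (method 11) is better found by its '\\.\SICE' string than by
opcodes, so it is left out here.

```c
/* Added example: static scanner for the SoftICE-detection opcode sequences
 * of methods 01-07. Encodings are 16-bit x86; in 32-bit code the AX/BX
 * moves carry a 66h prefix, which is harmless because every fragment is
 * anchored on the opcode byte that follows the prefix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 3

typedef struct { const uint8_t *bytes; size_t len; } Frag;

typedef struct {
    const char *name;
    Frag frags[MAX_FRAGS];   /* must appear in this order */
    int nfrags;
    size_t max_gap;          /* max bytes between consecutive fragments */
} Rule;

/* Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 */
static const uint8_t m01_a[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t m01_b[] = { 0xB8, 0x04, 0x00 };
static const uint8_t int3[]  = { 0xCC };
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 (this operand order only) */
static const uint8_t m02_a[] = { 0xBE, 0x47, 0x46 };
static const uint8_t m02_b[] = { 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh */
static const uint8_t m03_a[] = { 0xB8, 0x84, 0x16 };
static const uint8_t m03_b[] = { 0xBB, 0x02, 0x02 };
static const uint8_t m04_b[] = { 0xBB, 0x5F, 0x7A };
static const uint8_t int2f[] = { 0xCD, 0x2F };
/* Method 05: mov ax,4Fh / int 41h  -  Method 07: mov ah,43h / int 68h */
static const uint8_t m05_a[] = { 0xB8, 0x4F, 0x00 };
static const uint8_t int41[] = { 0xCD, 0x41 };
static const uint8_t m07_a[] = { 0xB4, 0x43 };
static const uint8_t int68[] = { 0xCD, 0x68 };

#define F(a) { a, sizeof a }
static const Rule rules[] = {
    { "M01 BCHK int 3",         { F(m01_a), F(m01_b), F(int3)  }, 3, 16 },
    { "M02 FG/JM int 3",        { F(m02_a), F(m02_b), F(int3)  }, 3, 16 },
    { "M03 int 2F/1684 SICE",   { F(m03_a), F(m03_b), F(int2f) }, 3, 16 },
    { "M04 int 2F/1684 SIWVID", { F(m03_a), F(m04_b), F(int2f) }, 3, 16 },
    { "M05 int 41/4F",          { F(m05_a), F(int41)           }, 2, 16 },
    { "M07 int 68/43",          { F(m07_a), F(int68)           }, 2, 16 },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Offset of the first match of r in buf, or -1. Every fragment after the
 * first must start within max_gap bytes of where the previous one ended. */
static long rule_match(const Rule *r, const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + r->frags[0].len <= n; i++) {
        if (memcmp(buf + i, r->frags[0].bytes, r->frags[0].len) != 0)
            continue;
        size_t pos = i + r->frags[0].len;
        int f;
        for (f = 1; f < r->nfrags; f++) {
            const Frag *fr = &r->frags[f];
            size_t j, found = 0;
            for (j = pos; j <= pos + r->max_gap && j + fr->len <= n; j++)
                if (memcmp(buf + j, fr->bytes, fr->len) == 0) { found = 1; break; }
            if (!found)
                break;
            pos = j + fr->len;
        }
        if (f == r->nfrags)
            return (long)i;
    }
    return -1;
}

/* Bitmask with bit k set when rules[k] matched somewhere in buf. */
unsigned scan_buffer(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NRULES; k++)
        if (rule_match(&rules[k], buf, n) >= 0)
            hits |= 1u << k;
    return hits;
}

/* Constructed sample: methods 01, 02, 03, 05 and 07 back to back, with the
 * instructions that really sit between the fragments (mov dx,[bx],
 * xor di,di / mov es,di, cmp / jz ...) and a few NOPs as filler. */
static const uint8_t sample[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,
    0x90, 0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0x90,
    0x31, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x02,
    0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3,
};

unsigned sample_hits(void) { return scan_buffer(sample, sizeof sample); }

/* Same 'BCHK' constant, but mov ax,4 / int 3 sit 35 bytes later: the gap
 * rule must reject it, otherwise any 'BCHK' string would be a hit. */
unsigned far_apart_hits(void)
{
    uint8_t buf[64];
    memset(buf, 0x90, sizeof buf);
    memcpy(buf, m01_a, sizeof m01_a);
    memcpy(buf + 40, m01_b, sizeof m01_b);
    buf[43] = 0xCC;
    return scan_buffer(buf, sizeof buf);
}

int main(void)
{
    unsigned hits = sample_hits();
    for (size_t k = 0; k < NRULES; k++)
        printf("%-24s %s\n", rules[k].name, (hits >> k) & 1 ? "FOUND" : "-");
    return 0;
}
```

The scanner reports methods 01, 02, 03, 05 and 07 on the sample and stays
silent on the SIWVID variant (method 04), which the sample does not contain.
Treat it as a triage aid rather than proof: a packer can split the immediates
(e.g. build 'BCHK' with arithmetic) and the rules above will not see it.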


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system: it intercepts int 01h and int 03h and redirects them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...)

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it is.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while this option is enabled!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
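Method 10 reads the debug registers, so it helps to know what the two DR7
values it quotes actually encode. The decoder below is an added example (not
the original page's code): it splits DR7 into its enable bits, the LE/GE/GD
flags and the per-breakpoint R/W and LEN fields as laid out in the Intel SDM,
and includes a "clear BPMs" helper of the kind the paragraph alludes to. All
inputs are constructed values (reading DR0 to DR7 from ring 3 raises a #GP,
which is why the page says ring 0 only); 0x000D0701 is my own example of a
write BPM on a dword, not a value taken from the page.

```c
/* Added example: decode x86 debug registers as a ring-0 check (method 10)
 * would see them. Field positions follow the Intel SDM: DR7 bits 0-7 are
 * L0,G0 .. L3,G3; bit 8 LE; bit 9 GE; bit 10 reserved (reads as 1); bit 13
 * GD; for breakpoint i, R/W is bits 16+4i..17+4i and LEN bits 18+4i..19+4i. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled;        /* L or G bit set */
    int global;         /* G bit set */
    int rw;             /* 0 exec, 1 write, 2 I/O, 3 read/write */
    int len;            /* 1, 2, 4 or 8 bytes */
    uint32_t addr;      /* linear address from DRi */
} HwBreakpoint;

typedef struct {
    int le, ge, gd;     /* local/global exact match, general detect */
    int active;         /* number of enabled breakpoints */
    HwBreakpoint bp[4];
} DebugRegState;

static int decode_len(unsigned bits)
{
    switch (bits & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;  /* 10b: undefined on IA-32, 8 bytes on x86-64 */
    }
}

/* dr may be NULL when only DR7 is of interest. */
DebugRegState decode_debug_regs(uint32_t dr7, const uint32_t dr[4])
{
    DebugRegState s = {0};
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        HwBreakpoint *b = &s.bp[i];
        int local  = (dr7 >> (2 * i)) & 1;
        b->global  = (dr7 >> (2 * i + 1)) & 1;
        b->enabled = local | b->global;
        b->rw      = (dr7 >> (16 + 4 * i)) & 3;
        b->len     = decode_len(dr7 >> (18 + 4 * i));
        b->addr    = dr ? dr[i] : 0;
        s.active  += b->enabled;
    }
    return s;
}

/* The two values method 10 quotes: 0x400 is only the reserved bit, 0x700
 * adds LE and GE. Neither enables a breakpoint, so the loader is recognised
 * by the exact-match flags alone. */
int looks_like_softice_loader(uint32_t dr7)
{
    return ((dr7 >> 8) & 3) == 3;
}

/* "Clearing BPMs": drop every enable bit and R/W-LEN field, keep LE, GE, GD
 * and the reserved bit. Writing the result back to DR7 is itself ring 0 only. */
uint32_t clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x00002700u;
}

static const char *rw_name(int rw)
{
    static const char *names[] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

int main(void)
{
    /* constructed inputs, not live register reads */
    const uint32_t dr[4]   = { 0x00401000, 0, 0, 0 };
    const uint32_t cases[] = { 0x400, 0x700, 0x000D0701 };
    for (size_t c = 0; c < 3; c++) {
        DebugRegState s = decode_debug_regs(cases[c], dr);
        printf("DR7=%08X le=%d ge=%d gd=%d active=%d loader=%d\n",
               cases[c], s.le, s.ge, s.gd, s.active,
               looks_like_softice_loader(cases[c]));
        for (int i = 0; i < 4; i++)
            if (s.bp[i].enabled)
                printf("  DR%d=%08X %s len=%d %s\n", i, s.bp[i].addr,
                       rw_name(s.bp[i].rw), s.bp[i].len,
                       s.bp[i].global ? "global" : "local");
    }
    return 0;
}
```

For 0x000D0701 the decoder reports one local breakpoint, write access, 4 bytes
at DR0: exactly what a BPM on a dword looks like from the protected program's
side, and what clear_breakpoints() removes while leaving 0x700 intact.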


Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001 / VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and only
   four characters are compared)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                    ; HFILE_ERROR (-1) + 1 == 0
        jnz 00650589               ; detected
        push 00                    ; OF_READ
        mov eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey string; offsets 0x13 and 0x37 are the 't' of
   "SoftICE" in key #2 and key #1 respectively)
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>