<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') recognised by SoftICE's
int 3 handler: if SoftICE is loaded, AL no longer holds 4 after the int 3.

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911    ; execute command.
  4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647    ; 1st magic value.
  4C19:009D MOV DI,4A4D    ; 2nd magic value.
  4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
  4C19:00A8 JB 0095        ; 6 different commands.
  4C19:00AA JMP 0002       ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is present, ES:DI is non-zero.

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h          ; VxD ID of winice
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7a5Fh          ; VxD ID of SIWVID
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax, 4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs its own int 41h handler
around the call so that the vector cannot be caught at rest:

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  mov ax, 4fh
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl, al
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl, al
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

  BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

  mov ah, 25h
  mov al, Int_Number            ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds if the SICE VxD answers the DIOC_OPEN message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025       ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(
-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                 ; OF_READ
  mov eax,[00656634]      ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589            ; detected
  push 00                 ; OF_READ
  mov eax,[00656638]      ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word selects the VxD (VWIN32),
                          ; low word selects the service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxDCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
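
The breakpoints above catch these tricks at run time; for triage of a sample on disk,
here is an added static scanner (not part of the original text) that looks for the
byte patterns of Method 01 ('BCHK'), Method 02 (SI/DI magic values), Methods 03/04
(VxD IDs before int 2Fh), the cmp ax,0F386h of Methods 05, 07 and 12, and the device
names of Method 11. The instruction encodings and the sample image are constructed
here; an optional 66h prefix lets each pattern match both the 16-bit and 32-bit form.

```python
"""Static scanner for anti-SoftICE byte patterns (constructed example)."""
import re
from typing import List, Tuple

# Bytes regexes. The optional 0x66 operand-size prefix lets one pattern match
# both the 16-bit (DOS) and the 32-bit (Win32) encoding of each instruction.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("01 BoundsChecker 'BCHK' int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values of the int 3 back door
    ("02 int 3 back door magic SI/DI",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID), then int 2Fh
    ("03/04 int 2Fh/1684h VxD ID",
     rb"\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/07/12: cmp ax,0F386h, the magic value returned by system debuggers
    ("05/07/12 cmp ax,0F386h",
     rb"\x66?\x3D\x86\xF3"),
]

# Method 11: device names passed to CreateFileA (also checked as UTF-16LE for CreateFileW)
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every anti-SoftICE pattern found in image."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), label))
    for name in DEVICE_NAMES:
        text = name.decode("ascii")
        for encoded in (name, text.encode("utf-16-le")):
            for m in re.finditer(re.escape(encoded), image):
                hits.append((m.start(), "11 device name " + text))
    return sorted(hits)


# Constructed file image: Method 01 in its 32-bit encoding, Method 05 in its
# 16-bit encoding and a Method 11 device name, padded with nops and zeros.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:08x}  {what}")
```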

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>