About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0000h (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h             ; if SoftICE is loaded, its handler answers instead of ours
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0000h (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; an arbitrary value (timer counter)
    xor     cx,cx
    int     41h             ; if SoftICE's handler takes over, CL stays 0
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ECX) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name only succeeds if the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
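The instruction sequences and strings listed in Methods 01 to 13 are fixed enough that an analyst can triage a packed DOS/Win9x executable for them statically, before ever running it under a debugger. The scanner below is an added example, not code from the original text: the byte patterns are the standard 16-bit x86 encodings of the instructions shown above (an optional 66h operand-size prefix lets the 'BCHK' pattern also match 32-bit code), the allowed gaps between instructions are an assumption, and the sample buffer is constructed here by hand from those same encodings.

```python
import re
import sys

# One (label, byte-regex) pair per trick from the text above. Gaps (".{0,n}?")
# allow a few unrelated instructions between the tell-tale ones; the gap
# sizes are an assumption, not something the original text states.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42, maybe 66h-prefixed) ... int 3 (CC)
    ("Method 01 (BoundsChecker 'BCHK' int 3 backdoor)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either
    # order, followed by int 3
    ("Method 02 (SI=4647h/DI=4A4Dh int 3 backdoor)",
     re.compile(rb"(?:\xBE\x47\x46.{0,4}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46).{0,8}?\xCC", re.DOTALL)),
    # Method 03/04: mov ax,1684h (B8 84 16), mov bx,<VxD ID>, int 2Fh (CD 2F)
    ("Method 03 (int 2Fh/1684h, VxD ID 0202h = SICE)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F", re.DOTALL)),
    ("Method 04 (int 2Fh/1684h, VxD ID 7A5Fh = SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.DOTALL)),
    # Method 05/06: int 41h (CD 41) close to cmp ax,0F386h (3D 86 F3)
    ("Method 05 (int 41h/4Fh, magic 0F386h)",
     re.compile(rb"\xCD\x41.{0,12}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h (B4 43) then int 68h (CD 68)
    ("Method 07 (int 68h/43h)",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    # Method 11: device names passed to CreateFileA / _lopen
    ("Method 11 (MeltICE device name)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (6A 4F) directly followed by push 002A002Ah (68 2A 00 2A 00)
    ("Method 12 (VxDCall VWIN32_Int41Dispatch)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: the three registry paths listed in the text
    ("Method 13 (SoftICE registry key)",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
                rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE)),
]


def scan(buf: bytes):
    """Return a sorted list of (offset, label) for every signature found in buf."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(buf):
            hits.append((match.start(), label))
    return sorted(hits)


def scan_file(path: str):
    """Convenience wrapper: scan a whole file read in binary mode."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the 16-bit encodings of the snippets quoted above,
# padded with NOPs. It is not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x66\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC" + b"\x3C\x04" + b"\x75\x10"
    # Method 02 (Haspinst.exe listing): mov ax,0911 / mov dx,[bx] / mov si,4647 / mov di,4A4D / int 3
    + b"\xB8\x11\x09" + b"\x8B\x17" + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xFF" + b"\x8E\xC7" + b"\xB8\x84\x16" + b"\xBB\x02\x02" + b"\xCD\x2F"
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00" + b"\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x08"
    # Method 11: the device name MeltICE hands to CreateFileA
    + b"\\\\.\\SICE\x00"
    # Method 13: registry key #2
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x90" * 4
)


if __name__ == "__main__":
    # Scan the file named on the command line, or the built-in sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, label in results:
        print(f"0x{offset:08X}  {label}")
```

Each hit is reported with its file offset, so the analyst knows where to set a breakpoint before the trick fires (for Method 02, for instance, on the `int 3` that follows the two magic-value moves). Byte-level patterns of this kind do miss trivially obfuscated variants (a register loaded via two shorter moves, or the magic values computed at run time), so treat a clean scan as a hint, not proof.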