<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3                ; SoftICE handles the BoundsChecker request and alters AL
 cmp al,4             ; without SoftICE, AL still holds 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get API Entry Point):

 xor di,di
 mov es,di             ; ES:DI = 0:0 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (left at 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; ES must hold 0 (the IVT segment): swap our handler
 xchg bx, es:[41h*4+2] ; into the int 41h vector, keeping the old one in BX:DX
 mov ax,4fh
 int 41h               ; a resident debugger answers this before our handler runs
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                  ; without a debugger, AX is left untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al   ; our handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax   ; ES = 0, the IVT segment
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; install our handler on int 41h
 xchg bx, es:[41h*4+2]
 in al, 40h  ; read the PIT counter: an unpredictable value in AL
 xor cx,cx
 int 41h     ; with no debugger our handler runs and CL becomes AL
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected  ; CL != AL: something else handled int 41h

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h                     ; DOS: set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or
whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

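The debug-register check above is easier to reason about with the DR7 bit layout in front of you. The following Python decoder is an added example, not part of the original text: it breaks a DR7 value into its flags and enabled breakpoint slots and applies the page's reading of the values (0x400 clean, 0x700 loaded under SoftICE Loader, any enabled slot a memory breakpoint on the matching DRi). The function names, the sample values and the DR0 address 0x401000 are constructed for the example.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0 .. L3,G3  local/global enable for slots DR0..DR3
#   bits 8, 9   LE, GE          local/global exact breakpoint enable
#   bit 10      reserved, always reads as 1 (hence the 0x400 base value)
#   bit 13      GD              general detect (trap on debug-register access)
#   bits 16..31 R/W0,LEN0 .. R/W3,LEN3, two bits each, for DR0..DR3

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) is long-mode only


def bit(n):
    """Value of a single bit, kept as a helper so the masks read clearly."""
    return 2 ** n


def decode_dr7(dr7):
    """Split a DR7 value into its named flags and the enabled breakpoint slots."""
    state = {
        "LE": bool(dr7 & bit(8)),
        "GE": bool(dr7 & bit(9)),
        "GD": bool(dr7 & bit(13)),
        "breakpoints": [],
    }
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                     # disabled slot: R/W and LEN are ignored
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        state["breakpoints"].append({
            "slot": slot,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return state


def bpm_dr7(slot, kind, length, base=0x400):
    """DR7 value a BPM-style breakpoint in `slot` needs (local enable)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | bit(2 * slot) | (rw * bit(16 + 4 * slot)) | (ln * bit(18 + 4 * slot))


def classify(dr7, dr=(0, 0, 0, 0)):
    """Apply the page's reading of the registers: an enabled slot is a memory
    breakpoint on the matching DRi; LE|GE with no slot enabled is the 0x700 the
    page attributes to SoftICE Loader; 0x400 alone is a clean machine."""
    state = decode_dr7(dr7)
    if state["breakpoints"]:
        where = ", ".join(
            "DR%d=0x%X %s/%d" % (b["slot"], dr[b["slot"]], b["kind"], b["length"])
            for b in state["breakpoints"])
        return "hardware breakpoints set (%s)" % where
    if state["LE"] and state["GE"]:
        return "LE|GE set: loaded under a debugger loader"
    return "clean"


if __name__ == "__main__":
    # Constructed sample values: the two DR7 values from the text and a
    # 1-byte write breakpoint on a hypothetical address 0x401000 in DR0.
    for dr7, regs in ((0x400, (0, 0, 0, 0)),
                      (0x700, (0, 0, 0, 0)),
                      (bpm_dr7(0, "write", 1), (0x401000, 0, 0, 0))):
        print("DR7=0x%06X -> %s" % (dr7, classify(dr7, regs)))
```

MOV from a debug register is a privileged instruction, so a user-mode program that tries the read faults; that is why the text restricts the check to ring 0.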
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened while the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
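From the analyst's side, every check described in Methods 01 to 07 and 11 leaves a short, fixed byte sequence in the protected program. The Python scanner below is an added example, not part of the original text or of any program it mentions: it searches raw code bytes for those sequences (and for the MeltICE device names) and reports where they sit, the static counterpart of the BPX conditions listed above. The signature names, the slack allowed between instructions and the sample byte string are constructed for the example.

```python
import re

# Byte signatures of the SoftICE checks from Methods 01-07 and 11, matched
# against raw code bytes.  `.{0,n}` with DOTALL tolerates a few unrelated
# instructions between the distinguishing ones; a 66h operand-size prefix in
# 32-bit code precedes the matched bytes, so it does not affect the match.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_bchk_int3": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,12}\xcc", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3
    "M02_backdoor_int3": re.compile(
        rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,12}\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ... int 2Fh
    "M03_M04_int2f_1684": re.compile(
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.DOTALL),
    # Methods 05/06: mov ax,4Fh ... int 41h
    "M05_int41_4f": re.compile(rb"\xb8\x4f\x00.{0,8}\xcd\x41", re.DOTALL),
    # Method 07: mov ah,43h ... int 68h
    "M07_int68_43": re.compile(rb"\xb4\x43.{0,8}\xcd\x68", re.DOTALL),
}

# Method 11: device names handed to CreateFileA / _lopen.
DEVICE_NAMES = {
    "M11_meltice_device": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
}


def scan(blob):
    """Return {signature: [offsets]} for every signature present in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    for name, needles in DEVICE_NAMES.items():
        offsets = sorted(blob.find(n) for n in needles if n in blob)
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample "code section": NOP padding around Method 02's sequence
# from the Haspinst.exe listing, Method 05's int 41h check, and the MeltICE
# device name.  16-bit encodings: B8 iw = mov ax, 8B 17 = mov dx,[bx],
# BE iw = mov si, BF iw = mov di, CC = int 3, CD ib = int n, 3D iw = cmp ax.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"        # mov ax,0911h
    + b"\x8b\x17"            # mov dx,[bx]
    + b"\xbe\x47\x46"        # mov si,4647h
    + b"\xbf\x4d\x4a"        # mov di,4A4Dh
    + b"\xcc"                # int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00"        # mov ax,4Fh
    + b"\xcd\x41"            # int 41h
    + b"\x3d\x86\xf3"        # cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"     # the MeltICE device name, NUL-terminated
)


if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print("%-20s at %s" % (name, ", ".join("0x%04x" % o for o in offsets)))
```

Run against a real code section the regexes will occasionally fire on coincidental byte runs, so treat a hit as a place to look with the disassembler rather than as a verdict; the immediate-only patterns (BCHK, the 4647h/4A4Dh pair) are the most specific of the set.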

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>