About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
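Nearly every check in the post above boils down to a short, fixed instruction sequence or a device-name string, which is what makes them easy to spot during static triage of a sample. The scanner below is an added example written for this page, not code from the original post or its author: it searches a byte buffer for the encodings the methods above use (an optional 0x66 operand-size prefix is permitted so that 16-bit and 32-bit forms both match) and reports the signature name and offset of each hit. The signature names and the sample buffer are constructed for the example; the encodings are standard x86 but short, so a hit is a prompt to read the disassembly at that offset, not proof of an anti-debug check.

```python
import re
from typing import List, Tuple

# Optional operand-size prefix: "mov ax,imm16" in 32-bit code is 66 B8 imm16,
# while the same instruction in 16-bit code is just B8 imm16.
P66 = rb"(?:\x66)?"

# Signature names are our own labels (constructed for this example);
# each comment names the method from the post that the bytes come from.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "bchk_int3": re.compile(
        P66 + rb"\xbd\x4b\x48\x43\x42" + P66 + rb"\xb8\x04\x00\xcc"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (the back-door 'magic values')
    "int3_backdoor": re.compile(
        P66 + rb"\xbe\x47\x46" + P66 + rb"\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_vxd_entry": re.compile(
        P66 + rb"\xb8\x84\x16" + P66 + rb"\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    "int41_4f": re.compile(P66 + rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    "int68_43": re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 11: device names handed to CreateFileA / _lopen
    "meltice_names": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Shared by 05/06/07/12: cmp ax,0F386h (the system-debugger magic number)
    "cmp_f386": re.compile(P66 + rb"\x3d\x86\xf3"),
}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature_name, offset) for every match, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def build_sample() -> bytes:
    """A constructed buffer (not a real file) embedding several of the checks."""
    filler = b"\x90" * 16                       # NOP padding between fragments
    return (
        filler
        + b"\xbd\x4b\x48\x43\x42"               # mov ebp,4243484Bh   (Method 01)
        + b"\xb8\x04\x00\xcc"                   # mov ax,4 ; int 3
        + b"\x3c\x04\x75\x10"                   # cmp al,4 ; jnz ...
        + filler
        + b"\xb8\x11\x09"                       # mov ax,0911h        (Method 02)
        + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"       # mov si,4647h ; mov di,4A4Dh ; int 3
        + filler
        + b"\xb8\x4f\x00\xcd\x41"               # mov ax,4Fh ; int 41h (Method 05)
        + b"\x3d\x86\xf3\x74\x05"               # cmp ax,0F386h ; jz ...
        + filler
        + b"\\\\.\\SICE\x00"                    # '\\.\SICE',0        (Method 11)
        + filler
        + b"\x6a\x4f\x68\x2a\x00\x2a\x00"       # push 4Fh ; push 2A002Ah (Method 12)
    )


def report(data: bytes) -> List[str]:
    """Human-readable lines, one per hit."""
    return [f"{off:08x}  {name}" for name, off in scan(data)]


if __name__ == "__main__":
    for line in report(build_sample()):
        print(line)
```

Run it against the constructed buffer and it lists six hits in offset order; run `scan()` over the bytes of a real sample and the same table tells you which of the methods above to look for in the disassembly.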