<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: SoftICE answers the
BoundsChecker handshake on INT 3 (EBP = 'BCHK', AX = 4) by changing AL on
return, whereas without SoftICE AL still holds 4 afterwards. As in Method
02, the program has to catch the breakpoint exception that INT 3 raises
when no debugger is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
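The two INT 3 tricks above leave fixed byte patterns in a protected file, so
an analyst can find them statically before ever running the target. The
scanner below is an added example and is not code from the original text or
from HASP: it looks for MOV EBP,'BCHK' (Method 01) and for the MOV SI,4647h /
MOV DI,4A4Dh pair with an INT 3 and a MOV AX,09xxh nearby (Method 02), and
reports which back-door function is requested. The two sample buffers are
constructed, hand-assembled from the Haspinst.exe listing and from the
Method 01 fragment.

```c
/* Static scanner for the INT 3 back-door signatures of Methods 01 and 02.
 * Added example, not code from the original text; sample buffers below are
 * constructed (hand-assembled from the listings in the text). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum sig_kind { SIG_BCHK = 1, SIG_BACKDOOR = 2 };

struct sig_hit {
    enum sig_kind kind;
    size_t offset;      /* offset of the first byte of the signature */
    unsigned function;  /* back door: AX loaded nearby (0 if none); BCHK: 4 */
};

static const uint8_t BCHK_SIG[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* MOV EBP,4243484Bh */
static const uint8_t SI_SIG[]   = { 0xBE, 0x47, 0x46 };             /* MOV SI,4647h */
static const uint8_t DI_SIG[]   = { 0xBF, 0x4D, 0x4A };             /* MOV DI,4A4Dh */

#define WINDOW 16   /* INT 3 and MOV AX,09xxh must sit within this many bytes */

static int match_at(const uint8_t *buf, size_t len, size_t off,
                    const uint8_t *sig, size_t siglen)
{
    return off + siglen <= len && memcmp(buf + off, sig, siglen) == 0;
}

/* Look for INT 3 (CC) and MOV AX,09xxh (B8 xx 09, xx in 10h..14h) in a window
 * that starts WINDOW/2 bytes before the magic loads found at 'at'. */
static int backdoor_context(const uint8_t *buf, size_t len, size_t at, unsigned *fn)
{
    size_t i, start = at > WINDOW / 2 ? at - WINDOW / 2 : 0;
    size_t end = start + WINDOW < len ? start + WINDOW : len;
    int have_int3 = 0;
    *fn = 0;
    for (i = start; i < end; i++) {
        if (buf[i] == 0xCC) have_int3 = 1;
        if (buf[i] == 0xB8 && i + 2 < end && buf[i + 2] == 0x09 &&
            buf[i + 1] >= 0x10 && buf[i + 1] <= 0x14)
            *fn = 0x0900u | buf[i + 1];
    }
    return have_int3;
}

/* Scan buf for both signatures; returns the number of hits stored (at most maxhits). */
size_t scan_softice_sigs(const uint8_t *buf, size_t len, struct sig_hit *hits, size_t maxhits)
{
    size_t i, n = 0;
    unsigned fn;
    for (i = 0; i < len && n < maxhits; i++) {
        if (match_at(buf, len, i, BCHK_SIG, sizeof BCHK_SIG)) {
            hits[n].kind = SIG_BCHK; hits[n].offset = i; hits[n].function = 4; n++;
        } else if (match_at(buf, len, i, SI_SIG, sizeof SI_SIG) &&
                   match_at(buf, len, i + 3, DI_SIG, sizeof DI_SIG) &&
                   backdoor_context(buf, len, i, &fn)) {
            hits[n].kind = SIG_BACKDOOR; hits[n].offset = i; hits[n].function = fn; n++;
        }
    }
    return n;
}

static const struct sig_hit *first_of_kind(const uint8_t *buf, size_t len, enum sig_kind kind)
{
    static struct sig_hit hits[16];
    size_t n = scan_softice_sigs(buf, len, hits, 16), k;
    for (k = 0; k < n; k++) if (hits[k].kind == kind) return &hits[k];
    return NULL;
}
/* Offset of the first hit of the given kind, or -1 if there is none. */
long find_sig(const uint8_t *buf, size_t len, enum sig_kind kind)
{ const struct sig_hit *h = first_of_kind(buf, len, kind); return h ? (long)h->offset : -1; }
/* Function code of the first hit of the given kind (0 if none). */
unsigned sig_function(const uint8_t *buf, size_t len, enum sig_kind kind)
{ const struct sig_hit *h = first_of_kind(buf, len, kind); return h ? h->function : 0; }

/* Constructed sample: Haspinst.exe 4C19:0095..00AD as 16-bit code, after 2 filler bytes. */
const uint8_t HASP_SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,        /* MOV AX,0911 */
    0x8B, 0x17,              /* MOV DX,[BX] */
    0xBE, 0x47, 0x46,        /* MOV SI,4647 */
    0xBF, 0x4D, 0x4A,        /* MOV DI,4A4D */
    0xCC,                    /* INT 3       */
    0x83, 0xC3, 0x02,        /* ADD BX,02   */
    0x41,                    /* INC CX      */
    0x83, 0xF9, 0x06,        /* CMP CX,06   */
    0x72, 0xEB,              /* JB 0095     */
    0xE9, 0x55, 0xFF,        /* JMP 0002    */
    0x8B, 0xDC               /* MOV BX,SP   */
};
/* Constructed sample: the Method 01 fragment as 32-bit code. */
const uint8_t BCHK_SAMPLE[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,  /* MOV EBP,4243484Bh */
    0x66, 0xB8, 0x04, 0x00,        /* MOV AX,4 */
    0xCC,                          /* INT 3 */
    0x3C, 0x04,                    /* CMP AL,4 */
    0x75, 0x10                     /* JNZ SoftICE_Detected */
};

int main(void)
{
    printf("HASP sample: back door at offset %ld, function %04Xh\n",
           find_sig(HASP_SAMPLE, sizeof HASP_SAMPLE, SIG_BACKDOOR),
           sig_function(HASP_SAMPLE, sizeof HASP_SAMPLE, SIG_BACKDOOR));
    printf("BCHK sample: handshake at offset %ld\n",
           find_sig(BCHK_SAMPLE, sizeof BCHK_SAMPLE, SIG_BCHK));
    return 0;
}
```

The window requirement is what keeps false positives down: the SI/DI pair
alone is only two immediate loads, but together with an INT 3 and an AX in
the 0910h..0914h range a few bytes away it is the back-door call and nothing
else. Run it over the unpacked code section of a protected file rather than
the packed image, since the stub is usually encrypted on disk.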
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives the
address of its API entry point; otherwise ES:DI is left at 0:0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program temporarily replaces the
int 41h vector in the real-mode interrupt vector table (at 0000:0104h) with
its own handler, which does nothing but IRET. If SoftICE is loaded it
services int 41h itself before the vector table entry is reached and AX
comes back as 0F386h; otherwise the dummy handler runs and AX is unchanged.
(The original listing assumes ES already points to segment 0; the first two
instructions below set it up.)

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old offset
        xchg bx, es:[41h*4+2]   ; ... and the old segment
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

" A4 q5 S, \) B/ b4 r M9 iMethod 06
. f% Y( P, [: Z+ \/ C=========! o8 Q) O/ @. t! {; ?3 s& a. f
" ? x) o# g2 v* Q/ d$ R% L
# Q% E, X' E" k5 g" n4 b
2nd method similar to the preceding one but more difficult to detect:
?1 A! x* `* g/ n+ a, G( R
/ V2 a4 {3 g9 C7 i0 K# X" X- e; y. ^: `, c# q3 T, Z4 U1 Y& ^
int41handler PROC7 [ p8 |, _4 x: u1 V
mov cl,al
/ l* n% ?3 o2 `# J6 F6 [ iret
6 W" N u8 ~4 a4 `9 b6 H2 k( dint41handler ENDP5 x6 Y; b4 \! Z/ v# l6 U
2 X" m- x1 b$ F6 J1 S; l; f2 n
; n, n: Y. V# {" A4 \- z
xor ax,ax& E. s: B. d4 V. T" N" n$ n" R
mov es,ax
+ Z/ m6 H0 V5 \0 t7 u mov bx, cs
1 Z% z7 d% @+ {/ Y* b% U1 m H lea dx, int41handler& X/ p5 K) q- ^
xchg dx, es:[41h*4]
( Y! Y1 `0 Q3 D* w+ } xchg bx, es:[41h*4+2]
. t6 d; m! o) e6 D: y9 T. j: I7 } in al, 40h( } ?, s* h, l1 m: }6 B
xor cx,cx
& b+ p1 h1 o" d1 a/ U int 41h
. P# n1 ^! Z; ] xchg dx, es:[41h*4]* Q' S6 c$ P6 c" B
xchg bx, es:[41h*4+2]1 s: [$ a, f0 Y; W
cmp cl,al4 B- J; Z" k" k
jnz SoftICE_detected
% f0 M1 K4 e( T$ ?: E2 W
$ D$ g; Y) @2 e- `_________________________________________________________________________8 T% j& _) l8 P' I; t$ r) ?0 S
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name    ; only used if Device_ID is 0 (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise), or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their values (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
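What a protection actually learns from those registers is easier to see
once DR7 is decoded field by field. The decoder below is an added example
(not code from the original text): it spells out why 0x700 vs 0x400 is a
loader signature (bit 10 of DR7 is reserved and always reads as 1, so the
difference is the LE and GE bits), lists the BPMs described by DR0..DR3 and
the enable/RW/LEN fields of DR7, and computes the values a protection would
write back to clear them. Reading the real registers requires ring 0; the
sample values are constructed.

```c
/* Decoder for the debug registers Method 10 reads. Added example, not code
 * from the original text; SAMPLE_DR7 / SAMPLE_DR are constructed values. */
#include <stdio.h>
#include <stdint.h>

struct hwbp {
    uint32_t addr;      /* linear address from DRn */
    int local, global;  /* Ln / Gn enable bits of DR7 */
    int rw;             /* 0 = execute, 1 = write, 3 = read/write (2 = I/O) */
    int len;            /* 1, 2 or 4 bytes */
};

#define DR7_LE       0x100u   /* local exact breakpoint enable */
#define DR7_GE       0x200u   /* global exact breakpoint enable */
#define DR7_RESERVED 0x400u   /* bit 10 always reads as 1 */

/* The page's observation: 0x700 (LE|GE on top of the reserved bit) when the
 * program was started by the SoftICE loader, 0x400 otherwise. */
int dr7_has_softice_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

static int decode_len(unsigned bits)
{
    return bits == 0 ? 1 : bits == 1 ? 2 : bits == 3 ? 4 : 8; /* LEN=2 is 8 bytes on x86-64 */
}

/* Fill out[0..3] from DR7 and DR0..DR3; returns how many breakpoints are enabled. */
int decode_debug_regs(uint32_t dr7, const uint32_t dr[4], struct hwbp out[4])
{
    int i, enabled = 0;
    for (i = 0; i < 4; i++) {
        out[i].addr   = dr[i];
        out[i].local  = (dr7 >> (2 * i)) & 1;
        out[i].global = (dr7 >> (2 * i + 1)) & 1;
        out[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        out[i].len    = decode_len((dr7 >> (18 + 4 * i)) & 3);
        if (out[i].local || out[i].global) enabled++;
    }
    return enabled;
}

/* Helpers that look at DR7 only (addresses are not needed for these). */
int bpm_count(uint32_t dr7) { uint32_t z[4] = {0}; struct hwbp t[4]; return decode_debug_regs(dr7, z, t); }
int bpm_rw(uint32_t dr7, int n)  { return (dr7 >> (16 + 4 * n)) & 3; }
int bpm_len(uint32_t dr7, int n) { return decode_len((dr7 >> (18 + 4 * n)) & 3); }

/* The counter-measure the text mentions: the values a protection writes back
 * to remove every BPM (enable bits, RW/LEN fields and addresses cleared;
 * LE/GE and the reserved bit are left alone). */
uint32_t dr7_clear_bpms(uint32_t dr7, uint32_t dr[4])
{
    int i;
    for (i = 0; i < 4; i++) dr[i] = 0;
    return dr7 & 0x0000FF00u;
}

/* Constructed sample: started by the SoftICE loader, plus one BPM set with
 * "BPM 401000 W" on DR0 (L0 = 1, RW0 = 01b write, LEN0 = 11b 4 bytes). */
#define SAMPLE_DR7 (0x700u | 0x1u | (1u << 16) | (3u << 18))   /* = 0xD0701 */
uint32_t SAMPLE_DR[4] = { 0x00401000u, 0, 0, 0 };

int main(void)
{
    struct hwbp bp[4];
    int i, n = decode_debug_regs(SAMPLE_DR7, SAMPLE_DR, bp);
    printf("DR7 = %08X: SoftICE loader signature %s, %d BPM(s) enabled\n",
           (unsigned)SAMPLE_DR7,
           dr7_has_softice_signature(SAMPLE_DR7) ? "present" : "absent", n);
    for (i = 0; i < 4; i++)
        if (bp[i].local || bp[i].global)
            printf("  DR%d: %08X rw=%d len=%d\n", i, (unsigned)bp[i].addr, bp[i].rw, bp[i].len);
    return 0;
}
```

Two things follow from the layout. A protection needs only a MOV from DR7
to learn both facts at once, so the warning at the top of this method is
not optional: any BPM you have set is visible to it. And since the same
MOV to DR7 removes the breakpoints, the only reliable way to hide them is to
trap the MOV itself (the GD bit, bit 13, does exactly that), which is why
the text says this check works from ring 0 only.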

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

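The MeltICE check generalised to the three driver names the text lists,
as an added example (this is not the MeltICE or nmtrans.dll code). The
opener is passed in as a function pointer so that the probe logic can be
exercised with a stand-in on a machine without SoftICE; the real opener uses
CreateFileA on Windows and open(2) elsewhere, where "\\.\SICE" is just a
non-existent file name and the probe correctly reports nothing. The
stand-in openers are assumptions for illustration only.

```c
/* MeltICE-style device-name probe for SICE, SIWVID and NTICE. Added
 * example, not MeltICE's or NuMega's code; the fake_open_* openers are
 * stand-ins so the probe can run where no SoftICE driver exists. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Returns 1 if the name could be opened (driver present), 0 otherwise. */
typedef int (*device_open_fn)(const char *path);

static const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE",      /* Win9x debugger VxD */
    "\\\\.\\SIWVID",    /* Win9x video VxD */
    "\\\\.\\NTICE",     /* WinNT driver */
};
#define N_DEVICES (sizeof SOFTICE_DEVICES / sizeof SOFTICE_DEVICES[0])

/* The real opener: exactly what IsSoftIce95Loaded does, for any name. */
int open_device_real(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    int fd = open(path, O_RDONLY);   /* "\\.\SICE" is an ordinary (absent) file here */
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Probe every name; returns the index of the first name that opened, or -1.
 * MeltICE's IsSoftIce95Loaded is the single-name case of this loop. */
int find_softice_device(device_open_fn opener)
{
    size_t i;
    for (i = 0; i < N_DEVICES; i++)
        if (opener(SOFTICE_DEVICES[i])) return (int)i;
    return -1;
}

/* Stand-in opener (assumption): behaves as if only the SIWVID VxD were loaded. */
int fake_open_siwvid_only(const char *path)
{
    return strcmp(path, "\\\\.\\SIWVID") == 0;
}

/* Stand-in opener (assumption): a machine without SoftICE. */
int fake_open_nothing(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
    int idx = find_softice_device(open_device_real);
    if (idx >= 0) printf("SoftICE detected via %s\n", SOFTICE_DEVICES[idx]);
    else          printf("no SoftICE device name could be opened\n");
    return 0;
}
```

Every name in the list goes through the same CreateFileA call, which is why
the classical breakpoint above catches all of them: `esp->4` is the
lpFileName argument and `+4` skips the "\\.\" prefix, so the comparison
lands on the first four characters of the driver name whichever one is
being probed.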
B# E" W9 ~; m__________________________________________________________________________
! I& L/ m2 G9 x y9 `% w
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the #2 and #1 subkey strings pointed to by the second argument):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>