<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0) here
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a pseudo-random value
    xor cx,cx
    int 41h                 ; our handler copies al into cl, unless a debugger answered
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>