<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; SoftICE answers the BCHK request by changing AL
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911          ; execute command.
4C19:0098 MOV DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647          ; 1st magic value.
4C19:009D MOV DI,4A4D          ; 2nd magic value.
4C19:00A0 INT 3                ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02            ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06            ; Repeat 6 times to execute
4C19:00A8 JB 0095              ; 6 different commands.
4C19:00AA JMP 0002             ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI still 0 -> no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone, a debugger does not
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies AL into CL
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = timer value, unknown in advance
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL means our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
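To make the two DR7 values above concrete, here is an added example (not from the original text) that decodes the register's fields in C. It takes the value as a plain integer, since reading DR7 itself is ring0 only as the text says; the field layout is the documented 32-bit one.

```c
#include <stdint.h>

/* Decoded view of the DR7 debug control register (32-bit layout). */
struct dr7_info {
    int le, ge, gd;     /* LE (bit 8), GE (bit 9), GD (bit 13)             */
    int enabled[4];     /* 1 if L<n> (bit 2n) or G<n> (bit 2n+1) is set    */
    int rw[4];          /* R/W<n>: 0=execute, 1=write, 2=I/O, 3=read/write */
    int len[4];         /* LEN<n>: 0=1 byte, 1=2 bytes, 3=4 bytes          */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) != 0;
        d.rw[n]      = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]     = (dr7 >> (18 + 4 * n)) & 3;
    }
    return d;
}

/* Number of hardware breakpoints (dr0..dr3) currently armed: what a BPM
 * set from SoftICE shows up as. */
int dr7_armed_count(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += d.enabled[n];
    return count;
}

/* R/W and LEN of breakpoint n packed as (rw << 4) | len, e.g. 0x33 is a
 * 4-byte read/write breakpoint; -1 when that slot is not enabled. */
int dr7_bp_kind(uint32_t dr7, int n)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.enabled[n] ? (d.rw[n] << 4) | d.len[n] : -1;
}

/* Bit 10 of DR7 is reserved and always reads as 1, so an idle machine shows
 * 0x400; 0x700 is 0x400 plus LE and GE, the value the text gives for a
 * program started through the SoftICE loader. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.le && d.ge;
}
```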
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD answers the DIOC_OPEN */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

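As an added example (not from the original text, and not MeltICE's or any packer's code), here is a small static scanner in C that flags, in a raw byte buffer, the three signatures the text describes: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic loads next to an int 3 of Method 02, and the device names of Method 11. The opcode encodings used for the patterns and the constructed sample stub are assumptions of the example, not taken from a real protector.

```c
#include <stdint.h>
#include <string.h>

#define HIT_BCHK   1u   /* Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42  */
#define HIT_INT3   2u   /* Method 02: mov si,4647h / mov di,4A4Dh next to an int 3 */
#define HIT_DEVICE 4u   /* Method 11: "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE"      */

/* Byte-exact search; returns the match offset or SIZE_MAX if absent. */
static size_t find_bytes(const uint8_t *buf, size_t len, const void *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return i;
    return SIZE_MAX;
}

unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    static const uint8_t bchk[]   = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,'BCHK' */
    static const uint8_t mov_si[] = {0xBE, 0x47, 0x46};             /* mov si,4647h   */
    static const uint8_t mov_di[] = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh   */
    static const char *const devs[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"};
    unsigned hits = 0;

    if (find_bytes(buf, len, bchk, sizeof bchk) != SIZE_MAX)
        hits |= HIT_BCHK;
    /* Method 02: both magic loads must sit in the 16 bytes before an int 3 (CC);
     * a lone CC (padding, a breakpoint) or a lone constant is not enough. */
    for (size_t i = 0; i < len && !(hits & HIT_INT3); i++) {
        size_t start = i > 16 ? i - 16 : 0;
        if (buf[i] == 0xCC &&
            find_bytes(buf + start, i - start, mov_si, sizeof mov_si) != SIZE_MAX &&
            find_bytes(buf + start, i - start, mov_di, sizeof mov_di) != SIZE_MAX)
            hits |= HIT_INT3;
    }
    for (size_t k = 0; k < sizeof devs / sizeof devs[0]; k++)
        if (find_bytes(buf, len, devs[k], strlen(devs[k])) != SIZE_MAX)
            hits |= HIT_DEVICE;
    return hits;
}

/* Constructed sample: the three tricks back to back, as a packer stub might carry them. */
unsigned demo_positive(void)
{
    static const uint8_t stub[] = {
        0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, /* mov ebp,'BCHK' / mov ax,4 / int 3 */
        0x3C, 0x04, 0x75, 0x10,                   /* cmp al,4 / jnz SoftICE_Detected        */
        0xB8, 0x11, 0x09, 0x8B, 0x17,             /* mov ax,0911h / mov dx,[bx]             */
        0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* mov si,4647h / mov di,4A4Dh / int 3    */
        '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0 /* "\\.\SICE" for CreateFileA         */
    };
    return scan_anti_softice(stub, sizeof stub);  /* HIT_BCHK | HIT_INT3 | HIT_DEVICE = 7 */
}

/* Constructed sample: a plain int 3 and the bare word SICE must not trigger anything. */
unsigned demo_negative(void)
{
    static const uint8_t plain[] = {0x55, 0x8B, 0xEC, 0xCC, 'S', 'I', 'C', 'E', 0xC3};
    return scan_anti_softice(plain, sizeof plain);  /* 0 */
}
```

The 16-byte window keeps the Method 02 match tied to an actual `int 3`, so a string table that merely contains the two constants is not reported.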
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>