<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
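
Added example (not from this text or from any tool it names): a static triage scanner in Python that flags the byte encodings of the instruction sequences and driver/registry strings quoted in methods 01 to 05, 07, 11 and 13 inside a raw binary, so an analyst can spot these checks before running a sample under a debugger. The signature table and the sample buffer are constructed here; matching assumes the 16-bit encodings and instruction order shown above, so reordered variants will not match.

```python
import re

# Signatures: (method label, regex over raw bytes, description).
# Byte patterns are the encodings of the instruction sequences quoted in the
# text (operand-size prefixes, if any, precede them, so matching still works).
SIGNATURES = [
    ("Method 01", rb"\xBD\x4B\x48\x43\x42",
     "mov ebp,4243484Bh ('BCHK') before int 3"),
    ("Method 02", rb"\xBE\x47\x46\xBF\x4D\x4A",
     "mov si,4647h / mov di,4A4Dh back-door magic values"),
    ("Method 03", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    ("Method 04", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    ("Method 05", rb"\xB8\x4F\x00\xCD\x41",
     "mov ax,4Fh / int 41h debugger-installed check"),
    ("Method 07", rb"\xB4\x43\xCD\x68",
     "mov ah,43h / int 68h WinICE handler check"),
    ("Method 11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
     "driver name used by MeltICE-style CreateFileA/_lopen"),
    ("Method 13", rb"Software\\NuMega\\SoftICE",
     "SoftICE registry key"),
]


def scan(data: bytes):
    """Return hits as a sorted list of (offset, method, description)."""
    hits = []
    for method, pattern, desc in SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk with the same signature table."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: filler bytes with three of the sequences embedded,
# not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh (Method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"      # mov ax,4 / int 3 / cmp al,4 (32-bit code)
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                   # '\\.\SICE',0 (Method 11)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {method}: {desc}")
```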
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>