<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers an int 3
issued with EBP='BCHK' and AX=4 (the BoundsChecker interface) and modifies AL,
so the compare below fails when the debugger is loaded.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). If no VxD with that ID is loaded, ES:DI comes back
as 0000:0000, which is what the test below checks.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, keeping the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

With the private handler installed, int 41h normally lands in int41handler,
which copies AL (a byte just read from the timer port) into CL; if SoftICE has
hooked int 41h it answers the call itself, the handler never runs, CL stays 0
and the final compare gives the debugger away.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
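
The SoftICE breakpoints above only catch these checks while the program runs. A static scanner for the byte patterns behind Methods 01 to 07, 11 and 12, added here as an example (it is not part of the original text or of any tool it names): the signature names, the instruction encodings (16-bit forms, with an optional 66h operand-size prefix for 32-bit code) and the sample bytes are my own constructions.

```python
import re
from typing import Dict, List, Tuple

# Byte patterns for the anti-SoftICE checks described in this text
# (signature name, regex over raw bytes, where the text describes it).
# Encodings assume 16-bit code, with an optional 66h operand-size prefix
# where the same instruction appears in 32-bit code.
SIGNATURES: List[Tuple[str, bytes, str]] = [
    ("bchk_int3", rb"\xbd\x4b\x48\x43\x42",
     "Method 01: mov ebp,4243484Bh ('BCHK') before int 3"),
    ("softice_magic_si_di", rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a",
     "Method 02: mov si,4647h / mov di,4A4Dh before the int 3 backdoor call"),
    ("vxd_id_int2f", rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
     "Methods 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) ID"),
    ("int41_fn_4f", rb"\xb8\x4f\x00\xcd\x41",
     "Method 05: mov ax,4Fh / int 41h debugger installation check"),
    ("magic_f386", rb"(?:\x66)?\x3d\x86\xf3",
     "Methods 05-07/12: cmp ax,0F386h (system debugger magic number)"),
    ("vwin32_int41dispatch", rb"\x68\x2a\x00\x2a\x00",
     "Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    ("meltice_device_name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
     "Method 11: MeltICE opens \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat, _ in SIGNATURES]
NOTES = {name: note for name, _, note in SIGNATURES}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {signature_name: [offsets]} for every signature found in data."""
    hits: Dict[str, List[int]] = {}
    for name, rx in COMPILED:
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def describe(hits: Dict[str, List[int]]) -> List[str]:
    """One report line per hit, pointing back to the method number in the text."""
    return [f"{off:#010x}  {name:<22} {NOTES[name]}"
            for name, offs in sorted(hits.items()) for off in offs]


# Constructed sample (not a real binary): a few bytes carrying four of the tricks.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xb8\x04\x00\xcc"          # mov ax, 4 / int 3
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"               # device name string used by MeltICE
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"  # push 4Fh / push 2A002Ah (VxDCall args)
    + b"\x66\x3d\x86\xf3"              # cmp ax, 0F386h (32-bit code form)
)

if __name__ == "__main__":
    for line in describe(scan(SAMPLE)):
        print(line)
```

Each report line carries the file offset and the method number, so a hit can be located in a disassembler and reviewed by hand; short patterns such as the 0F386h compare can also occur in ordinary data, so treat a single hit as a lead, not a verdict.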

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>