About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE recognises.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax                   ; es = 0 so that es:[41h*4] addresses the IVT
    mov     es,ax                   ; (as in the Method 06 listing below)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler, so that
    xchg    bx, es:[41h*4+2]        ; without a debugger ax simply stays 4fh
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a pseudo-random value in al
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger intercepted int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE drivers' handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device (SoftICE for Win9x) can be opened,
   i.e. if the driver is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: SoftICE is present */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>