<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax      ; ES:DI == 0000:0000 means no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table segment), as set up in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler only copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keeping the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx,cx
    int 41h                 ; if a debugger handles int 41h itself, our handler
                            ; never runs and cl stays 0
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                      ; int 21h/25h: set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its device name; the open only
       succeeds when the driver is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

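The magic values quoted in methods 01 to 12 (the 'BCHK' constant, the SI/DI
back-door values 4647h/4A4Dh, the VxD IDs 0202h and 7a5Fh passed to int 2Fh,
the 0F386h compare shared by the int 41h, int 68h and VxDCall variants, and the
device names and registry key of methods 11 and 13) double as static indicators
an analyst can grep a protected binary for before ever stepping through it. The
scanner below is an added example written for this page, not code from the
original text or from any of the tools it mentions: the byte patterns are the
standard x86 encodings of the instructions quoted above, the signature names
are my own, and the sample blob is hand-assembled here rather than taken from
a real executable.

```python
import re

# Byte signatures for the SoftICE checks quoted in this text. Each pattern is
# the standard x86 encoding of the quoted instructions:
#   B8+r imm  = mov r16/r32, imm (little-endian immediate)
#   CD ib     = int ib
#   3D iw     = cmp ax, iw
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') encodes as BD 4B 48 43 42
    ("bchk_boundschecker",
     re.compile(re.escape(b"\xBD" + (0x4243484B).to_bytes(4, "little")))),
    # Method 02: mov si, 4647h ... mov di, 4A4Dh (16-bit code): BE 47 46 / BF 4D 4A
    ("backdoor_magic_si_di",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov bx, 0202h or 7A5Fh followed closely by int 2Fh
    ("int2f_vxd_id",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Methods 05/07/12: cmp ax, 0F386h is 3D 86 F3 (66h-prefixed in 32-bit code)
    ("f386_magic_cmp", re.compile(rb"\x3D\x86\xF3")),
    # Method 11: device names opened with CreateFileA / _lopen
    ("device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: the NuMega registry key
    ("registry_key", re.compile(rb"NuMega\\SoftICE")),
]

# Which method of the text each signature corresponds to (used in the report).
METHOD_OF = {
    "bchk_boundschecker": "01",
    "backdoor_magic_si_di": "02",
    "int2f_vxd_id": "03/04",
    "f386_magic_cmp": "05/07/12",
    "device_name": "11",
    "registry_key": "13",
}


def scan(blob):
    """Return a list of (signature_name, offset) pairs sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def report(blob):
    """One human-readable line per hit, e.g. '0x0004: bchk_boundschecker (method 01)'."""
    return ["%#06x: %s (method %s)" % (off, name, METHOD_OF[name])
            for name, off in scan(blob)]


# Constructed sample: the quoted snippets assembled by hand, with padding and
# the strings that methods 11 and 13 look for. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                              # mov ebp, 4243484Bh
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"                  # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xB8\x11\x09\x8B\x17"                              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # xor di,di ... mov bx,202h / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"          # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The patterns are deliberately loose (a bounded gap between the two magic moves,
no check of the surrounding jump), because packers reorder and interleave these
sequences; a hit is a pointer to where to set the SoftICE breakpoints listed
above, not proof of a check on its own.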
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>