About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; if SoftICE is loaded it handles the int 3 and returns with AL != 4
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di           ; ES:DI = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di           ; ES:DI = 0 before the call
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0 if the VxD is not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler, keep the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; an arbitrary value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL != AL: our handler never ran, something else owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
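As an added illustration of what Method 10 actually reads (this is not code from the original text), here is a Python decoder for DR7 and the DR0-DR3 address registers. The bit layout is the documented x86 one (L/G enables in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 that always reads as 1, GD bit 13, R/W and LEN fields from bit 16), the 0x700 and 0x400 values are the ones quoted above, and the DR0 sample breakpoint, together with the function names, is my own construction.

```python
# Added example (not from the original text): decode the x86 debug control
# register DR7 and list the hardware breakpoints (BPMs) it enables.
# Field layout per the x86 architecture manuals; 0x700 / 0x400 are the DR7
# values quoted in Method 10; the DR0 breakpoint below is constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) exists only in 64-bit mode


def decode_dr7(dr7):
    """Return the named fields of DR7 as a dict."""
    return {
        "L": [(dr7 >> (2 * i)) & 1 for i in range(4)],       # local enable DR0..DR3 (bits 0,2,4,6)
        "G": [(dr7 >> (2 * i + 1)) & 1 for i in range(4)],   # global enable DR0..DR3 (bits 1,3,5,7)
        "LE": (dr7 >> 8) & 1,                                # local exact breakpoint enable
        "GE": (dr7 >> 9) & 1,                                # global exact breakpoint enable
        "reserved_bit10": (dr7 >> 10) & 1,                   # architecturally always reads as 1
        "GD": (dr7 >> 13) & 1,                               # general detect: trap on any DRx access
        "RW": [(dr7 >> (16 + 4 * i)) & 3 for i in range(4)], # access type per breakpoint
        "LEN": [(dr7 >> (18 + 4 * i)) & 3 for i in range(4)],# length per breakpoint
    }


def active_breakpoints(dr7, dr0_3):
    """List (index, address, access, length_in_bytes) for every enabled
    hardware breakpoint. dr0_3 is a sequence of the four DR0..DR3 addresses."""
    f = decode_dr7(dr7)
    found = []
    for i, addr in enumerate(dr0_3):
        if f["L"][i] or f["G"][i]:
            found.append((i, addr, RW_NAMES[f["RW"][i]], LEN_BYTES[f["LEN"][i]]))
    return found


def softice_loader_fingerprint(dr7):
    """Classify DR7 using the two values quoted in Method 10: 0x700 (LE and GE
    set, as left by the SoftICE loader) versus the idle 0x400 (only the
    reserved bit). The 'no L/G bits' condition is my own tightening so that a
    DR7 that merely carries BPMs is not misread as the loader fingerprint."""
    f = decode_dr7(dr7)
    if f["LE"] and f["GE"] and not any(f["L"]) and not any(f["G"]):
        return "loaded via SoftICE loader (LE/GE set)"
    if dr7 == 0x400:
        return "idle (only reserved bit 10 set)"
    return "other"


# Constructed sample: one 4-byte read/write BPM on DR0 at 0x401000, locally enabled.
SAMPLE_DR7 = 0x400 | 1 | (3 << 16) | (3 << 18)
SAMPLE_DRS = [0x401000, 0, 0, 0]

if __name__ == "__main__":
    for value in (0x700, 0x400, SAMPLE_DR7):
        print(hex(value), softice_loader_fingerprint(value),
              active_breakpoints(value, SAMPLE_DRS))
```

Running it shows why the two quoted values differ only in bits 8 and 9: 0x400 is nothing but the always-set reserved bit, while 0x700 adds LE and GE. A BPM set from SoftICE shows up as an enabled slot with a non-zero R/W or LEN field, which is exactly what a ring0 reader of DR0-DR3/DR7 sees, and what clearing those bits removes.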

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of 'tICE' inside the subkey strings of #2 and
#1 respectively.)

__________________________________________________________________________
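To turn the constants scattered through Methods 01-07, 11, 12 and 13 into something an analyst can run over a sample before stepping through it, here is an added Python triage scanner; it is not code from the original text. The byte patterns are the standard x86 encodings of the instructions quoted above (for example `mov si,4647h` is `BE 47 46`), the UTF-16LE variants of the device names are my generalisation for the wide file API, the image it scans is constructed, and the names `Signature`, `Hit`, `scan` and `methods_found` are mine.

```python
# Added example (not from the original text): static triage scanner that
# flags the byte/string signatures of the anti-SoftICE tricks described above
# in a raw code image. Byte patterns are standard x86 encodings of the quoted
# instructions; SAMPLE_IMAGE is constructed for the demonstration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str        # method number(s) in the text above
    description: str
    pattern: bytes     # raw bytes searched for verbatim


SIGNATURES = [
    Signature("01", "'BCHK' BoundsChecker magic 0x4243484B as little-endian immediate", b"\x4b\x48\x43\x42"),
    Signature("02", "mov si,4647h ; mov di,4A4Dh (int 3 back-door magic values)", b"\xbe\x47\x46\xbf\x4d\x4a"),
    Signature("03", "mov bx,0202h ; int 2Fh (SICE VxD ID, function 1684h)", b"\xbb\x02\x02\xcd\x2f"),
    Signature("04", "mov bx,7A5Fh ; int 2Fh (SIWVID VxD ID, function 1684h)", b"\xbb\x5f\x7a\xcd\x2f"),
    Signature("05", "mov ax,4Fh ; int 41h (debugger installation check)", b"\xb8\x4f\x00\xcd\x41"),
    Signature("05/06/07/12", "cmp ax,0F386h (system-debugger magic number)", b"\x3d\x86\xf3"),
    Signature("07", "mov ah,43h ; int 68h (WinICE V86 handler)", b"\xb4\x43\xcd\x68"),
    Signature("12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", b"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    Signature("13", "SoftICE registry key (NuMega\\SoftICE)", b"NuMega\\SoftICE"),
]
# Method 11 (MeltICE) device names, as ASCII and (my generalisation) as UTF-16LE.
for name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"):
    SIGNATURES.append(Signature("11", "SoftICE device name " + name.decode(), name))
    SIGNATURES.append(Signature("11", "SoftICE device name (UTF-16LE) " + name.decode(),
                                name.decode().encode("utf-16-le")))


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    description: str


def scan(image):
    """Return every signature hit in the image, sorted by offset.
    Hits are leads for a reverser to confirm, not a verdict: the three-byte
    cmp ax,0F386h pattern in particular can occur by chance in unrelated code."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(re.escape(sig.pattern), image):
            hits.append(Hit(m.start(), sig.method, sig.description))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(image):
    """Sorted list of the distinct method labels that hit."""
    return sorted({h.method for h in scan(image)})


# Constructed sample image: NOP filler plus the Method 01 snippet, the
# Haspinst.exe excerpt from Method 02, the Method 12 VxDCall arguments,
# two MeltICE device names and the Method 13 registry path.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov ax,0911h; mov dx,[bx]; mov si/di,magic; int 3
    + b"\x90" * 8
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                       # push 4Fh; push 002A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                # \\.\SICE and \\.\NTICE
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_IMAGE):
        print(f"{h.offset:#06x}  method {h.method:<12} {h.description}")
```

The patterns deliberately start at the opcode byte rather than at an operand-size prefix, so the same entry matches the 16-bit DOS form (`B8 4F 00 CD 41`) and the 32-bit form with its leading `66`. On the constructed image the scanner reports Methods 01, 02, 11, 12 and 13 at the offsets where those snippets were placed and nothing for the others, which is the kind of quick "which checks does this sample carry" summary that tells you which of the BPX/BPINT breakpoints listed above are worth setting.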


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>