<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must point to the IVT (ES = 0), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value (timer port)
    xor cx, cx
    int 41h                 ; our handler copies al into cl, unless the debugger intercepts it
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

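The following is an added example, not part of the original text: a small Python scanner that looks for the byte patterns of Methods 01 to 05, 07, 11, 12 and 13 in a raw sample, so you can spot these tricks statically before running a protected program under the debugger. Instruction encodings are hand-assembled from the listings above; the sample bytes are constructed.

```python
"""Static scanner for the SoftICE-detection idioms catalogued above.
Constructed example: it matches the byte encodings of the instruction
sequences and the driver/registry strings Methods 01-05, 07, 11, 12 and 13
rely on. Assumes 16-bit code for the DOS methods, 32-bit for 11-13."""
import re

# Hand-assembled x86 encodings used below:
#   mov ebp,imm32 = BD imm32   mov si,imm16 = BE imm16   mov di,imm16 = BF imm16
#   mov ax,imm16  = B8 imm16   mov bx,imm16 = BB imm16   mov ah,imm8  = B4 imm8
#   cmp ax,imm16  = 3D imm16   int n = CD n   push imm8 = 6A n   push imm32 = 68 imm32
SIGNATURES = [
    ("Method 01: 'BCHK' BoundsChecker magic loaded into EBP",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    ("Method 02: back door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a", re.DOTALL)),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f")),
    ("Method 05: int 41h function 4Fh",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    ("Method 07: int 68h function 43h",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("Method 05/07/12: compare against debugger magic 0F386h",
     re.compile(rb"\x3d\x86\xf3")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("Method 11: SoftICE driver name for CreateFileA/_lopen",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    ("Method 13: SoftICE registry key",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE)),
]


def scan(data: bytes) -> list:
    """Return (label, offset) pairs for every idiom found, ordered by offset."""
    hits = [(label, m.start())
            for label, pattern in SIGNATURES
            for m in pattern.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: the Haspinst.exe fragment of Method 02 re-encoded as
# bytes, some padding, then a MeltICE-style driver name. Not a real binary.
SAMPLE = (
    b"\xb8\x11\x09"          # mov ax,0911h
    b"\x8b\x17"              # mov dx,[bx]
    b"\xbe\x47\x46"          # mov si,4647h
    b"\xbf\x4d\x4a"          # mov di,4A4Dh
    b"\xcc"                  # int 3
    b"\x90\x90\x90\x90"      # padding
    b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it over a dumped or unpacked image rather than the packed file, since the packers mentioned in Method 01 hide these bytes until unpacking.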
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>