<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov  ebp, 04243484Bh    ; 'BCHK'
    mov  ax, 04h
    int  3
    cmp  al, 4
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911      ; execute command.
    4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647      ; 1st magic value.
    4C19:009D MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB   0095         ; 6 different commands.
    4C19:00AA JMP  0002         ; Bad_Guy jmp back.
    4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 0202h          ; VxD ID of winice
    int  2Fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 7a5Fh          ; VxD ID of SIWVID
    int  2fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov  ax, 4fh
    int  41h
    cmp  ax, 0F386h
    jz   SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov  bx, cs
    lea  dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov  ax, 4fh
    int  41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp  ax, 0f386h
    jz   SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov  cl, al
    iret
int41handler ENDP

    xor  ax, ax
    mov  es, ax
    mov  bx, cs
    lea  dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in   al, 40h
    xor  cx, cx
    int  41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp  cl, al
    jnz  SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov  ah, 43h
    int  68h
    cmp  ax, 0F386h
    jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov  ah, 25h
    mov  al, Int_Number     ; 01h or 03h
    mov  dx, offset New_Int_Routine
    int  21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov  eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov  edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov  [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the 'SICE' driver accepts an open request, i.e. SoftICE
   (Win9x) is loaded. 'SIWVID' and 'NTICE' are checked the same way. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is active */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>