<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface of SoftICE: with EBP holding the signature 'BCHK'
and AX = 4, the INT 3 is answered by SoftICE, which returns with AL no
longer equal to 4. Without SoftICE, AL is untouched.

        mov ebp, 04243484Bh     ; 'BCHK' (ASCII 42h 43h 48h 4Bh, high byte first)
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on INT 3, which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; int call (if SoftICE is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy: jump back.
        4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands, located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded, since nothing else answers the INT 3.
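
Added example (not code from the original page, nor from Haspinst or any other
program named here): a small static scanner in C that finds the two INT 3 checks
of Methods 01 and 02 in raw x86 code bytes. It matches the immediates the text
names ('BCHK' = 4243484Bh for Method 01, 4647h/4A4Dh for Method 02) followed by
a CC (int 3) within a short window. The window size and the sample buffers (the
Haspinst loop above, hand-assembled, plus a Method 01 sequence and a benign one)
are constructed for this example. Note the little-endian storage: mov si,4647h
assembles to BE 47 46, and 'BCHK' lands in memory as 4B 48 43 42.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest gap in bytes tolerated between the magic MOV and the INT 3.
   This is an assumption of the example, not anything SoftICE defines. */
#define WINDOW 16

enum { SICE_NONE = 0, SICE_BCHK = 1, SICE_BACKDOOR = 2 };

/* x86 immediates are little-endian: 'BCHK' (4243484Bh) is 4B 48 43 42 in
   memory, 4647h is 47 46.  MOV r16,imm16 = B8+reg (SI=BE, DI=BF);
   MOV EBP,imm32 = BD imm32 (with a 66 prefix in 16-bit code); INT 3 = CC. */
static const uint8_t MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t MOV_SI_4647[]  = { 0xBE, 0x47, 0x46 };
static const uint8_t MOV_DI_4A4D[]  = { 0xBF, 0x4D, 0x4A };
static const uint8_t OP_INT3[]      = { 0xCC };

/* First offset in [from, from+WINDOW) where seq occurs; -1 if none. */
static long find_within(const uint8_t *buf, size_t len, size_t from,
                        const uint8_t *seq, size_t n)
{
    size_t end = (from + WINDOW < len) ? from + WINDOW : len;
    for (size_t i = from; i + n <= end; i++)
        if (memcmp(buf + i, seq, n) == 0)
            return (long)i;
    return -1;
}

/* Scan raw code bytes for either INT 3 based SoftICE check.  On a hit, the
   offset of the first MOV is stored in *hit_off and the method id returned. */
int scan_for_int3_check(const uint8_t *buf, size_t len, size_t *hit_off)
{
    for (size_t i = 0; i < len; i++) {
        /* Method 01: mov ebp,'BCHK' ... int 3 */
        if (i + sizeof MOV_EBP_BCHK <= len &&
            memcmp(buf + i, MOV_EBP_BCHK, sizeof MOV_EBP_BCHK) == 0 &&
            find_within(buf, len, i + sizeof MOV_EBP_BCHK, OP_INT3, 1) >= 0) {
            if (hit_off) *hit_off = i;
            return SICE_BCHK;
        }
        /* Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (SI first, as in Haspinst) */
        if (i + sizeof MOV_SI_4647 <= len &&
            memcmp(buf + i, MOV_SI_4647, sizeof MOV_SI_4647) == 0) {
            long di = find_within(buf, len, i, MOV_DI_4A4D, sizeof MOV_DI_4A4D);
            if (di >= 0 &&
                find_within(buf, len, (size_t)di + sizeof MOV_DI_4A4D, OP_INT3, 1) >= 0) {
                if (hit_off) *hit_off = i;
                return SICE_BACKDOOR;
            }
        }
    }
    return SICE_NONE;
}

/* Convenience: offset of the first hit, or -1 when the buffer is clean. */
long int3_check_offset(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    return scan_for_int3_check(buf, len, &off) == SICE_NONE ? -1 : (long)off;
}

/* Constructed sample: the Haspinst.exe loop from Method 02, hand-assembled as
   16-bit code (instruction offsets match the listing's 0095..00A9). */
const uint8_t sample_haspinst[] = {
    0xB8, 0x11, 0x09,   /* 0095 mov ax,0911h */
    0x8B, 0x17,         /* 0098 mov dx,[bx]  */
    0xBE, 0x47, 0x46,   /* 009A mov si,4647h */
    0xBF, 0x4D, 0x4A,   /* 009D mov di,4A4Dh */
    0xCC,               /* 00A0 int 3        */
    0x83, 0xC3, 0x02,   /* 00A1 add bx,2     */
    0x41,               /* 00A4 inc cx       */
    0x83, 0xF9, 0x06,   /* 00A5 cmp cx,6     */
    0x72, 0xEB,         /* 00A8 jb 0095      */
};

/* Constructed sample: Method 01 as 32-bit code (jnz displacement left as 00). */
const uint8_t sample_bchk[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh ('BCHK') */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax,4                   */
    0xCC,                           /* int 3                      */
    0x3C, 0x04,                     /* cmp al,4                   */
    0x75, 0x00,                     /* jnz SoftICE_Detected       */
};

/* Constructed sample: the magic MOVs with no INT 3 after them -> not the trick. */
const uint8_t sample_benign[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0x90, 0x90, 0xC3 };

int main(void)
{
    printf("haspinst: method %d at %ld\n", scan_for_int3_check(sample_haspinst, sizeof sample_haspinst, NULL),
           int3_check_offset(sample_haspinst, sizeof sample_haspinst));
    printf("bchk:     method %d at %ld\n", scan_for_int3_check(sample_bchk, sizeof sample_bchk, NULL),
           int3_check_offset(sample_bchk, sizeof sample_bchk));
    printf("benign:   method %d\n", scan_for_int3_check(sample_benign, sizeof sample_benign, NULL));
    return 0;
}
```

The benign buffer shows the point of requiring the CC: the two constants alone
also occur in data, and a packer's decryption stub may keep them apart from the
INT 3, which is why the window, and not an exact byte string, is used.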
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get VxD API entry point). ES:DI is zeroed first; if the VxD
is loaded, ES:DI comes back holding a non-zero entry point.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next one as well as the one in Method 06 are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is first pointed at
the program's own IRET stub (ES is assumed to be 0, the vector table segment),
so a plain real-mode handler cannot produce 0F386h: only a debugger hooking
the interrupt outside the vector table can.

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; swap in our handler (offset) ...
        xchg bx, es:[41h*4+2]           ; ... and segment; DX:BX keeps the old vector
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to spot, since
neither 4Fh nor 0F386h appears in the code. The installed handler copies AL
into CL, so after the int 41h CL == AL only if the program's own handler ran;
if a debugger swallowed the interrupt, CL is still 0 and SoftICE is detected
(the check misses when the timer byte in AL happens to be 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                       ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; install our handler, old vector kept in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; hard-to-predict value from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Detection of the WinICE handler installed on int 68h (V86 mode): function
AH = 43h returns the same 0F386h debugger signature.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ECX) if it is installed.

        mov eax, Device_ID              ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name            ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx                  ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while this option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).
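
Added example (not from the original page): a C decoder for the DR7 bit layout
that a ring-0 check of the kind described above would read. It shows why the
two values named in the text differ only by the LE and GE bits (0x400 is just
the reserved bit 10, which always reads as 1; 0x700 adds bits 8 and 9), and
which of DR0..DR3 are armed, i.e. which BPMs are set. The program reads no real
debug register (that needs ring 0); every value fed in is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
   bit 2n = Ln (local enable of DRn), bit 2n+1 = Gn (global enable),
   bit 8 = LE, bit 9 = GE, bit 10 = reserved and always reads as 1,
   bit 13 = GD, bits 16+4n..17+4n = R/Wn, bits 18+4n..19+4n = LENn. */

struct dr7_bp {
    int local, global;  /* Ln / Gn                                          */
    int rw;             /* 0 = exec, 1 = write, 2 = I/O, 3 = read/write     */
    int len;            /* 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
};

struct dr7_info {
    struct dr7_bp bp[4];
    int le, ge, gd;
    unsigned armed;     /* bitmask: bit n set when DRn has Ln or Gn set */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.bp[n].local  = (dr7 >> (2 * n))      & 1;
        d.bp[n].global = (dr7 >> (2 * n + 1))  & 1;
        d.bp[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        d.bp[n].len    = (dr7 >> (18 + 4 * n)) & 3;
        if (d.bp[n].local || d.bp[n].global)
            d.armed |= 1u << n;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The Method 10 decision: 0x400 is the idle value (reserved bit only);
   anything else means a debugger has written DR7.  0x700 = 0x400 + LE + GE,
   the state the text reports after the SoftICE loader; armed BPMs show up
   in the Ln/Gn bits. */
int dr7_looks_debugged(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.armed != 0 || d.le || d.ge || d.gd;
}

/* Build the DR7 a debugger would write to arm DRn (used here only to
   construct inputs; the real register is only accessible at ring 0). */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len, int global)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((uint32_t)(rw & 3) << (16 + 4 * n)) | ((uint32_t)(len & 3) << (18 + 4 * n));
    return dr7;
}

static void show(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%x debugged=%d\n",
           dr7, d.le, d.ge, d.gd, d.armed, dr7_looks_debugged(dr7));
    for (int n = 0; n < 4; n++)
        if (d.armed & (1u << n))
            printf("  DR%d: L=%d G=%d rw=%d len=%d\n", n,
                   d.bp[n].local, d.bp[n].global, d.bp[n].rw, d.bp[n].len);
}

int main(void)
{
    show(0x400);                        /* program not loaded through SoftICE */
    show(0x700);                        /* program loaded with the SoftICE loader */
    show(dr7_arm(0x400, 0, 3, 3, 0));   /* one BPM RW, 4 bytes, armed on DR0 */
    return 0;
}
```

A detector that only compares DR7 against 0x400 misses a breakpoint armed
through the global bits with LE/GE left clear; the decoder checks the enable
bits of each register instead, which is what a BPM actually sets.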
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* \\.\SICE is the device name of the SoftICE VxD; SIWVID and NTICE are
       probed the same way */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the open succeeded, so the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh                  ; function 4fh
        push 002a002ah                  ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001           ; VxDCall
        cmp ax, 0f386h                  ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

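Added example (not from the original page): the 4-byte compare behind the BPX
conditions of Methods 11 and 13, written in C over constructed inputs (the three
device names of Method 11 and keys #1..#3 of Method 13). It shows where +4 (the
length of the \\.\ device prefix), 0x13 and 0x37 (the offset of "tICE" in keys #2
and #1) come from, and that key #3 is not covered by the breakpoint. bpx_tag_at
mirrors SoftICE's *(p+off)=='XXXX' dword compare by comparing the bytes in memory
order.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the SoftICE expression *(p+off)=='XXXX': 1 when the 4 bytes at
   s+off equal tag in memory order.  A C multi-character constant such as
   'SICE' is implementation-defined, so the bytes are compared instead. */
int bpx_tag_at(const char *s, size_t off, const char tag[4])
{
    if (off + 4 > strlen(s))            /* SoftICE would read past the string; we refuse */
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Offset of the first occurrence of a 4-byte tag in s, or -1. */
long tag_offset(const char *s, const char tag[4])
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
   esp->4 is lpFileName; +4 skips the "\\.\" prefix, so only the first four
   characters of the device name are compared (hence 'NTIC', not 'NTICE'). */
int meltice_name_matches(const char *lpFileName)
{
    return bpx_tag_at(lpFileName, 4, "SICE") ||
           bpx_tag_at(lpFileName, 4, "SIWV") ||
           bpx_tag_at(lpFileName, 4, "NTIC");
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is lpSubKey (the path below HKEY_LOCAL_MACHINE). */
int regkey_matches(const char *lpSubKey)
{
    return bpx_tag_at(lpSubKey, 0x13, "tICE") || bpx_tag_at(lpSubKey, 0x37, "tICE");
}

/* Constructed inputs: the device names of Method 11 and keys #1..#3 of Method 13,
   plus one unrelated device name. */
const char *const DEV_SICE   = "\\\\.\\SICE";
const char *const DEV_SIWVID = "\\\\.\\SIWVID";
const char *const DEV_NTICE  = "\\\\.\\NTICE";
const char *const DEV_OTHER  = "\\\\.\\PhysicalDrive0";
const char *const KEY1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
const char *const KEY2 = "Software\\NuMega\\SoftICE";
const char *const KEY3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

int main(void)
{
    const char *const devs[] = { DEV_SICE, DEV_SIWVID, DEV_NTICE, DEV_OTHER };
    const char *const keys[] = { KEY1, KEY2, KEY3 };

    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        printf("%-24s CreateFileA bpx fires: %d\n", devs[i], meltice_name_matches(devs[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key #%zu: 'tICE' at offset %ld, _regopenkey bpx fires: %d\n",
               i + 1, tag_offset(keys[i], "tICE"), regkey_matches(keys[i]));
    return 0;
}
```

tag_offset is the tool to reach for when a program opens a key or device the
breakpoints above do not list: it gives the offset to put in the condition.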
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set = no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>