About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SoftICE device name only succeeds when the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
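As an added example (not part of the original article): a small Python scanner that looks for the byte patterns the tricks above leave behind in a binary, so an analyst can flag anti-SoftICE checks in a sample without running it. The opcode encodings, the rule set (methods 01 to 05, 07, 11, 12 and 13) and the sample blob are my own construction.

```python
import re
from typing import List, Tuple

# Each rule: (method number from the article, description, byte pattern).
# Encodings assume 16-bit code; 32-bit code adds a 66h prefix before the mov,
# which still matches because the patterns do not anchor on the prefix.
RULES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h (SoftICE back door magic value)", rb"\xBE\x47\x46"),
    ("02", "mov di,4A4Dh (SoftICE back door magic value)", rb"\xBF\x4D\x4A"),
    ("03", "mov bx,0202h; int 2Fh (SICE VxD entry point query)",
     rb"\xBB\x02\x02\xCD\x2F"),
    ("04", "mov bx,7A5Fh; int 2Fh (SIWVID VxD entry point query)",
     rb"\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh; int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h; int 68h (WinICE V86 handler check)",
     rb"\xB4\x43\xCD\x68"),
    ("11", "device name \\\\.\\SICE, SIWVID or NTICE (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2A\x00\x2A\x00"),
    ("13", "registry path Software\\NuMega\\SoftICE",
     rb"NuMega\\SoftICE"),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in RULES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers whose patterns occur in the blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample (not a real file): the Method 02 sequence from the
# Haspinst.exe listing, a MeltICE device name and a Method 05 check,
# separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"             # mov ax,0911h
    + b"\x8B\x17"                 # mov dx,[bx]
    + b"\xBE\x47\x46"             # mov si,4647h        (offset 13)
    + b"\xBF\x4D\x4A"             # mov di,4A4Dh        (offset 16)
    + b"\xCC"                     # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"          # '\\.\SICE',0        (offset 24)
    + b"\xB8\x4F\x00\xCD\x41"     # mov ax,4Fh; int 41h (offset 33)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```

Run it over a raw file's bytes (a DOS executable or an unpacked PE section) to get a list of suspect offsets to inspect in a disassembler; a hit is a lead, not proof, since short patterns such as the 3-byte mov can also occur by chance.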