<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with EBP='BCHK' and
AX=4, a loaded SoftICE answers the INT 3 by altering AL, so AL still
equal to 4 afterwards means no SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls
SoftICE's 'back door commands', which give information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed from the program's own INT 3 exception
  handler, which is only reached if the debugger is not loaded.
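As an added illustration (my own code, not from the original page, NuMega, or any of the packers it mentions): a hook sitting on INT 3, for instance an anti-anti-debug tool that wants to let ordinary breakpoints through while refusing to forward back-door calls, has to classify exactly what methods 01 and 02 put in the registers. The register-snapshot struct, the function names and the reconstructed six-command list are constructed for this example; the magic values are the ones listed above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <ctype.h>

/* Added example: classify an INT 3 by the register values methods 01/02 use.
 * The constants come from the text above; everything else is constructed here. */

#define BCHK_MAGIC    0x4243484Bu  /* EBP = 'BCHK', BoundsChecker interface (method 01) */
#define SICE_MAGIC_SI 0x4647u      /* SI = 'FG' (method 02) */
#define SICE_MAGIC_DI 0x4A4Du      /* DI = 'JM' (method 02) */

enum int3_class {
    INT3_PLAIN,            /* ordinary breakpoint, nothing special in the registers */
    INT3_BCHK_PROBE,       /* method 01: EBP='BCHK', AX=4 */
    INT3_BACKDOOR,         /* method 02: magic SI/DI and a listed function 0910h-0914h */
    INT3_BACKDOOR_UNKNOWN  /* magic SI/DI but a function number the text does not list */
};

/* Constructed snapshot of the registers at the INT 3 (a real hook gets a frame). */
struct int3_regs { uint32_t eax, esi, edi, ebp; };

enum int3_class classify_int3(const struct int3_regs *r)
{
    uint16_t ax = (uint16_t)r->eax;
    if (r->ebp == BCHK_MAGIC && ax == 0x0004)
        return INT3_BCHK_PROBE;
    if ((uint16_t)r->esi == SICE_MAGIC_SI && (uint16_t)r->edi == SICE_MAGIC_DI)
        return (ax >= 0x0910 && ax <= 0x0914) ? INT3_BACKDOOR : INT3_BACKDOOR_UNKNOWN;
    return INT3_PLAIN;
}

/* For AX=0911h the string at DS:DX goes to SoftICE's command line. HBOOT is the
 * one the text singles out (it reboots the machine); compare case-insensitively
 * after skipping leading blanks, and only accept it as a whole word. */
bool backdoor_cmd_is_destructive(const char *cmd)
{
    static const char want[] = "HBOOT";
    size_t i;
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    for (i = 0; want[i]; i++)
        if (toupper((unsigned char)cmd[i]) != want[i]) return false;
    return cmd[i] == '\0' || cmd[i] == ' ' || cmd[i] == '\t' || cmd[i] == '\r';
}

/* How many commands of an AX=0911h batch a hook should refuse to forward. */
size_t count_destructive(const char *const *cmds, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (backdoor_cmd_is_destructive(cmds[i])) bad++;
    return bad;
}

/* The six commands Haspinst.exe issues, reconstructed from the text above. */
static const char *const haspinst_cmds[] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };

size_t haspinst_destructive_count(void)
{
    return count_destructive(haspinst_cmds, sizeof haspinst_cmds / sizeof haspinst_cmds[0]);
}
```

Only the low 16 bits of EAX/ESI/EDI are compared, since the DOS code above loads AX, SI and DI; the BCHK probe, by contrast, needs the full 32-bit EBP.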
___________________________________________________________________________

Method 03
=========

A less-used method. It asks for the API entry point of the SoftICE VxD via
INT 2Fh/AX=1684h (Get VxD API entry point): ES:DI comes back as 0000:0000
if no VxD with that ID is loaded, and non-zero otherwise.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WinICE (SICE)
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). They first swap the INT 41h vector in the
real-mode IVT (ES must hold 0000h, as set up in Method 06) for a dummy
handler, so that whatever was installed there, for instance a handler meant
to hide the debugger, is out of the way. SoftICE handles INT 41h itself before
the interrupt is reflected to the vector table, so it still answers 0F386h;
without a debugger the dummy handler runs and AX keeps its value:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own INT 41h vector (offset)...
    xchg bx, es:[41h*4+2] ; ...and segment, keeping the old one in DX:BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                  ; dummy handler: leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to spot
because neither function 4Fh nor the magic number appears in the code.
The dummy handler copies AL into CL; AL holds a fresh value read from the
timer (port 40h) and CX was zeroed before the INT 41h. If the interrupt
reaches the program's own handler, CL == AL afterwards; if a system debugger
swallowed it first, CL is still 0 and the comparison fails.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; ES = 0000h, the IVT segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our own INT 41h vector (offset)...
    xchg bx, es:[41h*4+2] ; ...and segment, keeping the old one in DX:BX
    in al, 40h            ; PIT counter byte: a value the debugger cannot predict
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): INT 68h/AH=43h is
the debugger installation check, which again returns AX=0F386h.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can catch it
   from a 32-bit app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h), but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a pointer to its Device Description
Block (in ECX) if it is.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints (BPM) are set in DR0 to DR3. The values can be manipulated and
changed as well (clearing the BPMs, for instance).
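As an added example (not code from the original page), here is what a ring-0 check in the spirit of this method actually reads: a decoder for DR7 that tells which of the four slots are enabled and with what condition and size, the two whole-register values quoted above, and the inverse operations (programming a BPM slot, clearing all of them). The bit layout is the documented one for x86 debug registers; the function and struct names are my own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example: decode and manipulate DR7 as a method-10 style check would.
 * Layout (x86 debug registers):
 *   bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3   per-slot local/global enable
 *   bits 8/9   LE/GE                     exact-breakpoint flags
 *   bit 10     reserved, always reads 1  (hence the 0x400 baseline)
 *   bit 13     GD                        trap MOV to/from DRn
 *   bits 16+4n R/Wn, bits 18+4n LENn     condition and size of slot n
 * So 0x700 = LE | GE | bit 10, and 0x400 is just the reserved bit. */

enum bp_cond { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

struct dr7_slot {
    bool local, global;
    enum bp_cond cond;
    unsigned len;        /* 1, 2, 4 or 8 bytes */
};

struct dr7_state {
    struct dr7_slot slot[4];
    bool le, ge, gd;
    unsigned active;     /* slots with L or G set: the "BPMs are set" condition */
};

static unsigned len_decode(unsigned f) { static const unsigned t[4] = {1, 2, 8, 4}; return t[f & 3]; }
static unsigned len_encode(unsigned bytes)
{
    switch (bytes) { case 2: return 1; case 4: return 3; case 8: return 2; default: return 0; }
}

struct dr7_state dr7_decode(uint32_t dr7)
{
    struct dr7_state s = {0};
    for (int i = 0; i < 4; i++) {
        s.slot[i].local  = (dr7 >> (2 * i)) & 1;
        s.slot[i].global = (dr7 >> (2 * i + 1)) & 1;
        s.slot[i].cond   = (enum bp_cond)((dr7 >> (16 + 4 * i)) & 3);
        s.slot[i].len    = len_decode((dr7 >> (18 + 4 * i)) & 3);
        if (s.slot[i].local || s.slot[i].global) s.active++;
    }
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* The two whole-register values the text quotes: 0x700 vs 0x400. */
bool dr7_has_softice_loader_signature(uint32_t dr7) { return (dr7 & 0x700) == 0x700; }

/* "Memory breakpoints set": any slot enabled, whatever LE/GE say. */
bool dr7_has_bpm(uint32_t dr7) { return dr7_decode(dr7).active != 0; }

/* Program one slot the way a debugger's BPM command would; returns the new DR7. */
uint32_t dr7_set_bpm(uint32_t dr7, int slot, enum bp_cond cond, unsigned bytes, bool global)
{
    uint32_t field = (uint32_t)cond | (len_encode(bytes) << 2);
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= field << (16 + 4 * slot);
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    return dr7;
}

/* What "clearing the BPMs" from ring 0 amounts to: drop every enable bit and
 * condition field, keep LE/GE/GD and the reserved bit. */
uint32_t dr7_clear_bpm(uint32_t dr7) { return dr7 & 0x0000FF00u; }
```

Reading DR7 from ring 0 with `mov eax, dr7` and handing it to `dr7_decode` gives the full picture; note that a loader that sets only LE/GE still shows `active == 0`, so the 0x700 test and the BPM test answer two different questions.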

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; the open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00             ; OF_READ
    mov eax,[00656634]  ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax             ; HFILE_ERROR (-1) becomes 0...
    jnz 00650589        ; ...so non-zero means the open succeeded: detected
    push 00             ; OF_READ
    mov eax,[00656638]  ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae         ; not detected
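As an added example (my own code, not the page's sample, NuMega's nmtrans.dll or MeltICE), the same check extended to all three driver names the text lists, with the opener made injectable so the detection logic can be exercised where CreateFileA does not exist; the real CreateFileA opener is compiled only on Windows. `softice_device_tag` is the C equivalent of the BPX condition `*(esp->4+4)=='SICE' || ...` above: skip the four-byte `\\.\` prefix of the first argument and compare the next four bytes. The two fake openers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added example, not from the page, nmtrans.dll or MeltICE: the CreateFileA
 * check over every driver name the text lists, with the opener injectable. */

/* Device names the text lists: SICE and SIWVID (Win9x), NTICE (WinNT). */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* An opener reports whether the device could be opened (and closes it again). */
typedef bool (*open_device_fn)(const char *path);

/* Name of the first SoftICE device that opens, or NULL if none does. */
const char *softice_detect(open_device_fn open_dev)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (open_dev(softice_devices[i])) return softice_devices[i];
    return NULL;
}

#ifdef _WIN32
/* The real opener: the page's CreateFile call, handle closed right away. */
bool open_device_win32(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return false;
    CloseHandle(h);
    return true;
}
#endif

/* C rendering of the breakpoint condition *(esp->4+4)=='SICE' || ... :
 * the first CreateFileA argument is the path; offset 4 skips "\\.\" and the
 * next four bytes are compared with the tags the BPX lists. Returns the
 * matching tag or NULL. */
const char *softice_device_tag(const char *path)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8) return NULL;
    for (size_t i = 0; i < 3; i++)
        if (memcmp(path + 4, tags[i], 4) == 0) return tags[i];
    return NULL;
}

/* Constructed openers standing in for two machines: one where only the
 * SIWVID driver answers, and one without SoftICE at all. */
bool fake_open_siwvid_only(const char *path) { return strcmp(path, "\\\\.\\SIWVID") == 0; }
bool fake_open_nothing(const char *path)     { (void)path; return false; }
```

On Windows, `softice_detect(open_device_win32)` performs the real check; the `_lopen` variant shown above differs only in the opener, so it plugs into the same loop.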

__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in keys #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).
It returns with the Zero flag clear if a debugger is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>