<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
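Added example, not part of the original text: a small static scanner in Python for the instruction sequences and strings described in Methods 01 to 07, 11 and 13 above, the way an analyst would triage a packed sample for anti-SoftICE stubs without running it. The byte encodings, the signature names and the sample buffer are my own assumptions.

```python
import re

# x86 byte patterns for the anti-SoftICE stubs this text describes. The BCHK
# stub is given in its 32-bit encoding (mov ebp,imm32 = BD), the interrupt
# based ones in 16-bit encoding; ".{0,8}?" tolerates a few bytes of other
# code between the instructions. Encodings are my own assumptions.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3            (Method 01)
    "bchk_int3":      rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # mov si,4647h ... mov di,4A4Dh ... int 3         (Method 02 back door)
    "backdoor_magic": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh (Methods 03/04)
    "int2f_vxd_id":   rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # mov ax,4Fh ; int 41h                            (Methods 05/06)
    "int41_4f":       rb"\xB8\x4F\x00\xCD\x41",
    # mov ah,43h ; int 68h                            (Method 07)
    "int68_43":       rb"\xB4\x43\xCD\x68",
    # \\.\SICE, \\.\SIWVID, \\.\NTICE device names    (Method 11, MeltICE)
    "device_name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # registry probe                                  (Method 13)
    "registry_key":   rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return sorted (offset, signature_name) pairs for every stub found in data."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real file): NOP filler with a Method 01
# stub, a Method 03 stub and a MeltICE device name embedded at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # offset 16
    + b"\x90" * 8
    + b"\xB8\x84\x16\x31\xFF\x8E\xC7\xBB\x02\x02\xCD\x2F"  # offset 36
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                   # offset 56
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:08x}  {name}")
```

Run against a real binary by reading it with open(path, "rb") and passing the bytes to scan(); a hit only says the stub bytes are present, so confirm it in a disassembler before relying on it.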

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>