About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: int 3 is raised
with EBP = 'BCHK' and AX = 4; when SoftICE is loaded it services the call
and AL no longer holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> nobody answered for that VxD ID
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must be 0 (the IVT) here, as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx (seg:off)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone: if it is
    jz      SoftICE_detected        ; F386h now, something else answered

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy the value read from port 40h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable value
    xor     cx,cx                   ; cl = 0, only our handler can set it
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; handler never ran -> int 41h was intercepted
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


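The sequences of Methods 01 to 07 are fixed instruction encodings, so the fastest way to know which of them a packer carries is to scan the unpacked image for the opcode bytes before ever stepping into it. The scanner below is an added example, not code from the original article: the patterns are my encodings of the snippets above (16-bit code for the DOS tricks, 32-bit code for Method 01), "??" is a wildcard for bytes like the rel8 of a jnz, and the sample buffer is constructed for the demo.

```c
/* Added example: hex-pattern scanner for the anti-SoftICE sequences of
 * methods 01-07. Patterns are the byte encodings of the article's snippets;
 * "??" matches any byte. The SAMPLE buffer is constructed, not from a real file. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    const char *name;   /* which method of the article it matches */
    const char *hex;    /* space-separated bytes, "??" = any byte */
} sig_t;

/* 16-bit encodings for the DOS-style tricks; method 01 assumes 32-bit code
 * (mov ebp,imm32 and a 66-prefixed mov ax,imm16). */
static const sig_t SIGS[] = {
    { "01 BoundsChecker int3 (ebp='BCHK', ax=4)", "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 ??" },
    { "02 SoftICE back door (si='FG', di='JM')",   "BE 47 46 BF 4D 4A CC" },
    { "03 int 2Fh/1684h, VxD 0202 (SICE)",         "B8 84 16 BB 02 02 CD 2F" },
    { "04 int 2Fh/1684h, VxD 7A5F (SIWVID)",       "B8 84 16 BB 5F 7A CD 2F" },
    { "05 int 41h/4Fh, cmp ax,0F386h",             "B8 4F 00 CD 41 3D 86 F3" },
    { "07 int 68h/43h, cmp ax,0F386h",             "B4 43 CD 68 3D 86 F3" },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
#define MAX_PAT 32

/* Parse "BD 4B ?? 42" into byte values plus a mask (0 = wildcard). */
static int parse_hex(const char *hex, unsigned char *val, unsigned char *mask)
{
    int n = 0;
    while (*hex && n < MAX_PAT) {
        while (*hex == ' ') hex++;
        if (!*hex) break;
        if (hex[0] == '?' && hex[1] == '?') { val[n] = 0; mask[n] = 0; }
        else {
            unsigned v;
            if (sscanf(hex, "%2x", &v) != 1) return -1;
            val[n] = (unsigned char)v; mask[n] = 0xFF;
        }
        n++; hex += 2;
    }
    return n;
}

/* Offset of the first match of SIGS[idx] in buf, or -1 if absent. */
long find_sig(const unsigned char *buf, size_t len, size_t idx)
{
    unsigned char val[MAX_PAT], mask[MAX_PAT];
    int n = parse_hex(SIGS[idx].hex, val, mask);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t off = 0; off + n <= len; off++) {
        int i;
        for (i = 0; i < n; i++)
            if ((buf[off + i] & mask[i]) != val[i]) break;
        if (i == n) return (long)off;
    }
    return -1;
}

/* Run every signature over the buffer, print hits, return their number. */
int scan_image(const unsigned char *buf, size_t len)
{
    int hits = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        long off = find_sig(buf, len, i);
        if (off >= 0) {
            printf("+%04lx  method %s\n", (unsigned long)off, SIGS[i].name);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: method 01 at +2, a near miss (mov bx,0202h with no
 * int 2Fh), then method 03 complete at +24. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,
    0xBB, 0x02, 0x02, 0x90,                  /* near miss */
    0x33, 0xFF, 0x8E, 0xC7,                  /* xor di,di / mov es,di */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,
};
const unsigned char *sample(void) { return SAMPLE; }
size_t sample_len(void) { return sizeof SAMPLE; }

int main(void)
{
    int n = scan_image(SAMPLE, sizeof SAMPLE);
    printf("%d anti-SoftICE signature(s) found\n", n);
    return 0;
}
```

Packers that reorder the register loads or split the sequence with junk will slip past exact patterns; add wildcards, or match on the pair that cannot change (the int plus its immediate, e.g. `BB 02 02 ... CD 2F`) once you know which variant you are facing.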
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine   ; ds must hold its segment
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

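The two DR7 values quoted above make sense once the register is decoded: bit 10 is reserved and always reads as 1, which is why an idle DR7 is 0x400, and 0x700 adds the LE and GE "exact breakpoint" bits (8 and 9) that the loader sets; a BPM shows up as one of the L0-L3/G0-G3 enable bits plus an address in DR0-DR3. The decoder below is an added example, not code from the original article: the field layout is Intel's, the sample values are constructed, and reading DR7 for real needs ring 0 (mov eax,dr7), which this portable code does not attempt.

```c
/* Added example: decode DR7 and apply the check a protector would run once it
 * can read the debug registers in ring 0. Field layout per the Intel manual;
 * sample values are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    int enabled;      /* L or G bit set for this slot */
    int global;       /* G bit */
    const char *kind; /* "exec", "write", "io", "rw" */
    int len;          /* 1, 2, 4 or 8 bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le, ge;       /* bits 8, 9: local/global exact breakpoint enable */
    int gd;           /* bit 13: general detect, traps mov to/from DRx */
    int armed;        /* any slot enabled */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    static const int lens[4] = { 1, 2, 8, 4 };   /* LEN: 00=1, 01=2, 10=8, 11=4 */
    dr7_t d = {0};
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1, g = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].enabled = l | g;
        d.slot[i].global = g;
        d.slot[i].kind = kinds[(dr7 >> (16 + 4 * i)) & 3];   /* R/Wn */
        d.slot[i].len  = lens[(dr7 >> (18 + 4 * i)) & 3];    /* LENn */
        d.armed |= d.slot[i].enabled;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* 1 if DR7 arms any slot or any of DR0-DR3 holds an address: a BPM is set. */
int debug_regs_suspicious(uint32_t dr7, const uint32_t dr0_3[4])
{
    dr7_t d = decode_dr7(dr7);
    if (d.armed) return 1;
    for (int i = 0; i < 4; i++) if (dr0_3[i]) return 1;
    return 0;
}

void print_dr7(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d\n", dr7, d.le, d.ge, d.gd, d.armed);
    for (int i = 0; i < 4; i++)
        if (d.slot[i].enabled)
            printf("  DR%d: %s, len %d, %s\n", i, d.slot[i].kind,
                   d.slot[i].len, d.slot[i].global ? "global" : "local");
}

/* Constructed samples: the two values the article quotes, then a BPM-style
 * global 4-byte write breakpoint in slot 0 at a made-up address. */
const uint32_t DEMO_NONE[4] = { 0, 0, 0, 0 };
const uint32_t DEMO_BPM_ADDR[4] = { 0x00401000, 0, 0, 0 };
const uint32_t DEMO_BPM_DR7 = 0x400 | (1u << 1) | (1u << 16) | (3u << 18); /* 0xD0402 */

int main(void)
{
    print_dr7(0x400);
    print_dr7(0x700);
    print_dr7(DEMO_BPM_DR7);
    printf("suspicious: plain=%d loader=%d bpm=%d\n",
           debug_regs_suspicious(0x400, DEMO_NONE),
           debug_regs_suspicious(0x700, DEMO_NONE),
           debug_regs_suspicious(DEMO_BPM_DR7, DEMO_BPM_ADDR));
    return 0;
}
```

Note that LE/GE alone do not prove a debugger is attached; they only say something set them, which is why the text ties 0x700 to the loader rather than to SoftICE being resident. The armed bits and non-zero DR0-DR3 are the reliable tell.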
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag so that the
handle can be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

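The "classical" breakpoint above reduces to one test: the four bytes at offset 4 of the name (past `\\.\`) are SICE, SIWV or NTIC. The code below, an added example and not part of the original article or of MeltICE, writes that test as the filter a CreateFileA or _lopen hook would use to make the probe fail the way it does on a machine without SoftICE. The device names are the ones the text lists; the Win32 wrapper is only compiled on Windows, and `orig_CreateFileA` is an assumed pointer that whatever detour you install must point at the real function (or its trampoline).

```c
/* Added example: the name filter behind "BPX CreateFileA if *(esp->4+4)=='SICE'",
 * usable inside a CreateFileA/_lopen hook to hide the SoftICE devices from a
 * MeltICE-style probe. Device names from the text; sample paths constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Devices MeltICE opens: SICE and SIWVID on Win9x, NTICE on NT. */
static const char *SOFTICE_DEVICES[] = { "SICE", "SIWVID", "NTICE" };

/* Skip the "\\.\" (or "//./") device prefix; NULL if it is not a device path. */
static const char *device_part(const char *path)
{
    if (!path || strlen(path) < 4) return NULL;
    int bs = path[0] == '\\' && path[1] == '\\' && path[2] == '.' && path[3] == '\\';
    int fs = path[0] == '/'  && path[1] == '/'  && path[2] == '.' && path[3] == '/';
    return (bs || fs) ? path + 4 : NULL;
}

/* Case-insensitive whole-string compare. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == 0 && *b == 0;
}

/* 1 if `path` names one of the SoftICE devices. Unlike the BPX, the whole
 * device name is compared, so "\\.\SICEX" is not a probe and "\\.\siwvid" is. */
int is_softice_probe(const char *path)
{
    const char *dev = device_part(path);
    if (!dev) return 0;
    for (size_t i = 0; i < sizeof SOFTICE_DEVICES / sizeof *SOFTICE_DEVICES; i++)
        if (name_equal(dev, SOFTICE_DEVICES[i])) return 1;
    return 0;
}

/* What the breakpoint condition literally checks: the dword at offset 4 of
 * the string, i.e. four bytes in memory order, exact case. */
int bpx_prefix_matches(const char *path)
{
    if (!path || strlen(path) < 8) return 0;
    return memcmp(path + 4, "SICE", 4) == 0 || memcmp(path + 4, "SIWV", 4) == 0
        || memcmp(path + 4, "NTIC", 4) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed: your detour installer saves the real CreateFileA (or its
 * trampoline) here before redirecting the import to hooked_CreateFileA. */
static HANDLE (WINAPI *orig_CreateFileA)(LPCSTR, DWORD, DWORD,
    LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE) = CreateFileA;

HANDLE WINAPI hooked_CreateFileA(LPCSTR name, DWORD access, DWORD share,
                                 LPSECURITY_ATTRIBUTES sa, DWORD disp,
                                 DWORD flags, HANDLE tmpl)
{
    if (is_softice_probe(name)) {          /* answer as if no driver existed */
        SetLastError(ERROR_FILE_NOT_FOUND);
        return INVALID_HANDLE_VALUE;
    }
    return orig_CreateFileA(name, access, share, sa, disp, flags, tmpl);
}
#endif

int main(void)
{
    /* Constructed sample of names a protector might open. */
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\NTICE",
                            "\\\\.\\SICEX", "C:\\SICE.TXT", "\\\\.\\PhysicalDrive0" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-22s probe=%d bpx=%d\n", names[i],
               is_softice_probe(names[i]), bpx_prefix_matches(names[i]));
    return 0;
}
```

The two functions disagree on purpose: the dword compare in the BPX is exact, so it fires on any name starting with those four letters and misses a differently-cased probe, whereas a hook that is meant to hide the driver should match the complete device name, case-insensitively, and nothing else.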
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ORD_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of the 'tICE'
of SoftICE inside the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
% c! S' d; @1 K1 v</PRE></TD></TR></TBODY></TABLE>