<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK' - BoundsChecker interface magic
 mov ax, 04h
 int 3                  ; SoftICE's BoundsChecker interface changes al
 cmp al,4               ; al still 4 -> nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point (stays 0 if not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point (stays 0 if not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax              ; es -> interrupt vector table (segment 0), as in method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install our own int 41h handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h                ; a debugger hooking int 41h answers with ax=0F386h
 xchg dx, es:[41h*4]    ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                   ; does nothing: ax stays 4fh if nobody else answers
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al              ; our handler copies al into cl
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax              ; es -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h             ; random-looking value from the timer port
 xor cx,cx
 int 41h                ; if our handler really ran, cl == al afterwards
 xchg dx, es:[41h*4]    ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h            ; DOS: set interrupt vector
 mov al, Int_Number     ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the Win9x SoftICE driver can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
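The breakpoints above only help while the sample is running under SoftICE. For triage of a file on disk, the same tricks can be found statically, since each leaves a recognisable byte pattern (the 'BCHK' constant of method 01, the 4647h/4A4Dh magic of method 02, the int 2Fh/1684h sequence of methods 03 and 04, the int 41h/4Fh check of method 05, the int 68h call of method 07, the 002A002Ah VxDCall of method 12 and the driver names of method 11). The scanner below is an added example and not code from the original text: the byte sequences are hand-assembled from the listings on this page (assuming 16-bit code for the DOS methods and 32-bit code for method 12), and the sample buffer is constructed here for the demonstration.

```python
"""Static scanner for the SoftICE-detection byte patterns described on this page.

Added example (not from the original article).  Each signature is the
hand-assembled x86 encoding of the instructions shown in the listings:
16-bit operand size is assumed for the DOS methods, 32-bit for method 12.
"""
import re
import sys

# name -> regex over raw bytes
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 (optional 66h prefix) ; int 3
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ; int 3 within 16 bytes
    "M02 back-door magic SI=4647h/DI=4A4Dh":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"
        rb"[\x00-\xff]{0,16}?(?:\xCC|\xCD\x03)",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h with SICE/SIWVID VxD id":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): the driver device names as NUL-terminated strings
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah (VWIN32_Int41Dispatch)
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes):
    """Return a sorted list of (offset, signature_name) hits found in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


def report(blob: bytes) -> str:
    """Human-readable one-line-per-hit summary of scan(blob)."""
    hits = scan(blob)
    if not hits:
        return "no SoftICE-detection patterns found"
    return "\n".join(f"{off:08x}  {name}" for off, name in hits)


# Constructed sample: NOP filler around a few hand-assembled trick sequences.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"      # M02: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"              # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                  # M12: push 4Fh; push 002A002Ah
    + b"\\\\.\\SICE\x00"                               # M11: "\\.\SICE"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(data))
```

On the constructed sample the scanner reports five hits, one per embedded trick; the M02 hit points at the `mov si,4647h` rather than the preceding `mov ax,0911h`, because the function code varies while the magic values do not. Being pure byte matching, it sees only the literal encodings above: a packer that builds the constants at run time, or uses a different register or addressing form, is not matched.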

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>