<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: if
SoftICE is loaded it services the request and AL no longer holds 4 on
return; otherwise the int 3 returns with AX unchanged.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD entry point via int 2Fh/1684h
(Get VxD API entry point); a non-zero ES:DI means the VxD is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler before the call: since SoftICE intercepts int 41h itself, it still
answers 0F386h, whereas without it the dummy iret leaves AX untouched.

    xor ax,ax
    mov es,ax            ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
never uses function 4Fh and never compares against 0F386h. The dummy handler
copies AL into CL; AL holds a value just read from the timer port 40h, and CX
is cleared before the call. Without SoftICE the dummy handler runs and CL
equals AL; if SoftICE intercepts int 41h the handler is never reached and CL
is still 0 (the check misses only when the timer byte happens to be 0).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP
    is located at [ebp+48h] for 32-bit apps)
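The checks of Methods 01 to 07 all boil down to a few fixed immediates
followed by an INT. As an added example (not code from the original text),
here is a small C scanner that looks for those byte patterns in a raw code
image, the way you would triage a packed DOS/Win9x binary before running it
under SoftICE. The patterns are the 16-bit real-mode encodings of the
instructions shown above; SAMPLE is a constructed buffer hand-assembled from
the Haspinst.exe listing and the Method 01 snippet, not a real file. Each
signature is an anchor fragment plus other fragments that must occur within a
few bytes of it, so register order and interleaved instructions do not break
the match.

```c
/* sice_sigscan.c: find the SoftICE checks of Methods 01..07 in a raw code
 * image.  Added example, not code from the original text.  The byte patterns
 * are the 16-bit real-mode encodings of the instructions shown above; SAMPLE
 * is a constructed buffer hand-assembled from the listings, not a real file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 3
#define MAX_HITS  32

typedef struct {
    const char    *name;
    const uint8_t *frag[MAX_FRAGS]; /* frag[0] anchors the hit; the others   */
    size_t         len[MAX_FRAGS];  /* must lie within +/- window bytes of it */
    int            nfrag;
    size_t         window;
} sig_t;

typedef struct { const char *name; size_t offset; } hit_t;

static const uint8_t BCHK[]    = {0xBD,0x4B,0x48,0x43,0x42}; /* mov (e)bp,4243484Bh */
static const uint8_t SI_FG[]   = {0xBE,0x47,0x46};           /* mov si,4647h        */
static const uint8_t DI_JM[]   = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh        */
static const uint8_t AX_4F[]   = {0xB8,0x4F,0x00};           /* mov ax,4Fh          */
static const uint8_t IN_40[]   = {0xE4,0x40};                /* in al,40h           */
static const uint8_t AH_43[]   = {0xB4,0x43};                /* mov ah,43h          */
static const uint8_t AX_1684[] = {0xB8,0x84,0x16};           /* mov ax,1684h        */
static const uint8_t BX_SICE[] = {0xBB,0x02,0x02};           /* mov bx,0202h        */
static const uint8_t BX_SIWV[] = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh        */
static const uint8_t INT3[]    = {0xCC};
static const uint8_t INT41[]   = {0xCD,0x41};
static const uint8_t INT68[]   = {0xCD,0x68};
static const uint8_t INT2F[]   = {0xCD,0x2F};

static const sig_t SIGS[] = {
    {"M01 'BCHK' + int 3",       {BCHK, INT3},              {sizeof BCHK, sizeof INT3}, 2, 16},
    {"M02 int 3 back door",      {SI_FG, DI_JM, INT3},      {sizeof SI_FG, sizeof DI_JM, sizeof INT3}, 3, 16},
    {"M03 int 2Fh/1684h SICE",   {AX_1684, BX_SICE, INT2F}, {sizeof AX_1684, sizeof BX_SICE, sizeof INT2F}, 3, 16},
    {"M04 int 2Fh/1684h SIWVID", {AX_1684, BX_SIWV, INT2F}, {sizeof AX_1684, sizeof BX_SIWV, sizeof INT2F}, 3, 16},
    {"M05 int 41h/4Fh",          {AX_4F, INT41},            {sizeof AX_4F, sizeof INT41}, 2, 32},
    {"M06 in al,40h + int 41h",  {IN_40, INT41},            {sizeof IN_40, sizeof INT41}, 2, 8},
    {"M07 int 68h/43h",          {AH_43, INT68},            {sizeof AH_43, sizeof INT68}, 2, 16},
};

/* Does `frag` occur anywhere within +/- window bytes of offset `at`? */
static int found_near(const uint8_t *buf, size_t n, size_t at, size_t window,
                      const uint8_t *frag, size_t flen)
{
    size_t lo = at > window ? at - window : 0;
    size_t hi = at + window < n ? at + window : n;
    for (size_t i = lo; i + flen <= hi; i++)
        if (memcmp(buf + i, frag, flen) == 0)
            return 1;
    return 0;
}

/* Scan buf[0..n) for every signature; returns the number of hits stored. */
size_t scan_sice_sigs(const uint8_t *buf, size_t n, hit_t *hits, size_t maxhits)
{
    size_t nhits = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        const sig_t *sg = &SIGS[s];
        for (size_t i = 0; i + sg->len[0] <= n; i++) {
            if (memcmp(buf + i, sg->frag[0], sg->len[0]) != 0)
                continue;
            int ok = 1;
            for (int k = 1; k < sg->nfrag && ok; k++)
                ok = found_near(buf, n, i, sg->window, sg->frag[k], sg->len[k]);
            if (ok && nhits < maxhits) {
                hits[nhits].name = sg->name;
                hits[nhits].offset = i;
                nhits++;
            }
        }
    }
    return nhits;
}

/* Constructed sample: the Haspinst.exe fragment 4C19:0095..00AE followed by
 * the Method 01 sequence, both hand-assembled from the listings above. */
const uint8_t SAMPLE[] = {
    0xB8,0x11,0x09, 0x8B,0x17,                  /* 0095 mov ax,0911h ; mov dx,[bx]     */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A,             /* 009A mov si,4647h ; mov di,4A4Dh    */
    0xCC,                                       /* 00A0 int 3                          */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06,       /* 00A1 add bx,2 ; inc cx ; cmp cx,6   */
    0x72,0xEB, 0xE9,0x55,0xFF, 0x8B,0xDC,       /* 00A8 jb 0095 ; jmp 0002 ; mov bx,sp */
    0x66,0xBD,0x4B,0x48,0x43,0x42,              /* mov ebp,4243484Bh ('BCHK')          */
    0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x00, /* mov ax,4 ; int 3 ; cmp al,4 ; jnz   */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    hit_t hits[MAX_HITS];
    size_t n = scan_sice_sigs(SAMPLE, SAMPLE_LEN, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        printf("%-28s at offset 0x%02zx\n", hits[i].name, hits[i].offset);
    return 0;
}
```

On the sample the scanner reports the Method 01 sequence (anchor at offset
27, the `mov ebp` after its 66h prefix) and the Method 02 back door (anchor at
offset 5, the `mov si,4647h`). A packed binary will only show these once the
unpacking stub has run, so dump the process image from SoftICE first and
feed that to the scanner.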
__________________________________________________________________________

Method 08
=========

It is not a method of SoftICE detection but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); AL holds
the interrupt number and DS:DX points to the new routine to execute (hangs
the computer...)

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; DS:DX -> new handler (DS must hold its segment)
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).
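To see what the 0x700/0x400 values above actually encode, here is an added C
example (not from the original text) that decodes a DR7 value the way a ring0
check would: which of the four breakpoint slots are armed (a SoftICE BPM), the
LE/GE bits that make up the difference between 0x700 and 0x400, and the
"clear BPMs" manipulation. A VxD would obtain the value with `mov eax, dr7`
and write it back with `mov dr7, eax`; since that is ring0 only, the values
here are passed in as parameters so the program runs anywhere. The bit layout
is the IA-32 DR7 layout; the 0x700-means-SoftICE-loader rule is the page's
own claim, encoded as a heuristic.

```c
/* dr7_decode.c: interpret the debug-register values Method 10 talks about.
 * Added example, not from the original text.  Values are passed in because
 * "mov eax, dr7" is ring 0 only; the bit layout is the IA-32 DR7 layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int local_en, global_en; /* Lx / Gx bits: breakpoint slot x is armed      */
    int rw;                  /* 0 = exec, 1 = write, 2 = I/O, 3 = read/write  */
    int len;                 /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes          */
} drslot_t;

typedef struct {
    drslot_t slot[4];
    int le, ge;              /* bits 8/9: local/global exact breakpoint       */
    int gd;                  /* bit 13: general detect (traps MOV to/from DRn) */
    int armed;               /* number of slots with L or G set               */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        d.slot[i].local_en  = (dr7 >> (2 * i)) & 1;
        d.slot[i].global_en = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len = (dr7 >> (18 + 4 * i)) & 3;
        if (d.slot[i].local_en || d.slot[i].global_en)
            d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The page's heuristic: the SoftICE loader leaves LE|GE set (0x700), while a
 * normally started program only sees the always-set bit 10 (0x400). */
int dr7_looks_like_sice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* True if any hardware breakpoint (a SoftICE BPM) is armed in DR7. */
int dr7_bpm_set(uint32_t dr7)
{
    return (dr7 & 0xFF) != 0;
}

/* "Clearing BPMs": drop every L/G enable bit and the RW/LEN fields, keep
 * bit 10 and the LE/GE/GD control bits.  A VxD would write the result back
 * with "mov dr7, eax" and also zero dr0..dr3. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & 0x00002700u;
}

static void show(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    printf("dr7=%08x  LE=%d GE=%d GD=%d armed=%d  loader=%d bpm=%d\n",
           dr7, d.le, d.ge, d.gd, d.armed,
           dr7_looks_like_sice_loader(dr7), dr7_bpm_set(dr7));
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local_en || d.slot[i].global_en)
            printf("  dr%d: %s rw=%d len=%d\n", i,
                   d.slot[i].global_en ? "global" : "local",
                   d.slot[i].rw, d.slot[i].len);
}

int main(void)
{
    show(0x400);        /* plain program, nothing armed            */
    show(0x700);        /* started through the SoftICE loader      */
    show(0x000F0702u);  /* loader + one 4-byte R/W BPM in dr0 (G0) */
    return 0;
}
```

The third constructed value, 0x000F0702, is what a `BPM dword RW` on the
address held in dr0 looks like from ring0: G0 set, RW0=3, LEN0=3 on top of the
loader's 0x700. `dr7_clear_bpm` turns it back into 0x700, which is exactly why
the warning above tells you to clear your breakpoints before tracing a
program that does this.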

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver accepts an open: only the VxD
 * itself can satisfy a request for \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old Win16-style _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004fh  ; function 4fh
    push 002a002ah  ; high word specifies which VxD (VWIN32),
                    ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h  ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where 'tICE'
sits inside key #2 and key #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>