<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with the magic
value 'BCHK' in EBP and AX=4, the INT 3 is answered by SoftICE and AL no
longer holds 4 on return; without a debugger the INT 3 falls through to the
default handler and AL stays 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls
SoftICE's 'back door' INT 3 interface, which gives information on
breakpoints, executes SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; back door call (if SoftICE is not loaded, jump to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler for
  INT 3, which only gets control if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (the 'Get VxD API entry point' function). If the VxD is not
loaded, ES:DI comes back as 0000:0000.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when INT 41h is called with function 4Fh (debugger
installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is first pointed at a
handler that simply returns, so the only way AX can come back as 0F386h is
if SoftICE intercepted the interrupt before it reached the real-mode vector:

    xor ax,ax
    mov es,ax               ; ES = 0000h, the real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but harder to spot: neither 4Fh nor
0F386h appears in the code. A byte read from the PIT counter (port 40h) is
used as a non-constant value; our own handler copies it from AL to CL, so
CL != AL afterwards means the interrupt never reached our handler because
SoftICE handled it first. (If the byte read happens to be 0, CL and AL
compare equal anyway and the check misses: a 1-in-256 false negative.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES = 0000h, the real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; non-constant byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on INT 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) or whether some memory breakpoints (BPM) are set (DR0 to
DR3, with their enable and type bits in DR7) simply by reading their values.
The values can be manipulated or changed as well (clearing BPMs, for
instance).

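As an added example (not code from the original text), here is how a ring-0
check of the kind described above interprets what it reads: the DR7 bit
layout is decoded to list the armed BPMs and to build the value written back
to clear them. The bit layout is the architectural one; the loader heuristic
(DR7 == 0x700) is the text's own claim and is applied as stated. The register
values are constructed, since reading the real ones requires ring 0.

```python
"""Decode the debug registers the way the ring-0 check in method 10 reads them.

Added example, not code from the text. The bit layout is the architectural DR7
layout (L0/G0..L3/G3 in bits 0-7, LE/GE in bits 8-9, R/W and LEN fields in
bits 16-31); the SoftICE-specific reading of DR7 == 0x700 (LE and GE set when
the program was started from the SoftICE loader, 0x400 otherwise) is the
text's own observation and is applied here as stated. The register values
used below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 10b = 8 bytes exists only in 64-bit mode
ENABLE = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}


@dataclass
class HwBreakpoint:
    index: int        # which of DR0..DR3 holds the address
    address: int
    kind: str         # execute / write / read-write / io
    length: int       # bytes covered
    enable: str       # local, global or both


def decode_breakpoints(dr7: int, dr0_3: tuple[int, int, int, int]) -> list[HwBreakpoint]:
    """List the hardware breakpoints (SoftICE BPMs) that DR7 currently enables."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], ENABLE[(local, glob)]))
    return bps


def started_from_softice_loader(dr7: int) -> bool:
    """The text's heuristic: LE and GE (bits 8 and 9) set, i.e. DR7 == 0x700."""
    return (dr7 & 0x300) == 0x300


def clear_bpms(dr7: int) -> int:
    """DR7 value that disables all four breakpoints. Bit 10 is architecturally
    always 1, so it and the LE/GE/GD bits are kept; only the enable, R/W and
    LEN fields are cleared (what the text calls 'clearing BPMs')."""
    return dr7 & 0x0000_FF00


def encode_bpm(index: int, kind: str, length: int, *, glob: bool = False) -> int:
    """DR7 bits a debugger sets for one breakpoint (the inverse of decode)."""
    rw = next(k for k, v in RW_KIND.items() if v == kind)
    ln = next(k for k, v in LEN_BYTES.items() if v == length)
    enable = 1 << (2 * index + 1) if glob else 1 << (2 * index)
    return enable | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    # Constructed: program started from the SoftICE loader, with one
    # 'BPM 401000 W DWORD'-style breakpoint armed in DR0.
    dr7 = 0x700 | encode_bpm(0, "write", 4)
    for bp in decode_breakpoints(dr7, (0x401000, 0, 0, 0)):
        print(f"DR{bp.index}: {bp.kind} {bp.length} bytes at {bp.address:08x} ({bp.enable})")
    print(f"loader: {started_from_softice_loader(dr7)}, DR7 after clearing: {clear_bpms(dr7):#x}")
```

A protection that only tests DR7 against 0x700 is fooled by simply not using
the loader; one that decodes the enable bits sees every BPM, which is why the
warning at the top of this method tells you to clear them first.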
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver answers the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE (-1)
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((

Useful breakpoint to detect it (the offsets are those of 'tICE' inside the
subkey strings "Software\NuMega\SoftICE" (0x13) and
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (0x37)):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>