<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own handler (es must address the IVT)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


A second method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler records al in cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es -> IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (timer counter) in al
        xor cx,cx
        int 41h                 ; if our handler runs, cl becomes al
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: int 41h was intercepted elsewhere
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========
This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
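As an added illustration (not from the original text), here is a small C decoder for DR7 that shows what the two values quoted above mean: 0x400 is just the reserved bit 10, which always reads as 1, and 0x700 adds the LE and GE "exact breakpoint" bits; the same routine also tells which of dr0-dr3 currently carry an armed breakpoint. The bit layout is the documented x86 one; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (x86 debug control register). Added example. */
struct dr7_info {
    int enabled[4];      /* breakpoint n armed: L_n (bit 2n) or G_n (bit 2n+1) set */
    int rw[4];           /* R/W_n: 0 = execute, 1 = write, 3 = read/write          */
    int len[4];          /* LEN_n: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes            */
    int le, ge, gd;      /* local exact (bit 8), global exact (bit 9), GD (bit 13) */
    int reserved_bit10;  /* bit 10 is reserved and always reads as 1: the 0x400   */
};

static struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n))     & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        d.enabled[n] = local | global;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;   /* bits 16-17, 20-21, 24-25, 28-29 */
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3;   /* bits 18-19, 22-23, 26-27, 30-31 */
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of armed hardware breakpoints (BPMs, in SoftICE terms). */
static int count_enabled_bpm(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += d.enabled[i];
    return n;
}

int main(void)
{
    /* Constructed sample values: the two quoted in the text, plus 0x700 with
     * DR1 armed as a 4-byte read/write breakpoint (L1 | RW1=3 | LEN1=3). */
    uint32_t samples[] = { 0x400, 0x700, 0x700 | (1u << 2) | (3u << 20) | (3u << 22) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%#010x LE=%d GE=%d bit10=%d armed=%d\n", (unsigned)samples[i],
               d.le, d.ge, d.reserved_bit10, count_enabled_bpm(samples[i]));
    }
    return 0;
}
```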

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
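The breakpoint conditions of methods 11 and 13 both use the SoftICE idiom *(ptr+off)=='XXXX'. The following C program is an added example, not part of the original article: it models that comparison as a little-endian dword matched against the four characters in memory order (which is what makes the quoted conditions fire on these strings), and checks the quoted offsets (4 past the "\\.\" prefix, 0x13 and 0x37 inside the registry paths) against constructed copies of the strings the text names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dword at s+off as a debugger reads it from memory (little-endian).
 * The caller checks that the string holds at least off+4 bytes. */
static uint32_t dword_at(const char *s, size_t off)
{
    uint32_t v;
    memcpy(&v, s + off, sizeof v);
    return v;
}

/* Value the SoftICE constant 'ABCD' stands for when compared with memory:
 * A at the lowest address. Built by hand because a C multi-character
 * constant has an implementation-defined value. */
static uint32_t tag(const char *four)
{
    return  (uint32_t)(unsigned char)four[0]
         | ((uint32_t)(unsigned char)four[1] << 8)
         | ((uint32_t)(unsigned char)four[2] << 16)
         | ((uint32_t)(unsigned char)four[3] << 24);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. */
static int createfile_bp_hits(const char *lpFileName)
{
    if (strlen(lpFileName) < 8) return 0;   /* "\\.\" plus four characters */
    uint32_t v = dword_at(lpFileName, 4);
    return v == tag("SICE") || v == tag("SIWV") || v == tag("NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 and 0x37 are where "SoftICE" sits in keys #2 and #1. */
static int regopenkey_bp_hits(const char *lpSubKey)
{
    size_t n = strlen(lpSubKey);
    return (n >= 0x13 + 4 && dword_at(lpSubKey, 0x13) == tag("tICE"))
        || (n >= 0x37 + 4 && dword_at(lpSubKey, 0x37) == tag("tICE"));
}

int main(void)
{
    /* Constructed inputs modelled on the strings named in methods 11 and 13. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(%s) -> %s\n", files[i], createfile_bp_hits(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(%s) -> %s\n", keys[i], regopenkey_bp_hits(keys[i]) ? "break" : "pass");
    return 0;
}
```

Running it also shows that key #3 (the Loader32.Exe App Path) is not caught by the quoted breakpoint, which only covers the two paths that end in "SoftICE".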
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>