<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h       ; VxD ID of winice
 int 2Fh
 mov ax, es          ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7a5Fh       ; VxD ID of SIWVID
 int 2fh
 mov ax, es          ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax, 4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; ES must point to the IVT (ES = 0) here;
 xchg bx, es:[41h*4+2]     ; the old vector is saved in bx:dx
 mov ax, 4fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl, al                ; only reached if our own handler got the int 41h
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax                ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]       ; install our handler, saving the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h                ; timer port: an unpredictable value in al
 xor cx, cx
 int 41h                   ; our handler copies al into cl...
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl, al                ; ...so cl != al means SoftICE took the interrupt
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:
 BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number        ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the Win9x driver names are SICE and SIWVID, the WinNT one is NTICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxdCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

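The instruction sequences and strings catalogued in Methods 01 to 13 above are
fixed enough to be matched statically, which is how an analyst triages a
sample for these tricks before ever running it. The following Python is an
added example, not part of the original text: a small scanner that flags them
in a raw binary. The byte patterns are the 16-bit x86 encodings of the
snippets given above (Methods 01, 02, 03, 04, 05, 07, 11 and 13), and the
SAMPLE buffer is constructed here for the demo.

```python
"""Static scanner for the SoftICE detection tricks catalogued above.

Added example, not part of the original text: the byte patterns are the
16-bit x86 encodings of the instruction sequences and the strings the
methods use, and SAMPLE is a buffer constructed here for the demo."""
from __future__ import annotations

import re
import sys

# Fixed byte sequences (little-endian immediates). 32-bit code emits the same
# bytes after a 66h operand-size prefix, so the search still hits.
_BYTE_SIGS = [
    ("M01 BCHK signature (mov ebp,4243484Bh)",   b"\xBD\x4B\x48\x43\x42"),
    ("M02 back door magic (mov si,4647h)",       b"\xBE\x47\x46"),
    ("M02 back door magic (mov di,4A4Dh)",       b"\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",   b"\xBB\x02\x02\xCD\x2F"),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", b"\xBB\x5F\x7A\xCD\x2F"),
    ("M05 int 41h function 4Fh",                 b"\xB8\x4F\x00\xCD\x41"),
    ("M05/07/12 cmp ax,0F386h",                  b"\x3D\x86\xF3"),
    ("M07 int 68h function 43h",                 b"\xB4\x43\xCD\x68"),
]
# Strings, as regular expressions over bytes.
_STRING_SIGS = [
    ("M11 SoftICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
SIGNATURES = ([(name, re.compile(re.escape(b))) for name, b in _BYTE_SIGS]
              + [(name, re.compile(p)) for name, p in _STRING_SIGS])


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, ordered by offset."""
    hits = [(m.start(), name)
            for name, rx in SIGNATURES
            for m in rx.finditer(data)]
    return sorted(hits)


def methods_found(data: bytes) -> set[str]:
    """Method numbers ('M01', 'M11', ...) whose signatures appear in data."""
    found = set()
    for _, name in scan(data):
        # a label such as "M05/07/12" stands for several methods
        found.update("M" + n for n in name.split()[0][1:].split("/"))
    return found


# Constructed sample: a Method 01 check (with the 66h prefix a 32-bit packer
# would emit), a Method 11 device name and a Method 13 key, amid padding.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ax,4 / int 3 / cmp al,4
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # usage: python scanner.py <file>   (without an argument, scans SAMPLE)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print(f"{offset:08x}  {name}")
```

The byte patterns are deliberately short, so treat a hit as a lead for
manual inspection rather than proof: `cmp ax,0F386h` in particular is three
bytes and will occasionally match unrelated code, while the device-name and
registry strings are far more specific.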
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>