<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature ('BCHK') in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4                    ; AL is no longer 4 if SoftICE handled the int 3
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911          ; execute command.
4C19:0098  MOV  DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647          ; 1st magic value.
4C19:009D  MOV  DI,4A4D          ; 2nd magic value.
4C19:00A0  INT  3                ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02            ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06            ; Repeat 6 times to execute
4C19:00A8  JB   0095             ; 6 different commands.
4C19:00AA  JMP  0002             ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP            ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WinICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax                   ; ES:DI stays 0 if the VxD is not loaded
        jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; (assumes ES = 0, i.e. ES addresses the interrupt vector table)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler,
        xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2   PROC
        iret
int41handler2   ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler    PROC
        mov     cl,al                   ; our handler copies AL into CL
        iret
int41handler    ENDP


        xor     ax,ax
        mov     es,ax                   ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, save the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; unpredictable value from the timer port
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl,al                   ; CL != AL means our handler never ran
        jnz     SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push    00402025            ; \\.\SICE
0040106C:  call    CreateFileA
00401071:  cmp     eax,-001
00401074:  je      00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; _lopen returns -1 on failure
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

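Added example, not code from the original text: the fingerprints quoted in
methods 01 to 12 above (the 'BCHK' immediate, the 4647h/4A4Dh magic values,
the int 2Fh/1684h VxD IDs, the int 41h/4Fh and int 68h/43h calls, the driver
names opened by MeltICE, the VxDCall to VWIN32_Int41Dispatch and the
0F386h compare) turned into static byte signatures that an analyst can run
over a sample to see which anti-SoftICE checks it carries, without executing
it. The opcode encodings, the TRICKS table and SAMPLE_IMAGE are constructed
for this example and assume 16-bit code for the DOS tricks and 32-bit code
for the Win32 ones, as in the listings above.

```python
import re

# (method label from the text, byte pattern, what it means). Opcode encodings
# are constructed for this example: 16-bit code for the DOS tricks, 32-bit
# code for the Win32 ones; a 66h operand-size prefix in front does not matter.
TRICKS = [
    ("01", rb"\xbd\x4b\x48\x43\x42",          # mov ebp, 04243484Bh ('BCHK')
     "BoundsChecker 'BCHK' signature passed to int 3"),
    ("02", rb"\xbe\x47\x46\xbf\x4d\x4a",      # mov si,4647h / mov di,4A4Dh
     "SoftICE back-door magic values in SI/DI before int 3"),
    ("03", rb"\xb8\x84\x16\xbb\x02\x02",      # mov ax,1684h / mov bx,0202h
     "int 2Fh/1684h lookup of the SICE VxD (ID 0202h)"),
    ("04", rb"\xb8\x84\x16\xbb\x5f\x7a",      # mov ax,1684h / mov bx,7A5Fh
     "int 2Fh/1684h lookup of the SIWVID VxD (ID 7A5Fh)"),
    ("05", rb"\xb8\x4f\x00\xcd\x41",          # mov ax,4Fh / int 41h
     "int 41h function 4Fh debugger-installation check"),
    ("07", rb"\xb4\x43\xcd\x68",              # mov ah,43h / int 68h
     "int 68h function 43h debugger check"),
    ("11", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",   # "\\.\SICE" etc.
     "MeltICE: CreateFile/_lopen on a SoftICE driver name"),
    ("12", rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00",  # push 4Fh / push 2A002Ah
     "VxDCall VWIN32_Int41Dispatch with function 4Fh"),
    ("05/07/12", rb"\x3d\x86\xf3",            # cmp ax,0F386h
     "compare of AX with the 0F386h system-debugger magic number"),
]
COMPILED = [(m, re.compile(p), d) for m, p, d in TRICKS]


def scan(image):
    """Return (offset, method, description) hits in `image`, sorted by offset."""
    hits = []
    for method, pattern, description in COMPILED:
        for match in pattern.finditer(image):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_found(image):
    """Set of method labels that occur at least once in `image`."""
    return {method for _, method, _ in scan(image)}


def report(image):
    """Human-readable report lines, one per hit."""
    return ["%08x  method %-8s %s" % hit for hit in scan(image)]


# Constructed sample image (not a real file): NOP filler around a copy of the
# Haspinst-style int 3 sequence from method 02, a MeltICE driver name
# (method 11) and the Bleem-style VxDCall from method 12.
SAMPLE_IMAGE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"                         # mov ax,0911h
    + b"\x8b\x17"                             # mov dx,[bx]
    + b"\xbe\x47\x46"                         # mov si,4647h
    + b"\xbf\x4d\x4a"                         # mov di,4A4Dh
    + b"\xcc"                                 # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                      # '\\.\SICE',0
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"  # push 4Fh / push 2A002Ah
    + b"\x66\x3d\x86\xf3"                     # cmp ax,0F386h (32-bit code)
)

if __name__ == "__main__":
    for line in report(SAMPLE_IMAGE):
        print(line)
```

Run it on a raw DOS executable or an unpacked PE section with
`scan(open(path, "rb").read())`. The patterns are deliberately short, so a
hit is a lead for the analyst to confirm with SoftICE breakpoints such as the
ones listed above, not proof on its own; packed or obfuscated code that builds
these values at run time will not be found statically.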
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>