<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
ebp='BCHK' and ax=4, the INT 3 is answered by SoftICE, which modifies al.
If al is still 4 afterwards, SoftICE is not loaded. Note that without a
debugger the INT 3 raises a breakpoint exception, so the checking program
has to wrap it in its own exception handler.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is the
SoftICE 'back door': an INT 3 with magic values in SI/DI gives access to
functions which display strings, execute SoftICE commands or return
breakpoint information.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the functions selected by AX:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is zeroed first and only comes back
non-zero if a VxD with the requested ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h (the Windows debugger interface), function 4Fh
(debugger installation check).
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one points the int 41h vector at a
handler which does nothing; if ax nevertheless comes back as 0F386h, the
interrupt was serviced by a ring0 debugger before the program's own handler:

        mov bx, cs              ; assumes ES = 0 (interrupt vector table)
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect.
The program installs its own int 41h handler which copies al into cl,
loads al with a pseudo-random value (the timer counter read from port 40h)
and clears cx before the call. cl only equals al afterwards if the
program's own handler serviced the interrupt; if SoftICE took it instead,
cl stays 0 and the check fires (with a false negative in the rare case
where the timer byte read is itself 0):


int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: pseudo-random byte
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
is the installation check and returns 0F386h in ax when SoftICE is loaded.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h                 ; ds must hold the segment of New_Int_Routine

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only: a MOV from DRx raises a general protection fault
in ring3). Values can be manipulated or changed as well (clearing BPMs for
instance).

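To make the two values quoted above concrete, here is an added example (not
part of the original text, and not NuMega code): a Python decoder for the DR7
fields as laid out in the Intel manuals. With it, 0x400 decodes to nothing but
the always-set reserved bit 10, 0x700 to the LE and GE 'exact breakpoint'
enables a debugger turns on, and any armed DR0..DR3 shows up with its access
type and length. Reading DR7 itself still needs ring0; the values fed to the
decoder here are constructed, and the helper names (decode_dr7,
debugger_hints) are this example's own.

```python
# Added example, not code from the original page: decode the fields of the
# x86 DR7 debug-control register so that values such as 0x700 (program loaded
# through the SoftICE loader) and 0x400 (quiescent) can be interpreted, and so
# that the state of the four hardware breakpoints DR0..DR3 can be read off.
# The bit layout is the architectural one from the Intel SDM. On a real
# system DR7 can only be read with MOV from DR7 in ring 0, as the text says;
# the values passed in below are constructed.

from dataclasses import dataclass

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_NAMES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes (64-bit mode only)


@dataclass(frozen=True)
class HwBreakpoint:
    index: int          # 0..3, i.e. which of DR0..DR3 holds the address
    local: bool         # Ln bit: enabled for the current task
    global_: bool       # Gn bit: enabled for all tasks
    access: str         # R/Wn field decoded
    length: int         # LENn field decoded, in bytes

    @property
    def enabled(self) -> bool:
        return self.local or self.global_


@dataclass(frozen=True)
class Dr7:
    raw: int
    breakpoints: tuple
    le: bool            # bit 8, local exact breakpoint enable
    ge: bool            # bit 9, global exact breakpoint enable
    gd: bool            # bit 13, general detect: traps MOV to/from DRx

    def active(self):
        return [bp for bp in self.breakpoints if bp.enabled]


def decode_dr7(value: int) -> Dr7:
    """Split a 32-bit DR7 value into its architectural fields."""
    value &= 0xFFFFFFFF
    bps = []
    for n in range(4):
        bps.append(HwBreakpoint(
            index=n,
            local=bool(value >> (2 * n) & 1),           # L0,L1,L2,L3 at even bits 0..6
            global_=bool(value >> (2 * n + 1) & 1),     # G0..G3 at odd bits 1..7
            access=RW_NAMES[(value >> (16 + 4 * n)) & 0b11],
            length=LEN_NAMES[(value >> (18 + 4 * n)) & 0b11],
        ))
    return Dr7(raw=value,
               breakpoints=tuple(bps),
               le=bool(value >> 8 & 1),
               ge=bool(value >> 9 & 1),
               gd=bool(value >> 13 & 1))


def debugger_hints(value: int) -> list:
    """Observations an anti-debug check of the Method 10 kind could draw from
    a DR7 value. Bit 10 is architecturally always 1, so 0x400 is the
    quiescent value and tells nothing by itself."""
    d = decode_dr7(value)
    hints = []
    if d.le or d.ge:
        hints.append("exact-breakpoint enables set (LE/GE): a debugger configured DR7")
    for bp in d.active():
        hints.append(f"DR{bp.index} armed: {bp.access} breakpoint, {bp.length} byte(s), "
                     f"{'global' if bp.global_ else 'local'}")
    if d.gd:
        hints.append("GD set: any access to a debug register will trap to the debugger")
    return hints
```

debugger_hints(0x400) returns an empty list, debugger_hints(0x700) reports the
LE/GE enables, and a DR7 with L0 set and R/W0=01, LEN0=11 reports a 4-byte
write breakpoint in DR0, which is what a BPM on a dword would look like.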
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025           ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-01             ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it (esp->8 is the lpSubKey string; 0x13 and 0x37
are the offsets of "tICE" in keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

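Since every one of these checks has to carry some constant (the 'BCHK'
signature of Method 01, the 'FG'/'JM' magic values of Method 02, the 0F386h
answer of Methods 05/07/12, the VxD IDs of Methods 03/04, the 002A002Ah
VxDCall selector of Method 12, the \\.\SICE device names of Method 11 and
the registry paths of Method 13), a reverser can find them statically before
ever running the protected program. The following scanner is an added
example, not code from the original text or from any of the tools it
mentions; its signature table (SIGNATURES), the hand-assembled sample buffer
(SAMPLE, built from the Haspinst.exe loop shown under Method 02 plus a device
name and a registry path) and the function names are this example's own. It
also generalizes slightly beyond the page: each immediate is matched with an
optional 66h operand-size prefix so the same instruction is found in 16-bit
and 32-bit code, and the strings are matched in ASCII and UTF-16LE.

```python
# Added example, not part of the original text: a static scanner for the
# byte-level fingerprints of the SoftICE checks described in Methods 01-13.
# Instruction encodings are the standard ones (MOV EBP,imm32 = BD + dword,
# MOV SI,imm16 = BE + word, CMP AX,imm16 = 3D + word, PUSH imm32 = 68 + dword,
# all little-endian); the optional 66h prefix covers the other operand size.
# The SIGNATURES table and the SAMPLE buffer are constructed for this example.

import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    what: str


def _any_encoding(text: str) -> bytes:
    """Regex alternation matching text either as ASCII or as UTF-16LE."""
    return (b"(?:" + re.escape(text.encode("ascii")) + b"|"
            + re.escape(text.encode("utf-16-le")) + b")")


DEVICES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGKEYS = [r"NuMega\SoftICE", r"Uninstall\SoftICE", r"App Paths\Loader32.Exe"]

SIGNATURES = [
    # (method, description, compiled bytes pattern)
    ("01", "mov ebp,4243484Bh ('BCHK') before int 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    ("02", "mov si,4647h ('FG') followed by mov di,4A4Dh ('JM'): back-door magic",
     re.compile(rb"\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a", re.DOTALL)),
    ("03", "mov ax,1684h + mov bx,0202h (SICE VxD ID)",
     re.compile(rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb\x02\x02", re.DOTALL)),
    ("04", "mov ax,1684h + mov bx,7A5Fh (SIWVID VxD ID)",
     re.compile(rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb\x5f\x7a", re.DOTALL)),
    ("05/07/12", "cmp ax,0F386h (magic value returned by system debuggers)",
     re.compile(rb"\x66?\x3d\x86\xf3")),
    ("11", "SoftICE device name passed to CreateFileA/_lopen",
     re.compile(b"|".join(_any_encoding(d) for d in DEVICES))),
    ("12", "push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch VxDCall)",
     re.compile(rb"\x68\x2a\x00\x2a\x00")),
    ("13", "SoftICE registry key",
     re.compile(b"|".join(_any_encoding(k) for k in REGKEYS), re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature match in blob, sorted by offset."""
    hits = []
    for method, what, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append(Hit(m.start(), method, what))
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers whose fingerprint occurs in blob."""
    return sorted({h.method for h in scan(blob)})


# Constructed sample: the Method 02 loop from Haspinst.exe as listed above,
# a MeltICE-style device name and a registry path, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # "\\.\SICE", ASCII
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")
    + b"\x90" * 4
)
```

Running scan(SAMPLE) reports Method 02 at offset 9 (the mov si), Method 11 at
offset 20 (the device name) and Method 13 at offset 47 (the UTF-16 key name);
a buffer of NOPs yields nothing. The gaps allowed between paired instructions
(.{0,16}? and .{0,8}?) are deliberately short so that unrelated code is not
matched.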
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
The service returns with the zero flag set when no debugger is installed,
hence the conditional jump:

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>