<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; es is assumed to be 0 (IVT segment),
        xchg    bx, es:[41h*4+2]        ; as set up explicitly in Method 06
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2   PROC
        iret
int41handler2   ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
program installs its own int 41h handler, which copies AL into CL, reads a
byte from port 40h into AL, clears CX and calls int 41h; if CL does not
equal AL afterwards, the interrupt was not served by that handler:

int41handler    PROC
        mov     cl,al
        iret
int41handler    ENDP

        xor     ax,ax
        mov     es,ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl,al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
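
As an added example (not part of the original text, and not code from any of
the tools named above), here is a small Python triage scanner that looks for
the byte patterns of the instruction sequences and strings used by Methods 01
to 05, 07, 11, 12 and 13, so an analyst can spot which anti-SoftICE checks a
sample carries before tracing it. The byte encodings are my own assembly of
the listings above (Method 01 encoded as 32-bit code, Methods 02 to 07 as
16-bit code), the signature names are mine, and the sample buffer is
constructed for the demonstration.

```python
"""Static scanner for the SoftICE-detection patterns listed in Methods 01-13.

Constructed example: the byte encodings below are my own assembly of the
instruction sequences shown in the text (Method 01 encoded as 32-bit code,
Methods 02-07 as 16-bit code) plus the device-name and registry strings of
Methods 11 and 13. It is an analyst's triage aid, not code from the original.
"""
import re
import sys

# signature name -> regex over raw bytes (hex escapes are interpreted by re)
SIGNATURES = {
    "Method 01: BoundsChecker 'BCHK' int 3 (mov ebp,4243484Bh; mov ax,4; int 3)":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    "Method 02: back-door magic values (mov si,4647h; mov di,4A4Dh; int 3)":
        rb"\xBE\x47\x46\xBF\x4D\x4A\xCC",
    "Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "Method 05: int 41h function 4Fh (mov ax,4Fh; int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "Method 07: int 68h function 43h (mov ah,43h; int 68h)":
        rb"\xB4\x43\xCD\x68",
    "Method 11: MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "Method 13: NuMega registry key":
        rb"Software\\NuMega\\SoftICE",
}


def scan(data: bytes) -> list:
    """Return sorted (offset, signature name) pairs for every match in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, data):
            hits.append((match.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test buffer: NOP padding around three of the patterns."""
    sample = b"\x90" * 16
    # Method 01 stub: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz +10h
    sample += b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    sample += b"\x90" * 8
    # Method 11: the device name MeltICE passes to CreateFileA, NUL-terminated
    sample += b"\\\\.\\SICE\x00"
    sample += b"\x90" * 8
    # Method 05 stub: mov ax,4Fh / int 41h / cmp ax,0F386h / jz +5
    sample += b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"
    return sample


def report(path: str) -> list:
    """Scan a file on disk, print one line per hit and return the hits."""
    with open(path, "rb") as fh:
        hits = scan(fh.read())
    for offset, name in hits:
        print(f"{offset:#010x}  {name}")
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])
    else:
        for offset, name in scan(build_sample()):
            print(f"{offset:#010x}  {name}")
```

Run it with a file path to scan a sample, or without arguments to see the
three hits in the constructed buffer. Treat hits as leads, not proof: a
protector that assembles the same check differently (mov eax,4 instead of
mov ax,4, a different register order, or the strings built at run time)
changes the encoding, and Methods 06, 08 to 10 and 14 have no fixed byte
pattern at all, so the SoftICE breakpoints given in the text remain the way
to confirm what the program actually does.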

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>