<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; assumes ES = 0, so es:[41h*4] is the IVT entry
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our handler: copy AL into CL
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, old vector saved in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; read the timer port: AL is an unpredictable value
    xor cx,cx
    int 41h                ; if SoftICE hooks int 41h, our handler never runs
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; CL == AL only if our handler actually ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD for Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded: the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
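The breakpoints above catch these tricks at run time; the static counterpart is to look for their byte-level fingerprints in a file before running it. The scanner below is an added example (not from the original text or from any tool it names) that searches a raw binary for the immediates and strings of methods 01, 02, 03/04, 05, 07, 11, 12 and 13: the 'BCHK' and 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs with int 2Fh, int 41h/4Fh, cmp ax,0F386h, the \\.\SICE-style device names, the 2A002Ah VxDCall and the NuMega registry key. The opcode encodings are my assumption (16-bit code for the DOS-era tricks, 32-bit code for the Win32 ones) and the sample buffer is constructed.

```python
import re

# Byte patterns for the anti-SoftICE tricks described on this page.
# Assumed encodings: 16-bit code for the DOS-era tricks (no 66h prefix),
# 32-bit code for the Win32 ones; a packer that differs needs more patterns.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK/int 3": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back door magic values)
    "02 back door SI=4647h DI=4A4Dh": re.compile(
        rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL),
    # Methods 03/04: mov bx,0202h or mov bx,7A5Fh ... int 2Fh
    "03/04 int 2Fh VxD ID": re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f", re.DOTALL),
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": re.compile(rb"\xb8\x4f\x00\xcd\x41"),
    # Methods 05-07/12: cmp ax,0F386h (the system-debugger magic number)
    "05-07/12 cmp ax,0F386h": re.compile(rb"\x3d\x86\xf3"),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    "11 MeltICE device name": re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: the NuMega registry key
    "13 SoftICE registry key": re.compile(re.escape(b"Software\\NuMega\\SoftICE")),
}


def scan(blob):
    """Return sorted (offset, signature name) pairs found in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: a few of the sequences above embedded among NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp,4243484Bh          (method 01)
    + b"\x66\xb8\x04\x00\xcc\x3c\x04"    # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 3
    + b"\xb8\x11\x09\x8b\x17"            # mov ax,0911h / mov dx,[bx]  (method 02)
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 5
    + b"\\\\.\\SICE\x00"                 # MeltICE device name        (method 11)
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh / push 2A002Ah    (method 12)
    + b"\x90" * 2
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a real file with `scan(open(path, "rb").read())`; a hit is a lead for where to put one of the breakpoints above, not proof by itself, since the same bytes can occur by chance.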

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>