<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must be 0 (interrupt vector table) here, as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the 'SICE' device accepts an open, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is present */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
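The breakpoints above catch these tricks live; the Python scanner below (added here, not part of the original text or of any tool it mentions) does the same job statically, turning the byte encodings of the fragments shown for methods 01, 02, 03/04, 05, 07, 11 and 12 into signatures that can be run over a sample before loading it under SoftICE. Methods 06, 08, 09, 10, 13 and 14 have no fixed user-mode byte pattern and are left out; the sample buffer is constructed, not a real binary.

```python
import re

# (method, description, regex over raw bytes). The .{0,N} gaps tolerate an
# interleaved instruction or two between the key opcodes of each fragment.
SIGNATURES = [
    ("01", "'BCHK' (4243484Bh) loaded into ebp before int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc", re.S)),
    ("02", "SoftICE back door: mov si,4647h / mov di,4A4Dh / int 3",
     re.compile(rb"\xbe\x47\x46.{0,6}\xbf\x4d\x4a.{0,6}\xcc", re.S)),
    ("03/04", "int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,4}\xbb(?:\x02\x02|\x5f\x7a).{0,4}\xcd\x2f", re.S)),
    ("05", "int 41h function 4Fh compared against magic 0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,16}\xcd\x41.{0,16}\x3d\x86\xf3", re.S)),
    ("07", "int 68h function 43h (WinICE V86 handler)",
     re.compile(rb"\xb4\x43.{0,4}\xcd\x68", re.S)),
    ("11", "MeltICE: SoftICE driver name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,4}\x68\x2a\x00\x2a\x00", re.S)),
]


def scan(buf):
    """Return [(method, offset, description)] for every signature hit in buf,
    sorted by offset. Hits from different methods may overlap; all are kept."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((method, m.start(), desc))
    return sorted(hits, key=lambda h: h[1])


def methods_found(buf):
    """Set of method numbers whose signature appears in buf."""
    return {method for method, _, _ in scan(buf)}


# Constructed sample (not a real binary): the Haspinst.exe back-door call
# from Method 02, the simplest Method 05 check, then a MeltICE driver name.
SAMPLE = bytes.fromhex(
    "b81109"    # mov ax,0911h
    "8b17"      # mov dx,[bx]
    "be4746"    # mov si,4647h
    "bf4d4a"    # mov di,4A4Dh
    "cc"        # int 3
    "90909090"  # nop padding
    "b84f00"    # mov ax,4fh
    "cd41"      # int 41h
    "3d86f3"    # cmp ax,0F386h
    "740a"      # jz SoftICE_detected
) + b"\x00\\\\.\\SICE\x00"

if __name__ == "__main__":
    for method, off, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method} - {desc}")
```

Run it over a dumped or unpacked image rather than a still-packed file, since the packer's own layer hides these opcodes until it has run.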

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>