About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE's int 3 handler:
with EBP='BCHK' and AX=4, SoftICE answers and AL is no longer 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). ES:DI comes back as 0000:0000
when no VxD with that ID is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first installs a dummy int 41h
handler in the interrupt vector table so that the call is harmless when no
debugger answers it (on DOS the int 41h vector normally holds the fixed-disk
parameter table, not a handler):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = arbitrary value (timer channel 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL==AL only if our own handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

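The check above is easier to reason about with DR7 decoded bit by bit. The
following is an added example, not code from the original text: it decodes a
DR7 value the way a ring0 check would after "mov eax, dr7", lists the hardware
breakpoints armed in DR0..DR3, shows that the 0x700/0x400 difference quoted
above is exactly the LE and GE bits, and shows what "clearing BPMs" amounts
to. The bit layout is the Intel documented one; the register values in the
main block are constructed, not captured from a real SoftICE session.

```python
"""DR7 decoder for the debug-register check described in Method 10.

Added example, not part of the original text. The sample register values
at the bottom are constructed, not captured from a real machine.
"""

# DR7 bit positions (Intel SDM vol. 3, "Debug Registers")
DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # reserved, always reads as 1 (hence the 0x400 baseline)
DR7_GD = 1 << 13         # general detect: traps any access to DR0..DR7

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes only in long mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return one dict per enabled breakpoint slot (L or G bit set)."""
    bps = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11      # R/Wn field
        ln = (dr7 >> (18 + 4 * slot)) & 0b11      # LENn field
        bps.append({
            "slot": slot,
            "address": dr0_3[slot],
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
            "scope": "global" if glob else "local",
        })
    return bps


def looks_like_softice_loader(dr7):
    """0x700 vs 0x400 in the text is LE|GE (bits 8 and 9) on top of the
    always-set reserved bit 10."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpms(dr7):
    """What a protector does to kill BPMs from ring0: drop every L/G enable
    bit and every R/W and LEN field, keep LE/GE/GD and the reserved bit."""
    return dr7 & (DR7_LE | DR7_GE | DR7_RESERVED1 | DR7_GD)


def make_dr7(slot, rw, length, local=True):
    """Build the DR7 bits for one breakpoint; used here to build samples."""
    len_code = {1: 0, 2: 1, 4: 3, 8: 2}[length]
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return (DR7_RESERVED1 | enable
            | (rw << (16 + 4 * slot)) | (len_code << (18 + 4 * slot)))


if __name__ == "__main__":
    # Constructed sample: loaded through the SoftICE loader (LE|GE set), a
    # 4-byte write BPM in slot 0 and a 1-byte execute breakpoint in slot 3.
    dr7 = 0x700 | make_dr7(0, rw=1, length=4) | make_dr7(3, rw=0, length=1)
    regs = (0x0040106C, 0, 0, 0x00401067)
    print("loader signature:", looks_like_softice_loader(dr7))
    for bp in decode_dr7(dr7, regs):
        print(bp)
    print("after clear: %#x" % clear_bpms(dr7))
```

Reading DR7 this way only works from ring0, as the text says; from ring3 a
"mov eax, dr7" raises #GP, which is itself what a debugger would trap.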
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one (the dword at offset 4 of the name skips the "\\.\"
 prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
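All of methods 01 to 12 above leave a fixed byte sequence or string in the
protected file, so a reverser can find them statically before ever loading the
target under SoftICE. The following is an added example, not part of the
original text: a small signature scanner whose patterns are the machine-code
encodings of the snippets quoted above (16-bit encodings; in 32-bit code the
same 16-bit immediates simply follow a 66h operand-size prefix, so the patterns
still match) plus the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of
Method 11. The sample image it scans is hand-assembled here for the test, not
taken from any real binary, and the short wildcard gaps between instructions
are a choice of this example, not something the text prescribes.

```python
"""Static scanner for the anti-SoftICE tricks described above.

Added example, not part of the original text. Each signature is the byte
encoding of the corresponding snippet in the text; gaps ('.{0,n}?') allow a
few unrelated instructions between the fixed parts.
"""
import re

# (method, description, regex over raw bytes)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC.{0,8}?\x3C\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh ('FG'/'JM') back-door magic
    ("02", "SoftICE back door magic SI=4647h DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh
    ("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,24}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("07", "int 68h/43h V86 debugger check",
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11", r"device name \\.\SICE, \\.\SIWVID or \\.\NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) / VxDCall
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(image):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in re.finditer(pat, image, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def build_sample():
    """Constructed test image: hand-assembled 16-bit fragments of the
    methods above, separated by NOP sleds. Not taken from a real file."""
    nops = b"\x90" * 4
    m01 = (b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh ('BCHK')
           b"\xB8\x04\x00"               # mov ax,4
           b"\xCC"                       # int 3
           b"\x3C\x04"                   # cmp al,4
           b"\x75\x00")                  # jnz SoftICE_Detected (rel8 placeholder)
    m02 = (b"\xB8\x11\x09"               # mov ax,0911h (execute command)
           b"\xBE\x47\x46"               # mov si,4647h
           b"\xBF\x4D\x4A"               # mov di,4A4Dh
           b"\xCC")                      # int 3
    m03 = (b"\xB8\x84\x16"               # mov ax,1684h
           b"\xBB\x02\x02"               # mov bx,0202h (SICE)
           b"\xCD\x2F")                  # int 2Fh
    m05 = (b"\xB8\x4F\x00"               # mov ax,4Fh
           b"\xCD\x41"                   # int 41h
           b"\x3D\x86\xF3"               # cmp ax,0F386h
           b"\x74\x00")                  # jz SoftICE_Detected
    m07 = b"\xB4\x43\xCD\x68\x3D\x86\xF3"  # mov ah,43h / int 68h / cmp ax,0F386h
    m11 = b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # two device-name strings
    m12 = (b"\x6A\x4F"                   # push 4Fh
           b"\x68\x2A\x00\x2A\x00")      # push 002A002Ah
    return nops.join([m01, m02, m03, m05, m07, m11, m12])


if __name__ == "__main__":
    for offset, method, desc in scan(build_sample()):
        print("%08X  Method %s  %s" % (offset, method, desc))
```

Methods 06, 08, 09, 10, 13 and 14 have no fixed byte pattern worth scanning for
(a vector swap, an int 21h/25h call, a VMMCall or a registry key name), which
is why the table stops where it does; the SoftICE breakpoints listed under
each method remain the way to catch those at run time.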

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" inside
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag (the zero flag is set when no debugger is installed).
</PRE></TD></TR></TBODY></TABLE>