<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4
  jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911    ; execute command.
  4C19:0098 MOV DX,[BX]    ; ds:dx point to the command (see below).
  4C19:009A MOV SI,4647    ; 1st magic value.
  4C19:009D MOV DI,4A4D    ; 2nd magic value.
  4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
  4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
  4C19:00A8 JB 0095        ; 6 different commands.
  4C19:00AA JMP 0002       ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h         ; VxD ID of winice
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7a5Fh         ; VxD ID of SIWVID
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax, 4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  mov ax, 4fh
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
  mov cl, al
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl, al
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

  BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

  mov ah, 25h
  mov al, Int_Number          ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD under Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025       ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                   ; OF_READ
  mov eax,[00656634]        ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589              ; detected
  push 00                   ; OF_READ
  mov eax,[00656638]        ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxdCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f
  BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

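As an added example (not part of the original text), here is a small static scanner that flags methods 01, 02, 03/04, 05, 11 and 12 by their byte patterns, so an analyst can spot these checks in a file without tracing it under SoftICE. The byte encodings are an assumption derived from the listings above (16-bit encoding for the DOS int 2Fh/41h/3 variants, 32-bit for the BCHK and VxDCall ones), and the sample "binary" is constructed.

```python
# Added example, not part of the original text: a static scanner that flags
# the SoftICE checks of Methods 01, 02, 03/04, 05, 11 and 12 by byte pattern.
import re

# Assumed encodings, derived from the listings above: 16-bit (DOS) encoding
# for the int 2Fh/41h/3 variants, 32-bit for the BCHK and VxDCall variants;
# an optional 66h operand-size prefix is tolerated on the 16-bit immediates.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' (mov ebp,4243484Bh ... int 3)",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    ("Method 02: back door magic SI=4647h/DI=4A4Dh ... int 3",
     rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a.{0,8}?(?:\xcd\x03|\xcc)"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02.{0,8}?\xcd\x2f"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    ("Method 05: int 41h/4Fh magic-number (0F386h) check",
     rb"\x66?\xb8\x4f\x00.{0,8}?\xcd\x41"),
    ("Method 11: 'MeltICE' driver name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob):
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in COMPILED for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample "binary": NOP padding around hand-assembled instances of
# Methods 01, 02 (HASP style), 05, 12 and the Method 11 device-name string.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01 @8
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"      # Method 02 @31
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                          # Method 05 @43
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"          # Method 12 @55
    + b"\x00\\\\.\\SICE\x00"                                        # Method 11 @68
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Run it against a real file by replacing SAMPLE with the file's bytes; a hit only says the pattern is present, so confirm it by looking at the surrounding code.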
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>