About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface answers here
    cmp     al,4                   ; al is no longer 4 if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to the IVT (segment 0)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]        ; restore the original vector
    cmp     ax, 0f386h              ; our handler leaves ax unchanged...
    jz      SoftICE_detected        ; ...so only a resident debugger can answer

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy the timer byte if we really get control
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]        ; install our handler on int 41h
    in      al, 40h                 ; read a PIT counter byte (unpredictable value)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]        ; restore the original vector
    cmp     cl,al                   ; cl==al only if our handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
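To make the dr7 values quoted in Method 10 concrete, here is an added Python decoder (not part of the original text; the helper names are my own) that splits a DR7 value into its enable bits, the LE/GE flags and the per-slot R/W and LEN fields, following the IA-32 bit layout; 0x400 is just the always-set reserved bit 10, and 0x700 adds LE and GE on top of it.

```python
# Added example: decode the x86 DR7 debug-control register that Method 10
# reads.  Bit layout follows the IA-32 architecture manual; the helper
# names are my own, not the original text's.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoint slots and the global DR7 flags."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # L0..L3 live in bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1      # G0..G3 live in bits 1, 3, 5, 7
        if not (local or glob):
            continue                         # slot i (DRi) is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3       # R/Wi: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3       # LENi: bits 18-19, 22-23, 26-27, 30-31
        slots.append({"slot": i, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "le": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always 1: this is the 0x400
        "gd": bool(dr7 & (1 << 13)),         # general detect: traps MOV to/from DRn
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text reports dr7=0x700 under the SoftICE loader and 0x400 otherwise:
    0x700 is LE and GE set on top of the reserved bit, with no slot armed."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not d["breakpoints"]


def describe(dr7: int) -> str:
    """One-line human summary, e.g. for a ring0 driver's debug log."""
    d = decode_dr7(dr7)
    bps = ", ".join(f"DR{b['slot']} {b['kind']} len={b['length']} ({b['scope']})"
                    for b in d["breakpoints"]) or "no hardware breakpoints"
    flags = " ".join(n for n in ("le", "ge", "gd") if d[n]) or "-"
    return f"DR7={dr7:#010x}: {bps}; flags: {flags}"


if __name__ == "__main__":
    # the two values from the text, plus a constructed DR7 with one 4-byte BPM in DR0
    for value in (0x400, 0x700, 0x000F0001):
        print(describe(value))
```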

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   // Win32 API (declared in windows.h): try to open the SICE device object
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      // the driver answered: SoftICE is loaded
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
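As a defender's complement to the tricks above, here is an added Python scanner (not the text's code) that searches a raw binary for the byte encodings of the instruction sequences from Methods 01, 02, 03/04, 05, 07 and 12, the 0F386h magic compare, the MeltICE device names of Method 11 and the registry paths of Method 13; the encodings are standard 16-bit x86 (in 32-bit code the same bytes follow a 66h prefix, so they still match), and the sample bytes are constructed for the example.

```python
import re

# Added example: byte signatures for the anti-SoftICE tricks described in the
# text.  Small lazy gaps (.{0,n}?) allow a few filler instructions between the
# parts of a sequence.  Short patterns (the 3-byte magic compare) can hit data
# by accident, so treat hits as leads to confirm in a disassembler.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)",
    "M02 back door magic (mov si,4647h / mov di,4A4Dh)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
    "M03/M04 int 2Fh/1684h VxD entry point (SICE 0202h / SIWVID 7A5Fh)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 int 41h fn 4Fh (mov ax,4Fh / int 41h)":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    "M07 int 68h fn 43h (mov ah,43h / int 68h)":
        rb"\xB4\x43.{0,8}?\xCD\x68",
    "M05/M07/M12 system-debugger magic (cmp ax,0F386h)":
        rb"\x3D\x86\xF3",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M11 MeltICE driver name (\\\\.\\SICE, SIWVID, NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}


def scan(data: bytes) -> list:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, flags=re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the Method 01 and Method 05 sequences from the text with
# filler NOPs, plus a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh ('BCHK'), 66h = 16-bit code
    + b"\xB8\x04\x00\xCC"           # mov ax,4 / int 3
    + b"\x3C\x04\x75\x10"           # cmp al,4 / jnz short
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"       # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x02"       # cmp ax,0F386h / jz short
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"            # "\\.\SICE" as passed to CreateFileA
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08X}  {label}")
```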