<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: if SoftICE is loaded, it
answers the INT 3 and AL no longer holds 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP     ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must already be 0 (the interrupt vector table segment),
    ; as set up explicitly in the next example.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect.
The installed handler only copies AL (a value read from timer port 40h) into
CL, so CL equals AL afterwards unless int 41h was intercepted before reaching
the handler:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler via int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
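As an added example (not code from the original text nor from any packer it mentions), the following Python scanner looks for the interrupt checks of methods 01 to 07 in a raw x86 code dump by their instruction encodings, decodes which back-door function or VxD ID a hit requests, and notes whether an int 41h/68h call is followed by the 0F386h compare; the `push 002A002Ah` pattern of method 12 (below) is included because it is the VxDCall form of the same check. The byte patterns, the `scan` function and the sample blob are my own, assembled from the snippets above; up to 16 bytes without another INT are allowed between the register load and the INT, and 32-bit code matches through its 66h prefixes because the opcode bytes are the same.

```python
"""Static triage of SoftICE interrupt tricks (added example, not from the
original text). Finds the instruction encodings of methods 01-07 and the
VxDCall form of method 12 in a raw 16/32-bit x86 code dump and decodes the
back-door function or VxD ID each one requests."""
import re

# Back-door functions selected in AX before INT 3 (method 02 table).
INT3_BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
# VxD IDs queried through INT 2Fh/1684h (methods 03 and 04).
VXD_IDS = {0x0202: "SICE (winice)", 0x7A5F: "SIWVID"}
CMP_AX_F386 = b"\x3D\x86\xF3"          # cmp ax, 0F386h (same bytes after a 66h prefix)

# (method, description, byte pattern). Encodings are the plain 16-bit forms;
# 32-bit code carries the same bytes after a 66h operand-size prefix. Up to 16
# bytes without an INT (CDh) may sit between the register load and the INT.
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' handshake (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    (2, "INT 3 back door magic values (mov si,4647h / mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46")),
    (3, "INT 2Fh/1684h VxD entry-point query (mov bx,<VxD ID> ... int 2Fh)",
     re.compile(rb"\xBB(..)[^\xCD]{0,16}\xCD\x2F", re.DOTALL)),
    (5, "INT 41h function 4Fh debugger check (mov ax,4Fh ... int 41h)",
     re.compile(rb"\xB8\x4F\x00[^\xCD]{0,16}\xCD\x41", re.DOTALL)),
    (7, "INT 68h function 43h V86 debugger check (mov ah,43h ... int 68h)",
     re.compile(rb"\xB4\x43[^\xCD]{0,16}\xCD\x68", re.DOTALL)),
    (12, "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def scan(code):
    """Return a list of findings, each {offset, method, what, detail}, ordered by offset."""
    findings = []
    for method, what, rx in SIGNATURES:
        for m in rx.finditer(code):
            meth, detail = method, ""
            if method == 2:
                # The function number is loaded into AX (B8 iw) shortly before
                # the magic values; look back up to 16 bytes for the last one.
                window = code[max(0, m.start() - 16):m.start()]
                i = window.rfind(b"\xB8")
                if i != -1 and i + 3 <= len(window):
                    func = int.from_bytes(window[i + 1:i + 3], "little")
                    detail = INT3_BACKDOOR_FUNCS.get(func, f"unknown function {func:04X}h")
            elif method == 3:
                vxd = int.from_bytes(m.group(1), "little")
                detail = VXD_IDS.get(vxd, f"VxD ID {vxd:04X}h (not a SoftICE driver)")
                if vxd == 0x7A5F:
                    meth = 4                     # the SIWVID variant is method 04
            elif method in (5, 7):
                # Both checks normally compare AX with the 0F386h magic number.
                if code.find(CMP_AX_F386, m.end(), m.end() + 16) != -1:
                    detail = "compares AX with 0F386h"
            findings.append({"offset": m.start(), "method": meth, "what": what, "detail": detail})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: the snippets from the text assembled back to back and
# padded with NOPs. Not bytes taken from any real program.
SAMPLE_CODE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"     # method 01 (32-bit)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"     # method 02 (Haspinst style)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"             # method 05
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10"                 # method 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"     # method 12
    + b"\x90\x90"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_CODE):
        print(f"+{f['offset']:04X}  method {f['method']:02d}  {f['what']}  {f['detail']}")
```

Run it on a dumped code section (`scan(open(path, "rb").read())`) to get a list of offsets to look at; the method-02 decoder is the useful part, since it tells you whether a hit merely displays a string or executes a command such as HBOOT.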
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply by
reading their values. The values can be manipulated or changed as well
(clearing BPMs, for instance).

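Added example, not from the original text: a DR7 decoder that makes the values quoted above concrete. 0x400 is only the reserved bit 10 (which always reads as 1), 0x700 additionally has LE and GE (the exact-breakpoint enables) set, and any L/G bit of a slot means a hardware breakpoint is armed in that DRn, with its type and length in the upper half of DR7. The bit layout is the Intel SDM one; `decode_dr7`, `softice_indicators` and `encode_dr7` are names I chose for this demo, and the register images used are constructed, not read from a machine.

```python
"""Decode the x86 debug control register DR7 (added example, not from the
original text). Shows what the values quoted for method 10 mean: 0x400 is
just the always-set reserved bit 10, 0x700 adds the LE and GE bits, and any
L0-L3/G0-G3 bit marks an active hardware breakpoint in DR0-DR3."""

# Bit layout from the Intel SDM, volume 3 ("Debug Registers").
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return the global flags and the list of enabled breakpoint slots."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: trap on MOV to/from DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                   # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": f"dr{n}", "local": local, "global": glob,
            "kind": RW_KINDS[rw], "length": LEN_BYTES[ln],
        })
    return info


def softice_indicators(dr7, dr0_3):
    """The reading a ring-0 check applies to the live registers, per method 10.
    dr0_3 is the tuple of linear addresses held in DR0-DR3 (constructed here)."""
    d = decode_dr7(dr7)
    hits = []
    if d["LE"] and d["GE"]:
        hits.append("LE/GE set (dr7 looks like 0x700: target was started by the SoftICE loader)")
    for bp in d["breakpoints"]:
        addr = dr0_3[int(bp["reg"][2])]
        hits.append(f"{bp['reg']} {bp['kind']} breakpoint, {bp['length']} byte(s) at {addr:08X}h")
    return hits


def encode_dr7(slot, kind, length, local=True, glob=False):
    """Inverse helper so the demo can build realistic values instead of magic numbers."""
    rw = {v: k for k, v in RW_KINDS.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    v = 1 << 10                        # reserved bit 10 always reads as 1
    v |= (int(local) << (2 * slot)) | (int(glob) << (2 * slot + 1))
    v |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    return v


if __name__ == "__main__":
    # Constructed register images: not values read from a real machine.
    for dr7 in (0x400, 0x700, encode_dr7(0, "write", 4, local=False, glob=True) | 0x700):
        print(f"dr7={dr7:08X}h ->", softice_indicators(dr7, (0x00401000, 0, 0, 0)))
```

A BPM set from SoftICE shows up here as one entry in `breakpoints` whose address is the BPM target, which is exactly what a ring-0 check of method 10 reads; clearing it means zeroing that slot's L/G bits.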
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                         ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                         ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

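To show why the offsets in the `CreateFileA` breakpoint of method 11 and the `_regopenkey` breakpoint of method 13 are what they are, here is an added Python model, not part of the original text, of how those conditions are evaluated: I read `esp->n` as the dword stored at [esp+n] and `*(addr)=='ABCD'` as a compare of the four bytes at addr in memory order, which is what these breakpoints intend. At the first instruction of a stdcall API, [esp] is the return address, so esp->4 is the first argument (lpFileName) and esp->8 the second (lpSubKey); +4 skips the 4-byte `\\.\` device prefix, and 0x13 / 0x37 are where "tICE" sits inside keys #2 and #1. The memory image, the stack frame and the names `Snapshot`, `build_snapshot`, `bpx_*_hits` and `tice_offset` are all mine and constructed for the demo.

```python
"""Model of the SoftICE conditional breakpoints quoted for methods 11 and 13
(added example, not from the original text). 'esp->n' is the dword stored at
[esp+n] and '*(addr)' the four bytes at addr, so at the entry of a stdcall
API esp->4 is the first argument and esp->8 the second. Memory and stack
contents below are constructed for the demo."""
import struct

BASE = 0x00400000             # constructed image base of the flat memory model

# Strings placed in the image (offsets from BASE); constructed, not from a real binary.
STRINGS = {
    0x00: b"\\\\.\\SIWVID\0",                                        # \\.\SIWVID (method 11)
    0x10: b"Software\\NuMega\\SoftICE\0",                            # registry key #2 (method 13)
    0x30: b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE\0",  # key #1
    0x70: b"C:\\data\\report.txt\0",                                 # a harmless file name
}


class Snapshot:
    """Flat memory image plus the ESP value at the moment the BPX fires."""

    def __init__(self, base, data, esp):
        self.base, self.data, self.esp = base, data, esp

    def dword(self, addr):            # SoftICE  x->n  : dword at [x+n]
        return struct.unpack_from("<I", self.data, addr - self.base)[0]

    def bytes4(self, addr):           # SoftICE  *(addr)=='ABCD' : four bytes in memory order
        off = addr - self.base
        return bytes(self.data[off:off + 4])


def build_snapshot(args, esp_off=0x100):
    """Lay out the strings and a stdcall frame: [esp] = return address, then the arguments."""
    mem = bytearray(0x200)
    for off, s in STRINGS.items():
        mem[off:off + len(s)] = s
    frame = struct.pack("<I", 0x00401071)          # constructed return address
    frame += b"".join(struct.pack("<I", a) for a in args)
    mem[esp_off:esp_off + len(frame)] = frame
    return Snapshot(BASE, mem, BASE + esp_off)


def bpx_createfile_hits(snap):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is lpFileName; +4 skips the 4-byte device prefix."""
    name_ptr = snap.dword(snap.esp + 4)
    return snap.bytes4(name_ptr + 4) in (b"SICE", b"SIWV", b"NTIC")


def bpx_regopenkey_hits(snap):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of 'tICE' inside keys #2 and #1."""
    sub_ptr = snap.dword(snap.esp + 8)
    return any(snap.bytes4(sub_ptr + off) == b"tICE" for off in (0x13, 0x37))


def tice_offset(subkey):
    """Where 'tICE' sits in a sub-key string, or -1; explains the two constants above."""
    return subkey.find(b"tICE")


if __name__ == "__main__":
    hklm = 0x80000002     # HKEY_LOCAL_MACHINE
    print(bpx_createfile_hits(build_snapshot([BASE + 0x00, 0xC0000000, 3, 0, 3, 0x80, 0])))
    print(bpx_createfile_hits(build_snapshot([BASE + 0x70, 0x80000000, 1, 0, 3, 0x80, 0])))
    print(bpx_regopenkey_hits(build_snapshot([hklm, BASE + 0x10, BASE + 0x1F0])))
    for off, s in STRINGS.items():
        print(f"{s!r}: tICE at {tice_offset(s)}")
```

`tice_offset` is the quick way to derive such a constant for another key (the App Paths key #3, for instance, would need its own offset), and the harmless file name shows that the `+4` compare does not fire on ordinary paths.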
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>