About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes SoftICE's support for the BoundsChecker interface (the 'BCHK'
signature): if SoftICE is loaded, it answers the int 3 and al is changed.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al still 4 -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE by forcing it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): a non-zero ES:DI means the VxD is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 (IVT), see method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect:

int41handler PROC
    mov     cl,al                   ; only reached if no debugger handles int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; ...unless a debugger swallowed the call

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; int 21h/25h: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
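As an added example (not part of the original post), here are the byte patterns of several of the tricks above turned into a small signature scanner, the kind of check an analyst runs over a suspect binary to list which anti-SoftICE probes it carries. The sample blob is constructed here and does not come from any real program; the opcode encodings are assumed from the instructions as printed above.

```python
import re

# Byte signatures for the anti-SoftICE tricks described in the post.
# Encodings follow the instructions as printed: 16-bit code for the
# int 2Fh/41h/68h tricks, 32-bit code for the Win32 packer tricks; an
# optional 66h prefix covers 16-bit register moves inside 32-bit code.
SIGNATURES = [
    # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"),
    # mov si,4647h / mov di,4A4Dh (back door magic values)
    ("02", "SoftICE back door magic SI=4647h DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # mov ax,1684h / mov bx,0202h / int 2Fh
    ("03", "int 2Fh/1684h entry point of the SICE VxD",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    ("04", "int 2Fh/1684h entry point of the SIWVID VxD",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # mov ax,4Fh / int 41h
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    # mov ah,43h / int 68h / cmp ax,0F386h
    ("07", "int 68h/43h V86 WinICE handler check",
     rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # NUL-terminated device name passed to CreateFileA/_lopen (MeltICE)
    ("11", "MeltICE driver device name (SICE/SIWVID/NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # push 4Fh (imm8 or imm32 form) / push 002A002Ah before VxDCall
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(m, d, re.compile(p)) for m, d, p in SIGNATURES]


def scan(data):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample (not from any real binary): nop padding around the
# method 01 sequence, a 32-bit form of the method 02 magic values, a
# MeltICE device name and the method 12 VxDCall setup.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # offset 8
    + b"\x90" * 4
    + b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"                # offset 24
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                     # offset 37
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"                # offset 50
    + b"\x00" * 4
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:08x}  method {method}: {desc}")
```

Feed `scan()` the raw bytes of a file instead of `SAMPLE` to triage a real sample; a hit only tells you the probe is present, not where control flow reaches it.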