<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; al is left at 4 when no SoftICE answers the 'BCHK' call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the "Get Device API Entry Point" call):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di           ; ES:DI stays 0 when no VxD with that ID is loaded
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector at a
dummy handler, so a plain int 41h comes back with ax unchanged; a system
debugger that intercepts int 41h below the IVT still answers 0F386h:

    xor ax,ax
    mov es,ax                ; ES = 0: the interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                     ; does nothing: ax must still be 4fh afterwards
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; only runs if nobody intercepts int 41h before us
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; ES = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, save the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; PIT counter byte: an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl still 0 means something else swallowed the int 41h
    jnz SoftICE_detected     ; (a 0 read from port 40h gives a false negative)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
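Method 10 compares DR7 as a whole (0x700 against 0x400). The decoder below, an added example that is not part of the original text, splits DR7 into its architectural fields so the two values and a DR7 with a memory breakpoint armed can be told apart. The field layout (L0..L3/G0..G3 in bits 0..7, LE bit 8, GE bit 9, bit 10 reserved and reading as 1, R/Wn and LENn in bits 16..31) is the x86 debug-register definition; the function names and the sample values are mine, and the 0x700/0x400 reading is reproduced from the text above, not an architectural guarantee.

```python
"""DR7 field decoder for the Method 10 check (added example, not from the page)."""
from typing import Dict, List

# R/W field: what kind of access arms the breakpoint
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field: watched size in bytes (0b10 is 8 bytes on x86-64 only, undefined on 32-bit)
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> Dict:
    """Return the LE/GE flags, the reserved bit and one record per dr0..dr3."""
    slots: List[Dict] = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))      # Ln: enabled for the current task
        glob = bool(dr7 & (1 << (2 * n + 1)))   # Gn: enabled for all tasks
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({
            "reg": f"dr{n}",
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & 0x100),              # bit 8: local exact breakpoint enable
        "ge": bool(dr7 & 0x200),              # bit 9: global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # always reads as 1
        "slots": slots,
    }


def classify_dr7(dr7: int) -> str:
    """Map a raw DR7 value onto the cases Method 10 distinguishes."""
    info = decode_dr7(dr7)
    armed = [s["reg"] for s in info["slots"] if s["enabled"]]
    if armed:
        return "hardware breakpoints armed: " + ", ".join(armed)
    if info["le"] and info["ge"]:
        return "LE/GE set (the 0x700 pattern the text attributes to the SoftICE loader)"
    return "no debug registers in use (0x400 pattern)"


if __name__ == "__main__":
    # Constructed values: the two from the text, plus one BPM on dr0 (4-byte read/write)
    bpm_on_dr0 = 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)
    for value in (0x400, 0x700, bpm_on_dr0):
        print(hex(value), "->", classify_dr7(value))
```

The enable bits decide whether a BPM is present at all; LE/GE only tell the CPU to report data breakpoints exactly, which is why a plain 0x700 carries no breakpoint address of its own.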
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE VxD answers the open request, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

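Most of the tricks above (Methods 01 to 07, 11, 12 and 13) leave fixed byte sequences or strings in the protected file, so an analyst can find them in a sample before running it. The scanner below is an added example, not part of the original text and not taken from any of the tools it names: it matches the encodings the listings assemble to (16-bit code for the DOS methods, 32-bit for the Win32 ones). The gap allowed between instructions, the labels, and the embedded sample buffer are my assumptions; a packer that rewrites these sequences will not match, so a miss is not proof of absence.

```python
"""Static scanner for the SoftICE detection tricks listed on this page (added example)."""
import re
from typing import List, Tuple

# (label, pattern). An optional 0x66 prefix covers the opposite operand-size mode,
# e.g. 'mov ebp,imm32' inside 16-bit code or 'mov si,imm16' inside 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') ahead of the int 3
    ("Method 01 BoundsChecker 'BCHK' signature",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h followed by mov di,4A4Dh (int 3 back door magic values)
    ("Method 02 int 3 back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Methods 05/06: mov ax,4Fh ... int 41h
    ("Method 05/06 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,24}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("Method 07 int 68h/43h check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11: device names handed to CreateFileA / _lopen
    ("Method 11 SoftICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("Method 12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key naming the SoftICE installation
    ("Method 13 NuMega\\SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)


def found_methods(data: bytes) -> List[str]:
    """Distinct labels present, in page order (a one-line triage summary)."""
    return [label for label, pattern in SIGNATURES if pattern.search(data)]


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as handle:
        return scan(handle.read())


# Constructed sample: filler with the Haspinst.exe fragment of Method 02, the
# simplest Method 05 check and a Method 11 device name dropped in.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"                                   # mov ax,0911h
    + b"\x8B\x17"                                       # mov dx,[bx]
    + b"\xBE\x47\x46"                                   # mov si,4647h
    + b"\xBF\x4D\x4A"                                   # mov di,4A4Dh
    + b"\xCC"                                           # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"       # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                # '\\.\SICE',0
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Each hit is reported at the offset of the first instruction of the sequence, which is the place to set a breakpoint or to start reading the surrounding code when confirming the trick by hand.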
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed             ; ZF is clear when a debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>