<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands....
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
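To make the 0x700 / 0x400 values above concrete, here is an added DR7 decoder (example code written for this page, not part of the original text): it names the control bits that make up those two values and lists the DR0-DR3 slots that are enabled. The register snapshots it runs on are constructed.

```python
# Field layout of DR7 (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the
# L<n>/G<n> enable pairs for DR0-DR3, bit 8 (LE) and bit 9 (GE) ask for exact
# data-breakpoint matching, bit 10 is reserved and always reads as 1, bit 13 is
# GD, and bits 16-31 hold the R/W<n> (type) and LEN<n> (size) field of each slot.
RW_TYPE = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b (8 bytes) exists only in 64-bit mode


def dr7_flags(dr7):
    """Names of the global control bits set in dr7, in bit order."""
    names = {8: "LE", 9: "GE", 10: "reserved(bit10)", 13: "GD"}
    return [name for bit, name in sorted(names.items()) if (dr7 >> bit) & 1]


def active_breakpoints(dr7, dr0_3):
    """(slot, linear address, type, length) for each enabled DR0-DR3 slot.

    dr0_3 is the list of the four address registers read alongside DR7.
    """
    found = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        found.append((n, dr0_3[n], RW_TYPE[rw], LEN_BYTES[ln]))
    return found


def classify(dr7, dr0_3):
    """Reproduce the reading given in the text: 0x400 is the idle value (only
    the always-set bit 10), 0x700 adds LE|GE as the SoftICE loader leaves them,
    and any enabled slot means a hardware breakpoint (BPM) is armed."""
    if active_breakpoints(dr7, dr0_3):
        return "hardware breakpoints set"
    flags = dr7_flags(dr7)
    if "LE" in flags and "GE" in flags:
        return "exact-match bits set (SoftICE loader signature)"
    return "idle"


if __name__ == "__main__":
    # Constructed register snapshots, not values taken from a real machine.
    for dr7, regs in [(0x400, [0] * 4), (0x700, [0] * 4),
                      (0xF0401, [0x401000, 0, 0, 0])]:
        print(hex(dr7), dr7_flags(dr7), classify(dr7, regs),
              active_breakpoints(dr7, regs))
```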
" Z2 A8 v( B+ T6 A y
__________________________________________________________________________5 w) D7 P2 K) `7 S0 X- |
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025          ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
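The checks in Methods 01 to 05, 07, 11 and 12 all reduce to a few fixed instruction bytes or a device-name string, so an analyst triaging a packed sample can flag them statically. The following scanner is an added example (my code, not part of the original text): the byte patterns are the x86 encodings of the snippets above, the wildcard gaps between instructions are an assumption about how packers lay the code out, and the sample "code section" is constructed.

```python
import re

# Byte encodings of the SoftICE checks catalogued above, as a 16- or 32-bit
# x86 assembler emits them (an optional 66h operand-size prefix is allowed where
# 32-bit code would need one).  The short wildcard gaps are an assumption.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values, then int 3
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h entry point of SICE or SIWVID",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    ("07 int 68h/43h magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 11 (MeltICE / _lopen): the device names handed to CreateFileA
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, method label) for every anti-SoftICE pattern in blob."""
    hits = [(m.start(), label) for label, rx in SIGNATURES for m in rx.finditer(blob)]
    return sorted(hits)


# Constructed sample "code section": the Method 02 sequence from Haspinst.exe
# (mov ax,911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3), then the
# Method 05 check, then a MeltICE device-name string, separated by padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```

Run it over a dumped (unpacked) code section rather than the packed file, since these bytes only exist in memory once the packer's decryption stub has run.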
6 O5 Y" z' m; Z# m$ `: S' x__________________________________________________________________________
: d( a* E: [" s9 w; A! e+ s/ [$ T( u! C5 ^% ?
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>