<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the BCHK request
    cmp al,4                ; AL is still 4 if nothing answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must be 0 so that es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; a resident system debugger still answers with 0F386h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; reached only if nothing intercepted int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter: an unpredictable value in AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx pointing
to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Opening the SoftICE driver handle succeeds only when the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025           ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

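The breakpoints listed with each method catch a trick at run time under SoftICE; the same tricks can also be found statically, before running anything, by searching a binary for the byte encodings of the instruction sequences shown above (methods 01 to 07) and for the strings used by methods 11 and 13. The following Python scanner is an added example, not code from the original text or from any of the programs it names. The signature names and the tolerated gaps between instructions are my own choices, the opcode bytes are the standard x86 encodings of the listed instructions (16-bit operand size unless noted), and the sample buffer is constructed for the demonstration rather than taken from a real file.

```python
import re

# Added example: static signature scanner for the SoftICE checks listed above.
# Each pattern is the x86 encoding of an instruction sequence from the text;
# .{0,8} tolerates a few interleaved bytes, e.g. the MOV DX,[BX] inside the
# Haspinst.exe loop. Names and gap sizes are this example's own choices.
SIGNATURES = {
    # Method 01: MOV EBP,4243484Bh ('BCHK') ... INT 3 (66h prefix if 16-bit code)
    "m01_boundschecker_bchk": re.compile(rb"\x66?\xbd\x4b\x48\x43\x42.{0,12}\xcc", re.DOTALL),
    # Method 02: MOV SI,4647h / MOV DI,4A4Dh / INT 3 (back door magic values)
    "m02_backdoor_magic": re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc", re.DOTALL),
    # Methods 03/04: MOV AX,1684h / MOV BX,0202h or 7A5Fh / INT 2Fh
    "m03_04_int2f_1684": re.compile(
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.DOTALL),
    # Method 05: MOV AX,4Fh / INT 41h (magic number 0F386h probe)
    "m05_int41_4f": re.compile(rb"\xb8\x4f\x00.{0,8}\xcd\x41", re.DOTALL),
    # Method 07: MOV AH,43h / INT 68h
    "m07_int68_43": re.compile(rb"\xb4\x43.{0,8}\xcd\x68", re.DOTALL),
    # Method 11: device names handed to CreateFileA / _lopen
    "m11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: the NuMega registry key (key #2)
    "m13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}


def scan(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: NOP padding around three of the sequences above.
SAMPLE = (
    b"\x90" * 4
    # Haspinst.exe loop body: MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3
    + b"\xb8\x11\x09" + b"\x8b\x17" + b"\xbe\x47\x46" + b"\xbf\x4d\x4a" + b"\xcc"
    + b"\x90" * 4
    # Method 05: MOV AX,4Fh / INT 41h / CMP AX,0F386h
    + b"\xb8\x4f\x00" + b"\xcd\x41" + b"\x3d\x86\xf3"
    + b"\x90" * 4
    # NUL-terminated device name as MeltICE passes it to CreateFileA
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a whole file with `scan(open(path, "rb").read())`. Hits are leads, not proof: the magic constants are short, so a match should be confirmed in a disassembler, which is also where the gap sizes can be widened if a packer spreads the sequence out with junk instructions.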
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>