<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE answers by changing AL
        jnz SoftICE_Detected
__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0000:0000 if the VxD is absent
        jnz SoftICE_Detected
__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; ES must point to segment 0 (the IVT), as in Method 06
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone; a debugger answers F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC               ; our own handler: copies AL into CL
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a timer byte as a changing test value
        xor cx,cx
        int 41h                 ; if our handler ran, CL == AL
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected    ; SoftICE swallowed the int 41h: CL is still 0

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
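Each of the checks in Methods 01 to 13 leaves a distinctive byte pattern in the protected file, so an analyst triaging a sample can flag them statically. The scanner below is an added example written for this page (not code from the original text or from any tool it cites); its opcode encodings assume the standard 16/32-bit x86 forms of the instructions shown above, in the order shown, and the SAMPLE buffer is constructed from those snippets.

```python
import re

# Byte patterns for the SoftICE checks described in Methods 01-13.  The
# encodings are an assumption: standard 16-bit / 32-bit x86 forms of the
# instructions shown on the page, in the order the page shows them.  A
# protector that reorders instructions or builds the values at run time
# will not match.  (?:\x66)? allows the operand-size prefix of 32-bit code.
SIGNATURES = {
    "M01 mov ebp,'BCHK' (BoundsChecker int 3)": rb"\xBD\x4B\x48\x43\x42",
    "M02 int 3 backdoor magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46(?:\x00\x00)?\xBF\x4D\x4A(?:\x00\x00)?",
    "M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "M05 int 41h function 4Fh": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    "M05/07/12 cmp ax,0F386h": rb"(?:\x66)?\x3D\x86\xF3",
    "M07 int 68h function 43h": rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    "M13 NuMega registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return [(offset, signature name)] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test buffer: the page's snippets assembled back to back.
SAMPLE = (
    b"\x55\x8B\xEC"                                  # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"    # Method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02 (AX=0911h)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"            # Method 03
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"    # Method 05
    + b"\xB4\x43\xCD\x68"                            # Method 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"             # Method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"               # Method 13 key
)

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name in hits:
        print(f"{off:08x}  {name}")
```

A hit only says the pattern is present; confirm it in a disassembler, since the same bytes can occur by chance in data sections.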
</PRE></TD></TR></TBODY></TABLE>