<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: with EBP='BCHK' and AX=4,
int 3 comes back with AL changed when SoftICE answers; if AL is still 4,
nobody answered.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (If SoftICE is not loaded, jmp to 00AD*.)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
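Both probes above leave fixed byte patterns in a packed binary: the 'BCHK'
immediate loaded into EBP (Method 01) and the two magic words loaded into
SI and DI (Method 02), each followed shortly by an int 3 (CCh). The
following added example, which is not code from the original text, is a
small signature scanner that finds those two stubs in a byte buffer. The
sample buffer is hand-assembled from the Haspinst.exe listing above plus a
32-bit Method 01 stub with NOP filler; the INT3_WINDOW and LOAD_GAP
tolerances are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings of the immediates the two probes load (x86, little-endian):
 *   mov ebp, 4243484Bh -> BD 4B 48 43 42  (Method 01; 66h prefix in 16-bit code)
 *   mov si, 4647h      -> BE 47 46        (Method 02; 66h prefix in 32-bit code)
 *   mov di, 4A4Dh      -> BF 4D 4A
 *   int 3              -> CC                                                 */
static const uint8_t MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t MOV_SI_FG[]    = { 0xBE, 0x47, 0x46 };
static const uint8_t MOV_DI_JM[]    = { 0xBF, 0x4D, 0x4A };

#define INT3_WINDOW 16 /* assumed: int 3 must follow the last load within this */
#define LOAD_GAP     8 /* assumed: max bytes between the two loads of Method 02 */

static int match_at(const uint8_t *buf, size_t len, size_t pos,
                    const uint8_t *pat, size_t patlen)
{
    return pos + patlen <= len && memcmp(buf + pos, pat, patlen) == 0;
}

/* 1 if an int 3 (CCh) occurs in buf[from, from + INT3_WINDOW). */
static int int3_follows(const uint8_t *buf, size_t len, size_t from)
{
    size_t end = from + INT3_WINDOW < len ? from + INT3_WINDOW : len;
    for (size_t i = from; i < end; i++)
        if (buf[i] == 0xCC)
            return 1;
    return 0;
}

/* Method 01: mov ebp,'BCHK' ... int 3. Returns the offset of the mov, or -1. */
long find_bchk_probe(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (match_at(buf, len, i, MOV_EBP_BCHK, sizeof MOV_EBP_BCHK) &&
            int3_follows(buf, len, i + sizeof MOV_EBP_BCHK))
            return (long)i;
    return -1;
}

/* Method 02: mov si,4647h and mov di,4A4Dh (either order, at most LOAD_GAP
 * bytes apart) followed by int 3. Returns the offset of the first load, or -1. */
long find_backdoor_probe(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        const uint8_t *second;
        if (match_at(buf, len, i, MOV_SI_FG, sizeof MOV_SI_FG))
            second = MOV_DI_JM;
        else if (match_at(buf, len, i, MOV_DI_JM, sizeof MOV_DI_JM))
            second = MOV_SI_FG;
        else
            continue;
        /* both loads are 3 bytes long, so the second one starts at i + 3 or later */
        for (size_t j = i + 3; j <= i + 3 + LOAD_GAP; j++)
            if (match_at(buf, len, j, second, 3) && int3_follows(buf, len, j + 3))
                return (long)i;
    }
    return -1;
}

/* Constructed sample: a 32-bit Method 01 stub, then the 16-bit Haspinst.exe
 * loop from Method 02, hand-assembled, with NOP filler between them. */
const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90,                    /* filler                        */
    0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp, 4243484Bh  ('BCHK')  */
    0x66, 0xB8, 0x04, 0x00,        /* mov ax, 4                     */
    0xCC,                          /* int 3                         */
    0x3C, 0x04,                    /* cmp al, 4                     */
    0x75, 0x10,                    /* jnz SoftICE_Detected          */
    0x90, 0x90, 0x90, 0x90,        /* filler                        */
    0xB8, 0x11, 0x09,              /* 0095: mov ax, 0911h           */
    0x8B, 0x17,                    /* 0098: mov dx, [bx]            */
    0xBE, 0x47, 0x46,              /* 009A: mov si, 4647h           */
    0xBF, 0x4D, 0x4A,              /* 009D: mov di, 4A4Dh           */
    0xCC,                          /* 00A0: int 3                   */
    0x83, 0xC3, 0x02,              /* 00A1: add bx, 2               */
    0x41,                          /* 00A4: inc cx                  */
    0x83, 0xF9, 0x06,              /* 00A5: cmp cx, 6               */
    0x72, 0xEB,                    /* 00A8: jb 0095                 */
    0xE9, 0x55, 0xFF,              /* 00AA: jmp 0002                */
    0x8B, 0xDC,                    /* 00AD: mov bx, sp              */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    printf("BCHK probe at offset %ld\n", find_bchk_probe(SAMPLE_CODE, SAMPLE_CODE_LEN));
    printf("back door probe at offset %ld\n", find_backdoor_probe(SAMPLE_CODE, SAMPLE_CODE_LEN));
    return 0;
}
```

The scanner only looks at the immediates, so it does not care whether the
stub is 16-bit or 32-bit code (the 66h operand-size prefix just sits in
front of the opcode). Requiring a nearby CCh keeps the 'FG'/'JM' words from
firing on unrelated data, but a protector that computes the magic values at
run time instead of loading them as immediates will not be found this way.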
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

Because ES and DI are zeroed before the call, an unanswered int 2Fh leaves
ES:DI = 0000:0000. Note that the ADD is a sloppy null test: a real entry
point whose segment and offset sum to a multiple of 10000h (ES=0FFFFh,
DI=0001h, for instance) would read as zero; OR AX,DI would be exact.

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The simplest one:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). For the duration of the call it points
the int 41h vector at a handler that does nothing, so the installed DOS
handler cannot be the one returning 0F386h; only a debugger that intercepts
int 41h before it reaches the vector table (SoftICE) can:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, old vector saved in BX:DX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect: there is
no 4Fh function code to break on. A byte read from the timer port (40h) is
used as a nonce, and the temporary handler just copies AL into CL. If the
installed handler ran, CL equals AL afterwards; if SoftICE swallowed the
interrupt before it reached the vector, CL is still 0. (If the timer byte
happens to be 0 the check misses SoftICE, so the trick is not 100% reliable.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; nonce: low byte of PIT counter 0
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detection of SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or whether memory breakpoints
are set (DR0 to DR3), simply by reading their values (ring 0 only). The
values can be manipulated or changed as well (clearing BPMs, for instance).
In DR7, 0x400 is only the reserved bit 10, which always reads as 1; 0x700
adds the LE and GE 'exact match' bits 8 and 9. Bits 0-7 are the local and
global enables of the four slots DR0-DR3, and bits 16-31 hold each slot's
R/W and LEN fields, so a BPM shows up as a non-zero value there.

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);  /* the open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA it goes through the VWIN32 0x001F service
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>