<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below)
4C19:009A MOV SI,4647 ; 1st magic value
4C19:009D MOV DI,4A4D ; 2nd magic value
4C19:00A0 INT 3 ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands
4C19:00AA JMP 0002 ; Bad_Guy jmp back
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax ; ES:DI left at 0 -> no such VxD
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in a dummy int 41h handler (assumes es = 0, real-mode IVT)
 xchg bx, es:[41h*4+2]
 mov ax, 4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl, al ; only reached if the vector we installed is really used
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable value from the timer
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl, al ; cl != al means our handler was bypassed
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
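Added example, not part of the original text: a small decoder for the DR7 bits that the check above reads. It shows what separates the two values quoted above, 0x700 and 0x400 (bits 8 and 9, the LE/GE exact-breakpoint enables), and which of DR0..DR3 a set of BPMs would arm; the field layout is the architectural x86 one, not anything SoftICE-specific, and the value 0xF0402 is constructed for the demo.

```python
# Added example: decode a DR7 value the way a Method 10 style check reads it.
# Field layout is the architectural x86 DR7 layout (Intel SDM vol. 3, Debug
# Registers); 0x700 / 0x400 are the two values quoted in the text above.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io (CR4.DE)", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the per-slot condition encoded in DR7."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3 live in bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3 live in bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/Wn: which access triggers
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENn: size of watched range
        slots.append({"enabled": local or glob,
                      "kind": RW_KIND[rw],
                      "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & 0x100),    # bit 8: local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # bit 9: global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),   # bit 13: trap any MOV to/from DR0-DR7
        "slots": slots,
    }


def active_slots(dr7: int) -> list:
    """Indices of DR0..DR3 that are armed, i.e. what 'BPMs set' looks like."""
    return [i for i, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def exact_enables_set(dr7: int) -> bool:
    """True when LE and GE are both on: the whole 0x700 vs 0x400 difference."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


if __name__ == "__main__":
    # the text's two values plus a constructed one: G0 set, R/W0=11, LEN0=11
    for v in (0x400, 0x700, 0xF0402):
        print(f"dr7={v:#x}: LE+GE={exact_enables_set(v)} armed={active_slots(v)}")
```

With GD (bit 13) set, the CPU raises #DB before any instruction that reads or writes a debug register, which is how a debugger can itself trap this kind of read.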

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
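Added example, not part of the original text and not the author's code: a Python scanner for the byte patterns behind Methods 01 to 07 and the device names of Method 11, the sort of thing an analyst runs over a packed sample to tell which of these checks it carries. The encodings are the plain 16-bit ones with an optional 66h prefix so the same instructions in 32-bit code match too; the sample blob is constructed here, and the method numbers refer to the sections above.

```python
import re

# Added example: static signatures for the checks described in Methods 01-07
# and the device names of Method 11.  Encodings are the 16-bit ones; the
# optional 0x66 prefix also accepts the same instructions in 32-bit code.
SIGNATURES = {
    # mov ebp,'BCHK' / mov ax,4 / int 3                         (Method 01)
    "01": rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc",
    # mov si,4647h / mov di,4A4Dh ... int 3                     (Method 02)
    "02": rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a.{0,8}?\xcc",
    # mov ax,1684h / mov bx,0202h / int 2Fh  (SICE VxD ID)      (Method 03)
    "03": rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02\xcd\x2f",
    # mov ax,1684h / mov bx,7A5Fh / int 2Fh  (SIWVID VxD ID)    (Method 04)
    "04": rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a\xcd\x2f",
    # mov ax,4Fh / int 41h ... cmp ax,0F386h                    (Method 05)
    "05": rb"\x66?\xb8\x4f\x00\xcd\x41.{0,16}?\x66?\x3d\x86\xf3",
    # mov ah,43h / int 68h ... cmp ax,0F386h                    (Method 07)
    "07": rb"\xb4\x43\xcd\x68.{0,8}?\x66?\x3d\x86\xf3",
    # "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" as a C string     (Method 11)
    "11": re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)\x00",
}
COMPILED = {mid: re.compile(pat, re.DOTALL) for mid, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return sorted (offset, method_id) pairs for every signature in blob."""
    hits = []
    for mid, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), mid))
    return sorted(hits)


# Constructed sample: four checks back to back (as 16-bit code), then the
# device-name string a MeltICE-style check passes to CreateFileA.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"            # mov ebp, 04243484Bh ('BCHK')
    + b"\xb8\x04\x00\xcc\x3c\x04\x75\x00"    # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xb8\x11\x09"                        # mov ax, 0911h (execute command)
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"    # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, mid in scan(SAMPLE):
        print(f"{off:#06x}  Method {mid}")
```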

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>