About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognises
on int 3:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker "are you there?" request
    int     3                      ; SoftICE services it and modifies AL
    cmp     al,4                   ; AL untouched -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh, AX=1684h
(Get VxD API entry point). ES:DI comes back as 0:0 when the VxD is not loaded.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0 -> no entry point -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode interrupt vector table
                                    ; (assumed here; the listing as posted omits it)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; temporarily replace the int 41h vector
    xchg    bx, es:[41h*4+2]        ; with our own dummy handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Because SoftICE traps int 41h before the real-mode vector is consulted, it still
answers 0F386h even though the vector now points at a handler that returns AX
untouched; without SoftICE the dummy handler runs and AX stays 4Fh.

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect, since
it uses neither function 4Fh nor the 0F386h constant: the dummy handler copies
AL into CL, so CL equals AL afterwards only if that handler actually ran,
i.e. if nothing else swallowed the interrupt.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an unpredictable value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h                    ; DOS set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring 0 only, since MOV from a debug register is privileged). The values
can be manipulated or changed as well (clearing BPMs for instance).
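As an added illustration (not part of the original text, and not SoftICE code): a small C decoder for the DR7 layout that Method 10 relies on. The register values are passed in as constructed samples, since MOV from DR0..DR7 is privileged and only works from ring 0 as the text says; the bit layout itself is the architectural one from the Intel manuals. It shows why 0x400 is the idle value (bit 10 is reserved and reads as 1), that 0x700 means the LE and GE bits are additionally set, and how to enumerate the hardware breakpoints (BPMs) a debugger has planted in DR0..DR3.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original text): decoder for the DR7 layout that
 * Method 10 reads.  Register values are passed in as constructed samples,
 * because MOV from DR0..DR7 is privileged (ring 0 only) as the text says.
 * DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0..7     L0,G0 .. L3,G3  per-slot enable bits
 *   bits 8, 9     LE, GE          "exact" bits; the 0x300 that turns 0x400 into 0x700
 *   bit  10       reserved, always reads as 1 -> the 0x400 baseline
 *   bit  13       GD              general detect: trap on any DRx access
 *   bits 16+4*i   R/W<i>          00 exec, 01 write, 10 I/O (needs CR4.DE), 11 read/write
 *   bits 18+4*i   LEN<i>          00 1 byte, 01 2 bytes, 10 8 bytes (64-bit), 11 4 bytes
 */

typedef struct {
    int      slot;          /* which of DR0..DR3 holds the address */
    bool     local, global; /* L<slot> / G<slot> */
    int      rw;            /* raw R/W field, see table above */
    int      len_bytes;
    uint32_t addr;          /* linear address from DR<slot> */
} hwbp_t;

typedef struct {
    bool   le, ge, gd;
    int    count;           /* number of enabled slots */
    hwbp_t bp[4];
} dr7_info_t;

dr7_info_t decode_dr7(uint32_t dr7, const uint32_t dr[4])
{
    static const int len_tab[4] = {1, 2, 8, 4};
    dr7_info_t info = {0};
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        bool l = (dr7 >> (2 * i)) & 1;
        bool g = (dr7 >> (2 * i + 1)) & 1;
        if (!l && !g)
            continue;               /* slot disabled: DRi content is irrelevant */
        hwbp_t *b = &info.bp[info.count++];
        b->slot      = i;
        b->local     = l;
        b->global    = g;
        b->rw        = (dr7 >> (16 + 4 * i)) & 3;
        b->len_bytes = len_tab[(dr7 >> (18 + 4 * i)) & 3];
        b->addr      = dr[i];
    }
    return info;
}

/* The two decisions Method 10 describes. */
bool loaded_by_softice_loader(uint32_t dr7) { return (dr7 & 0x300) == 0x300; } /* 0x700 vs 0x400 */
bool bpm_present(uint32_t dr7)             { return (dr7 & 0xFF) != 0; }         /* any Ln/Gn set */

int main(void)
{
    /* constructed samples: the two values the text quotes, then a DR7 with a
     * 4-byte write BPM in slot 0 and a 2-byte read/write BPM in slot 2 */
    const uint32_t samples[] = { 0x400, 0x700, 0x070D0421 };
    const uint32_t dr[4] = { 0x00401000, 0, 0x00402000, 0 };
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        dr7_info_t in = decode_dr7(samples[s], dr);
        printf("DR7=%08x loader=%d BPM=%d LE=%d GE=%d GD=%d slots=%d\n",
               (unsigned)samples[s], loaded_by_softice_loader(samples[s]),
               bpm_present(samples[s]), in.le, in.ge, in.gd, in.count);
        for (int i = 0; i < in.count; i++)
            printf("  DR%d %s %s len=%d addr=%08x\n", in.bp[i].slot,
                   in.bp[i].local ? "local" : "global", rw_name[in.bp[i].rw],
                   in.bp[i].len_bytes, (unsigned)in.bp[i].addr);
    }
    return 0;
}
```

The same decode is what an anti-debug routine in ring 0 would run on the live registers; the point of splitting it from the MOV DRx read is that the logic can be checked (and the 0x700/0x400 claim understood) on any machine.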

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
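Added example, not from the original text and not SoftICE itself: a host-side C model of the conditional breakpoints quoted for Method 11 (BPX CreateFileA if *(esp->4+4)=='SICE' ...) and for this method (BPX _regopenkey if *(esp->8+0x13)=='tICE' ...). SoftICE's *(ptr+off)=='ABCD' reads one dword at ptr+off and compares it with a four-character literal; the model does the same with a bounded 4-byte compare on the string argument the API would receive, and also shows where the 0x13 and 0x37 offsets come from. The device names and key paths fed to it are constructed samples.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original text, not SoftICE code): a host-side
 * model of two SoftICE conditional breakpoints.  SoftICE's  *(p+off)=='ABCD'
 * reads one dword at p+off and compares it with a 4-character literal; here
 * that is a bounded 4-byte compare on the string the API would receive. */

/* True if the 4 bytes at s+off are exactly tag (tag is 4 characters long). */
static bool dword_at_equals(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)    /* string too short: the dword would lie past it */
        return false;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (the first argument); +4 skips the "\\.\" prefix. */
bool bpx_createfilea_fires(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (the second argument of RegOpenKey). */
bool bpx_regopenkey_fires(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* Where such fixed offsets come from: position of tag in path, or -1 if the
 * tag never occurs (then no fixed-offset condition can catch that key). */
long tag_offset(const char *path, const char *tag)
{
    const char *p = strstr(path, tag);
    return p ? (long)(p - path) : -1L;
}

int main(void)
{
    /* constructed sample arguments, not captured from any real program */
    const char *names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\README.TXT", "SICE"
    };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",     /* #1 */
        "Software\\NuMega\\SoftICE",                                            /* #2 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" /* #3 */
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", names[i],
               bpx_createfilea_fires(names[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> 'tICE' at %ld, %s\n", keys[i],
               tag_offset(keys[i], "tICE"),
               bpx_regopenkey_fires(keys[i]) ? "break" : "pass");
    return 0;
}
```

Running it confirms that 0x13 and 0x37 are exactly the positions of 'tICE' in keys #2 and #1, and that key #3 (App Paths\Loader32.Exe) contains no 'tICE' at all, so the breakpoint as written never fires for a program that queries only that key.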

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed         ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>