<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es must hold 0 (IVT segment) here; see Method 06 for the setup
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler runs only if int 41h reaches the IVT vector
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: a value that is hard to predict
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl still 0 if SoftICE swallowed the int 41h
        jnz SoftICE_Detected

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
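To reason about the DR7 values mentioned above without touching ring0, here is an added example (not from the original text) that decodes DR7 by the standard x86 bit layout: it reports whether the LE/GE pair that distinguishes 0x700 from 0x400 is set and which of DR0..DR3 carry a memory breakpoint. The sample values fed to it at the bottom are constructed.

```python
# Added example (not part of the original text): decode the DR7 debug control
# register so a value read in ring0 (Method 10) or taken from a dump can be
# interpreted offline. Bit layout is the standard x86 DR7 definition.
from dataclasses import dataclass, field
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)

@dataclass
class Dr7Info:
    value: int
    armed: List[Dict] = field(default_factory=list)  # one entry per enabled DR0..DR3
    local_exact: bool = False     # LE, bit 8
    global_exact: bool = False    # GE, bit 9
    general_detect: bool = False  # GD, bit 13: trap on any MOV to/from a debug register

def decode_dr7(dr7: int) -> Dr7Info:
    info = Dr7Info(value=dr7,
                   local_exact=bool(dr7 & (1 << 8)),
                   global_exact=bool(dr7 & (1 << 9)),
                   general_detect=bool(dr7 & (1 << 13)))
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))       # Ln
        global_en = bool(dr7 & (1 << (2 * n + 1)))  # Gn
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3               # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3               # LENn
        info.armed.append({"reg": f"DR{n}", "local": local_en, "global": global_en,
                           "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return info

def any_memory_breakpoint(dr7: int) -> bool:
    """True when any of DR0..DR3 is enabled, i.e. a BPM is set."""
    return bool(dr7 & 0xFF)

def looks_like_softice_loader(dr7: int) -> bool:
    """The text reports dr7=0x700 when the target was started from the SoftICE
    loader and 0x400 otherwise. Bit 10 (0x400) is reserved and always reads 1;
    0x700 adds LE and GE (bits 8 and 9), so that is the pair to test for."""
    return (dr7 & 0x300) == 0x300

def describe(dr7: int) -> str:
    info = decode_dr7(dr7)
    parts = [f"DR7={dr7:#x}", "loader-style LE/GE" if looks_like_softice_loader(dr7) else "no LE/GE"]
    parts += [f"{a['reg']}:{a['type']}/{a['length']}B" for a in info.armed] or ["no BPM"]
    return " ".join(parts)

if __name__ == "__main__":
    # constructed values: plain, loader-style, and loader-style plus a 4-byte write BPM in DR0
    for v in (0x400, 0x700, 0x700 | 0x2 | (1 << 16) | (3 << 18)):
        print(describe(v))
```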

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds when the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025            ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp  eax,-001
 00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov  eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589            ; detected
        push 00                  ; OF_READ
        mov  eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae            ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxDCall
        cmp  ax, 0F386h          ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
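The breakpoints above catch these checks live under SoftICE. As an added example (not from the original text), here is a small static scanner that looks for the byte encodings of the instruction sequences and strings from Methods 01-05, 07, 11, 12 and 13 in a file image, so the checks can be located in a disassembler before the target is ever run. The encodings are the standard x86 ones for the instructions shown in each method (plain 16-bit forms plus the 0x66-prefixed 32-bit equivalents); the sample image is constructed.

```python
# Added example (not part of the original text): static scanner for the
# byte sequences left in a binary by the SoftICE checks described above.
# Plain forms are what 16-bit (DOS/Win16) code uses; the 0x66-prefixed
# forms are the 32-bit (Win32) encodings of the same 16-bit register moves.
from typing import Dict, List, Tuple

SIGNATURES: Dict[str, List[bytes]] = {
    "Method 01 (BCHK signature)": [
        b"\xbd\x4b\x48\x43\x42"],                    # mov ebp, 4243484Bh
    "Method 02 (INT 3 back door magic values)": [
        b"\xbe\x47\x46\xbf\x4d\x4a",                 # mov si,4647h / mov di,4A4Dh
        b"\x66\xbe\x47\x46\x66\xbf\x4d\x4a"],
    "Method 03 (INT 2Fh/1684h SICE VxD ID)": [
        b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f",         # mov ax,1684h / mov bx,0202h / int 2Fh
        b"\x66\xb8\x84\x16\x66\xbb\x02\x02\xcd\x2f"],
    "Method 04 (INT 2Fh/1684h SIWVID VxD ID)": [
        b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f",         # mov ax,1684h / mov bx,7A5Fh / int 2Fh
        b"\x66\xb8\x84\x16\x66\xbb\x5f\x7a\xcd\x2f"],
    "Method 05 (INT 41h/4Fh)": [
        b"\xb8\x4f\x00\xcd\x41",                     # mov ax,4Fh / int 41h
        b"\xcd\x41\x3d\x86\xf3"],                    # int 41h / cmp ax,0F386h
    "Method 07 (INT 68h/43h)": [
        b"\xb4\x43\xcd\x68"],                        # mov ah,43h / int 68h
    "Method 11 (MeltICE device names)": [
        b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "Method 12 (VxDCall VWIN32_Int41Dispatch)": [
        b"\x6a\x4f\x68\x2a\x00\x2a\x00",             # push 4Fh / push 002A002Ah
        b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"],
    "Method 13 (NuMega registry key)": [
        b"Software\\NuMega\\SoftICE"],
}

def find_all(blob: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in blob (overlaps included)."""
    hits, pos = [], blob.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(pattern, pos + 1)
    return hits

def scan_for_softice_checks(blob: bytes) -> List[Tuple[str, int, bytes]]:
    """(method, offset, matched bytes) for each hit, ordered by offset."""
    found = []
    for method, patterns in SIGNATURES.items():
        for pat in patterns:
            found.extend((method, off, pat) for off in find_all(blob, pat))
    return sorted(found, key=lambda hit: hit[1])

def methods_present(blob: bytes) -> List[str]:
    return sorted({method for method, _, _ in scan_for_softice_checks(blob)})

# Constructed sample image: the head of the HASPINST loop from Method 02 (16-bit),
# the MeltICE device name, then the simplest Method 05 check, with filler bytes.
SAMPLE = (b"\x90" * 4
          + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov ax,911h / mov dx,[bx] / si / di / int 3
          + b"\x00" * 8 + b"\\\\.\\SICE\x00"
          + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10")          # mov ax,4Fh / int 41h / cmp / jz

if __name__ == "__main__":
    for method, off, pat in scan_for_softice_checks(SAMPLE):
        print(f"{off:#06x}  {method}  {pat.hex()}")
```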
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>