<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is no longer 4 if SoftICE answered the 'BCHK' request
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so a debugger must patch the result itself to be noticed:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap our handler into the int 41h vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al ; the handler copies al into cl...
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; ...of a value read from the timer, hard to predict
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al means our handler was not the one that ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* try to open the Win9x SoftICE VxD through its device name */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the driver answered: SoftICE is loaded */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
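Most of the tricks above leave fixed byte sequences in the protected file, so they can be spotted
statically as well as with breakpoints. The scanner below is an added example, not part of the
original text: it flags the fingerprints of methods 01, 02, 03/04, 05, 07, 11 and 12. Its opcode
encodings (16-bit code for the interrupt tricks, 32-bit for the BoundsChecker check and the
VxDCall pushes), the allowed gaps between instructions and the sample buffer are assumptions.

```python
import re

# Byte-level fingerprints of the SoftICE checks described on this page.
# Assumptions of this example: the DOS interrupt tricks are 16-bit code,
# the BoundsChecker check and the VxDCall pushes are 32-bit code, and a
# few instructions (at most 8 or 16 bytes) may sit between the pieces.
SIGNATURES = {
    "01 BoundsChecker: mov ebp,4243484Bh ... int 3 / cmp al,4":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC\x3C\x04", re.S),
    "02 back door: mov si,4647h / mov di,4A4Dh ... int 3":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.S),
    "03 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    "05 int 41h/4Fh then cmp ax,0F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    "07 int 68h/43h then cmp ax,0F386h":
        re.compile(rb"\xB4\x43\xCD\x68.{0,16}?\x3D\x86\xF3", re.S),
    "11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12 VxDCall: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch)":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(blob):
    """Return (method, offset) pairs for every fingerprint found, by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def methods_present(blob):
    """Return the sorted, de-duplicated method numbers found in blob."""
    return sorted({name[:2] for name, _ in scan(blob)})


# Constructed sample: NOP filler with three of the tricks embedded at
# known offsets (16, 37, 55 and 64); not taken from any real program.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"              # method 05
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # method 11
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  method {name}")
```

Run it over a whole file with scan(open(path, "rb").read()); a hit is a lead to check under the debugger, not proof, since the same bytes can occur by chance in data.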

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>