<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call. (If SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI == 0000:0000 when no such VxD
        jnz SoftICE_Detected
____________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (added so the
                                ; es:[41h*4] accesses below address the IVT)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own (empty) int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; still answered by SoftICE if it is resident
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing byte from the timer
        xor cx,cx
        int 41h                 ; if SoftICE took the interrupt, CL stays 0
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the driver by its device name; succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
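
A static scan for the tricks catalogued in Methods 01 to 05, 07, 11, 12 and 13, as an added example (not from the original text, nor from any program it names): the byte signatures are the standard x86 encodings of the listed instruction sequences plus the quoted device names and registry keys, and the sample buffer is constructed.

```python
import re
from typing import Dict, List

# Literal strings the page quotes: Method 11 device names (MeltICE / _lopen)
# and Method 13 registry key fragments, as the bytes that sit in the binary.
LITERALS: Dict[str, List[bytes]] = {
    "11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                b"CurrentVersion\\Uninstall\\SoftICE",
                                b"App Paths\\Loader32.Exe"],
}

# Instruction sequences from the listings, as regexes over raw bytes using the
# standard x86 encodings (B8 iw = mov ax,imm16; BE/BF iw = mov si/di,imm16;
# CD ib = int; 3D iw = cmp ax,imm16; BD id = mov ebp,imm32; 6A/68 = push imm).
# '.{0,n}?' with DOTALL absorbs unrelated bytes the page leaves unspecified.
OPCODES: Dict[str, bytes] = {
    "01 BoundsChecker 'BCHK' via int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    "02 back door magic SI=4647h DI=4A4Dh + int 3":
        rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC",
    "03/04 int 2Fh/1684h with SoftICE VxD ID":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "05 int 41h/4Fh expecting 0F386h":
        rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3",
    "07 int 68h/43h expecting 0F386h":
        rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    "12 VxDCall VWIN32_Int41Dispatch fn 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(sample: bytes) -> List[str]:
    """Return the names of every catalogued trick whose signature occurs in sample."""
    hits = [name for name, needles in LITERALS.items()
            if any(n in sample for n in needles)]
    hits += [name for name, pattern in OPCODES.items()
             if re.search(pattern, sample, re.DOTALL)]
    return hits


# Constructed sample: the Haspinst.exe sequence from Method 02 (B8 11 09 =
# mov ax,0911h; 8B 17 = mov dx,[bx]), a MeltICE device name and the Method 03
# int 2Fh probe, padded with NOPs.  Not bytes taken from any real program.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x90" * 4 + b"\\\\.\\SICE\x00"
          + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("anti-SoftICE trick found:", hit)
```

A hit only says the byte sequence is present; Methods 06, 08, 09, 10 and 14 have no fixed pattern in the listings and are not covered.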
</PRE></TD></TR></TBODY></TABLE>