About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
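The post gives SoftICE breakpoints for catching each trick at run time; the static counterpart, for an analyst triaging a sample without running it, is to scan the file for the constants the methods depend on. The scanner below is an added example, not part of the original post: the instruction encodings are my own derivation from the listings above (16-bit immediates as in the DOS fragments, with an optional 0x66 prefix for 32-bit code), and the sample blob is constructed, not taken from any real binary.

```python
import re

# Byte signatures for the anti-SoftICE tricks listed above. Encodings are an
# assumption derived from the page's assembly: 'mov ebp,imm32' = BD imm32,
# 'mov si,imm16' = BE, 'mov di,imm16' = BF, 'mov bx,imm16' = BB,
# 'mov ax,imm16' = B8, 'mov ah,imm8' = B4, 'cmp ax,imm16' = 3D, 'int n' = CD n.
# Up to 8 bytes may sit between the two instructions of a pair.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' check (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("Method 02: back door magic values (mov si,4647h ... mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("Method 03: int 2Fh/1684h, SICE VxD id (mov bx,0202h ... int 2Fh)",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 04: int 2Fh/1684h, SIWVID VxD id (mov bx,7A5Fh ... int 2Fh)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 05: int 41h function 4Fh (mov ax,4Fh ... int 41h)",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("Method 07: int 68h function 43h (mov ah,43h ... int 68h)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("Methods 05/07/12: compare with magic number (cmp ax,0F386h)",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("Method 11: MeltICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 13: NuMega registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample blob (not a real binary): Method 01, the Method 02
# sequence from the Haspinst.exe listing, and the MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh   'BCHK'
    + b"\xB8\x04\x00"           # mov ax,04h
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al,4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\xB8\x11\x09"           # mov ax,0911h   execute command
    + b"\xBE\x47\x46"           # mov si,4647h   1st magic value
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh   2nd magic value
    + b"\xCC"                   # int 3
    + b"\\\\.\\SICE\x00"        # '\\.\SICE',0
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04X}  {label}")
```

Run against a whole file with `scan(open(path, "rb").read())`; a hit only says the constant is present, so confirm it in a disassembler before drawing conclusions.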