<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

 mov ebp, 04243484Bh  ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4             ; if SoftICE handled the BCHK request, AL is no longer 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911   ; execute command.
 4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647   ; 1st magic value.
 4C19:009D MOV DI,4A4D   ; 2nd magic value.
 4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
 4C19:00A8 JB 0095       ; 6 different commands.
 4C19:00AA JMP 0002      ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax           ; ES:DI stays 0 when no VxD answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; ES must already be 0 (the interrupt vector table), as in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our dummy handler, saving the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h                  ; a plain DOS int 41h now returns AX unchanged
 xchg dx, es:[41h*4]      ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h           ; SoftICE still answers with the magic number
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; our own handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax               ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install our handler, saving the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h              ; a varying value (PIT counter low byte)
 xor cx,cx
 int 41h                 ; if our handler ran, CL == AL afterwards
 xchg dx, es:[41h*4]     ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected    ; CL != AL: int 41h was intercepted before our handler

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...).

 mov ah, 25h                    ; DOS: set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
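
As an added illustration of the dr7 values quoted above (this is not part of the original document), the following Python decoder splits a DR7 value into its fields and reports which of DR0 to DR3 hold an enabled breakpoint; the bit layout is the x86 debug-register definition, and the function names and sample values are constructed here.

```python
# Added example (not from the document): decode DR7 the way Method 10 reads
# it.  Bit layout is the x86 debug-register definition; values are constructed.

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the fields that matter for breakpoint detection."""
    return {
        "L": [bool((dr7 >> (2 * n)) & 1) for n in range(4)],      # L0..L3
        "G": [bool((dr7 >> (2 * n + 1)) & 1) for n in range(4)],  # G0..G3
        "LE": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: trap any MOV to DRx
        "RW": [(dr7 >> (16 + 4 * n)) & 3 for n in range(4)],  # 0=exec 1=write 3=r/w
        "LEN": [(dr7 >> (18 + 4 * n)) & 3 for n in range(4)], # 0=1 1=2 3=4 bytes
    }

def bpm_status(dr7: int) -> tuple:
    """Classify DR7 as Method 10 does: enabled BPM slots, else the idle value.
    Bit 10 of DR7 always reads as 1, hence the idle value 0x400; the SoftICE
    loader additionally leaves LE and GE set, giving 0x700."""
    f = decode_dr7(dr7)
    active = [n for n in range(4) if f["L"][n] or f["G"][n]]
    if active:
        return "memory breakpoints set", active
    if f["LE"] and f["GE"]:
        return "SoftICE loader signature (dr7 == 0x700)", []
    return "no debugger traces (dr7 == 0x400)", []

def describe_bpm(dr7: int, n: int, dr_addr: int) -> str:
    """One line for breakpoint slot n, given the matching DRn address."""
    f = decode_dr7(dr7)
    kind = {0: "execute", 1: "write", 2: "io", 3: "read/write"}[f["RW"][n]]
    size = {0: 1, 1: 2, 2: 8, 3: 4}[f["LEN"][n]]
    scope = "global" if f["G"][n] else "local"
    return "DR%d: %s %s, %d byte(s) at %08X" % (n, scope, kind, size, dr_addr)

if __name__ == "__main__":
    # Constructed: DR1 holds a global 4-byte write breakpoint (a BPM) at 0040103C
    DR7 = 0x400 | (1 << 3) | (1 << 20) | (3 << 22)        # == 0xD00408
    for value in (0x700, 0x400, DR7):
        print("dr7=%08X ->" % value, bpm_status(value))
    for slot in bpm_status(DR7)[1]:
        print(describe_bpm(DR7, slot, 0x0040103C))
```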
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )   /* the driver answered: SoftICE is loaded */
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

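Since the tricks of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 each leave fixed immediates or strings in a binary, here is an added Python scanner (not part of the original document) that flags them in a raw code sample from the analyst's side; the byte encodings are the standard 16-bit x86 forms, and the names SIGNATURES, scan and SAMPLE, as well as the sample buffer, are constructed here.

```python
import re

# Added example (not from the document): byte-level signatures for the tricks
# above, for scanning a sample from the analyst's side.  Encodings assume
# 16-bit operand size (the 66h-prefixed 32-bit forms contain the same bytes);
# every regex in an entry must match somewhere for the trick to be reported.
SIGNATURES = {
    "Method 01 (BoundsChecker 'BCHK' int 3 check)": [
        rb"\xBD\x4B\x48\x43\x42",          # mov ebp, 4243484Bh
    ],
    "Method 02 (int 3 back door, SI=4647h DI=4A4Dh)": [
        rb"\xBE\x47\x46",                  # mov si, 4647h
        rb"\xBF\x4D\x4A",                  # mov di, 4A4Dh
    ],
    "Method 03/04 (int 2Fh/1684h VxD entry point)": [
        rb"\xB8\x84\x16",                  # mov ax, 1684h
        rb"\xBB(?:\x02\x02|\x5F\x7A)",     # mov bx, 0202h or mov bx, 7A5Fh
        rb"\xCD\x2F",                      # int 2Fh
    ],
    "Method 05 (int 41h/4Fh debugger check)": [
        rb"\xB8\x4F\x00",                  # mov ax, 4Fh
        rb"\xCD\x41",                      # int 41h
    ],
    "Method 07 (int 68h/43h V86 handler check)": [
        rb"\xB4\x43\xCD\x68",              # mov ah, 43h / int 68h
    ],
    "Method 11 (MeltICE driver handle open)": [
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",   # "\\.\SICE",0 and friends
    ],
    "Method 12 (VxDCall VWIN32_Int41Dispatch)": [
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",  # push 4Fh / push 002A002Ah
    ],
    "Method 13 (SoftICE registry keys)": [
        rb"(?i)NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
    ],
}

def scan(sample: bytes) -> list:
    """Return the names of every trick whose signatures all occur in sample."""
    return [name for name, pats in SIGNATURES.items()
            if all(re.search(p, sample) for p in pats)]

# Constructed sample (not taken from any real binary): the Haspinst.exe
# back-door loop of Method 02, the Method 01 check and a MeltICE device name.
SAMPLE = (
    b"\xB8\x11\x09"          # mov ax, 0911h
    b"\x8B\x17"              # mov dx, [bx]
    b"\xBE\x47\x46"          # mov si, 4647h
    b"\xBF\x4D\x4A"          # mov di, 4A4Dh
    b"\xCC"                  # int 3
    b"\xBD\x4B\x48\x43\x42"  # mov ebp, 4243484Bh ('BCHK')
    b"\xB8\x04\x00\xCC"      # mov ax, 4 / int 3
    b"\\\\.\\SICE\x00"       # "\\.\SICE",0
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("found:", hit)
```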
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>