<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

" R# y$ J& }4 n/ A1 n. K+ fThis method of detection of SoftICE (as well as the following one) is
- F. q, [2 C% w0 W" gused by the majority of packers/encryptors found on Internet.
( G- [/ E: ^- ]$ k0 L( PIt seeks the signature of BoundsChecker in SoftICE
) c7 k5 P9 v% A. _8 E; o- a0 W. Y, w6 @
mov ebp, 04243484Bh ; 'BCHK', w3 D5 Q. k7 a6 A. t) l/ P
mov ax, 04h/ o8 K3 I5 V% I! ]
int 3
7 m3 b S0 i, } cmp al,4
2 }2 {* u. h4 E2 t jnz SoftICE_Detected4 w$ R/ R* Y" x
1 q- ]6 ]% m, ~6 d9 k" q
___________________________________________________________________________
" A# q' m7 u0 o, Q( DMethod 02* I; L& M: e2 I) j
=========# b% h; Y! s& L2 _! \! J
_, g6 Y- F" J+ U" `Still a method very much used (perhaps the most frequent one). It is used
( q; @; D( x3 ~8 l Sto get SoftICE 'Back Door commands' which gives infos on Breakpoints,: k R4 o1 x0 i5 j
or execute SoftICE commands...
4 @7 h- i' B5 U& ]It is also used to crash SoftICE and to force it to execute any commands# Z7 U @7 I# K1 ?
(HBOOT...) :-(( $ n6 V6 R4 e/ }; [2 t8 L6 o
( T5 Y$ F, S; a% d1 \6 u- k4 SHere is a quick description:
: i @7 d' R: b-AX = 0910h (Display string in SIce windows)
8 V L7 X2 `/ N6 l! h-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)( o( v$ S T4 j. f
-AX = 0912h (Get breakpoint infos)
. g1 H6 \; U l) x-AX = 0913h (Set Sice breakpoints)
3 M: Q0 d* h+ ^# g% J' ~% Z6 }-AX = 0914h (Remove SIce breakoints): c+ A; p2 P F% U$ q: w5 y7 L* u8 y
' x: E/ r' _9 o, X6 T7 {Each time you'll meet this trick, you'll see:
) C- O& ]8 S8 ?: [+ n/ |% d-SI = 4647h4 \; k1 z9 P4 I
-DI = 4A4Dh5 C0 i: p6 w. b4 H
Which are the 'magic values' used by SoftIce.4 i# ]5 q* C% d3 b: `: O
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.) ?" ?6 g. S1 n$ }% k( i
8 E( D z5 e! p9 f! E$ XHere is one example from the file "Haspinst.exe" which is the dongle HASP0 r, n ?, t' V9 F$ B" R7 y- r
Envelope utility use to protect DOS applications:
, t( m& y2 `; L8 i& _# R; _- J3 X+ H
8 \/ n, M' {6 Q4 A" e* _4C19:0095 MOV AX,0911 ; execute command.& ?5 H& i$ p) c; V/ N) p1 \
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).9 Q: z8 w' n/ m4 C4 d
4C19:009A MOV SI,4647 ; 1st magic value.
# S% q' S/ {8 R1 _) u4C19:009D MOV DI,4A4D ; 2nd magic value.' H: i2 z3 j& [
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
+ x+ ]2 s5 w# ?, W+ u# h4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute5 o% }: \0 k) p! g
4C19:00A4 INC CX
; w# G7 v% t. y% J4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
; m5 j( L3 B3 e, H- V2 m4C19:00A8 JB 0095 ; 6 different commands./ t' b2 e2 M3 A2 ~) I
4C19:00AA JMP 0002 ; Bad_Guy jmp back.+ p1 ^9 D9 @, c
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
( U$ S% c/ o T8 @4 n3 b$ f+ j6 I; A, a( p& x
The program will execute 6 different SIce commands located at ds:dx, which
& P- p- p- n2 h! \% ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT." ~7 V9 X/ D" g0 l- U
) y: d% j2 K7 p* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.# U6 z% y: |4 @/ o
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/AX=1684h (the Windows "Get Device API Entry Point" call); the VMM
returns ES:DI = 0000:0000 if the VxD is not loaded. ES and DI are zeroed
beforehand so that the test also holds when nothing answers the call at all.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of WinICE (SICE)
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax             ; ES+DI == 0 -> no entry point, not loaded
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE video (GFX) VxD, SIWVID.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7A5Fh          ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation check"
of the Windows debugging interface).
There are several alternatives. The following one is the simplest:

        mov  ax, 4Fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Here the int 41h vector is first
pointed at a bare IRET so that nothing in the normal interrupt chain can
answer; only a debugger that intercepts int 41h before the vector is reached
can still return 0F386h:

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; ES is assumed to be 0 here (IVT segment;
        xchg bx, es:[41h*4+2]   ; Method 06 sets it explicitly)
        mov  ax, 4Fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0F386h
        jz   SoftICE_detected


int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: it
uses no function number and no magic constant. AL is loaded with a value
that changes all the time (the PIT counter read from port 40h), CX is
cleared, and the installed handler simply copies AL into CL. If the handler
really ran, CL == AL afterwards; if something else swallowed the int 41h,
CL is still 0 (the trick only misses when AL happened to be 0). A
"BPINT 41 if ax==4f" will never see it.

int41handler PROC
        mov  cl, al
        iret
int41handler ENDP


        xor  ax, ax
        mov  es, ax             ; ES = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; random-ish byte (PIT channel 0 counter)
        xor  cx, cx
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al
        jnz  SoftICE_detected
9 U5 |1 I( Y' ]: f# W9 F_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function AH=43h
is the int 68h installation check, which a system debugger answers with
AX=0F386h.

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
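The stubs of Methods 01 to 07 are straight-line code built from fixed
constants, so the fastest way to triage a packed DOS/Win9x executable is to
look for their opcode sequences before tracing anything. The following C
scanner is an added example, not code from the original text or from any
of the programs named above; the byte encodings are the standard ones for
16-bit code (mov r16,imm16 = B8+reg imm16, int n = CD n, in al,imm8 = E4 n),
and the sample buffers are constructed here (the first one re-assembles the
Haspinst.exe loop from Method 02 followed by Method 05/06 stubs; it is not
a dump of Haspinst.exe). Method 06 has no constants at all, so it is matched
only by its "in al,40h / xor cx,cx / int 41h" shape with a wildcard for the
two encodings of xor cx,cx.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WILD 0x100                      /* pattern element that matches any byte */

typedef struct {
    const char *name;
    const int  *pat;                    /* 0x00-0xFF, or WILD */
    size_t      len;
} sig_t;

/* Opcode patterns of the stubs from Methods 01-07 (16-bit code). */
static const int P_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };       /* mov ebp,4243484Bh ('BCHK'); a 66h prefix precedes it in 16-bit code */
static const int P_MAGIC[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }; /* mov si,4647h / mov di,4A4Dh */
static const int P_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const int P_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same with bx,7A5Fh */
static const int P_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };       /* mov ax,4Fh / int 41h */
static const int P_STONE[]  = { 0xE4, 0x40, WILD, 0xC9, 0xCD, 0x41 }; /* in al,40h / xor cx,cx (31 C9 or 33 C9) / int 41h */
static const int P_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };             /* mov ah,43h / int 68h */
static const int P_F386[]   = { 0x3D, 0x86, 0xF3 };                   /* cmp ax,0F386h (3 bytes only: expect false positives) */

#define SIG(n, p) { n, p, sizeof(p) / sizeof(p[0]) }
static const sig_t sigs[] = {
    SIG("M01 BCHK/BoundsChecker int 3",   P_BCHK),
    SIG("M02 back door magic SI/DI",      P_MAGIC),
    SIG("M03 int 2Fh/1684h VxD 0202h",    P_SICE),
    SIG("M04 int 2Fh/1684h VxD 7A5Fh",    P_SIWVID),
    SIG("M05 int 41h/4Fh",                P_INT41),
    SIG("M06 Stone int 41h echo",         P_STONE),
    SIG("M07 int 68h/43h",                P_INT68),
    SIG("cmp ax,0F386h (M05/M07/M12)",    P_F386),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

static int match_at(const uint8_t *buf, size_t n, size_t off, const sig_t *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != s->pat[i]) return 0;
    return 1;
}

/* Scans buf; prints every hit and returns a bitmask with bit k set if sigs[k] occurred. */
unsigned scan_anti_softice(const uint8_t *buf, size_t n)
{
    unsigned found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, n, off, &sigs[k])) {
                printf("%04zx  %s\n", off, sigs[k].name);
                found |= 1u << k;
            }
    return found;
}

/* Constructed sample: the Method 02 loop, padding, then Method 05 and Method 06 stubs. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,               /* mov ax,0911h */
    0x8B, 0x17,                     /* mov dx,[bx] */
    0xBE, 0x47, 0x46,               /* mov si,4647h */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh */
    0xCC,                           /* int 3 */
    0x83, 0xC3, 0x02,               /* add bx,2 */
    0x41,                           /* inc cx */
    0x83, 0xF9, 0x06,               /* cmp cx,6 */
    0x72, 0xEB,                     /* jb back to mov ax,0911h */
    0x90, 0x90, 0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41,   /* mov ax,4Fh / int 41h */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h */
    0xE4, 0x40, 0x33, 0xC9, 0xCD, 0x41, /* in al,40h / xor cx,cx / int 41h */
};
/* Second constructed sample: the Method 06 stub with the 31 C9 form of xor cx,cx. */
static const uint8_t sample_xor31[] = { 0xE4, 0x40, 0x31, 0xC9, 0xCD, 0x41 };

unsigned scan_sample(void)       { return scan_anti_softice(sample, sizeof sample); }
unsigned scan_sample_xor31(void) { return scan_anti_softice(sample_xor31, sizeof sample_xor31); }

int main(void)
{
    printf("hit mask: 0x%02x\n", scan_sample());
    return 0;
}
```

A hit only tells you where to put a breakpoint; code that builds the magic
values at run time, or that splits "mov si" and "mov di" with other
instructions, slips past a byte scanner like this one, which is why the
BPX/BPINT expressions given under the later methods remain necessary.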
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (and the computer hangs...).

        mov  ah, 25h                     ; DOS: set interrupt vector
        mov  al, Int_Number              ; 01h or 03h
        mov  dx, offset New_Int_Routine  ; DS:DX = new handler (DS must hold its segment)
        int  21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
possible from ring 0 (a VxD, or a ring 3 app using the VxDCall back door).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov  edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set (the
linear addresses in DR0 to DR3), simply by reading their values. The debug
registers can only be read or written from ring 0 (a MOV from DRx faults in
ring 3). Bit 10 of DR7 is reserved and always reads as 1, hence 0x400 on a
clean system; 0x700 means the LE and GE (exact breakpoint) bits 8 and 9 are
set as well. The values can be manipulated and changed too (clearing BPMs,
for instance, by writing back a DR7 with the L0-L3/G0-G3 enable bits off).

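To make the raw DR7 values above readable, here is a decoder written as an
added example (not code from the original text): it splits DR7 into the
per-breakpoint enable, R/W and LEN fields as documented by Intel, reports
the LE/GE bits behind the 0x700 heuristic quoted above, and computes the
value you would write back to clear every hardware breakpoint while keeping
the reserved bit set. Reading DR7 itself is "mov eax, dr7" in ring 0 and is
not part of this block; the values passed in below are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout: bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3; bit 8 LE; bit 9 GE;
 * bit 10 reserved (reads 1); bit 13 GD; for breakpoint i, bits 16+4i..17+4i
 * = R/Wi (0 exec, 1 write, 2 I/O, 3 read/write), bits 18+4i..19+4i = LENi. */
typedef struct {
    int enabled;        /* Li or Gi set */
    int global;         /* Gi set */
    int rw;             /* 0 exec, 1 write, 2 I/O r/w, 3 read/write */
    int len;            /* watched length in bytes */
} hwbp_t;

typedef struct {
    hwbp_t bp[4];
    int le, ge, gd;
    int armed;          /* number of enabled breakpoints */
} dr7_info_t;

dr7_info_t dr7_decode(uint32_t dr7)
{
    static const int lens[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    dr7_info_t d = { 0 };
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        d.bp[i].enabled = l | g;
        d.bp[i].global  = g;
        d.bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        d.bp[i].len     = lens[(dr7 >> (18 + 4 * i)) & 3];
        d.armed        += d.bp[i].enabled;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The loader heuristic quoted in the text: 0x700 = LE+GE set, 0x400 = reserved bit only. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* DR7 value that clears all four breakpoints ("clearing BPMs"): drop the
 * L/G enables, LE/GE and every R/W-LEN field, keep reserved bit 10 set. */
uint32_t dr7_cleared(uint32_t dr7)
{
    return (dr7 & ~(0x000000FFu | 0x00000300u | 0xFFFF0000u)) | 0x400u;
}

void dr7_print(uint32_t dr7)
{
    static const char *rwname[4] = { "exec", "write", "io", "rw" };
    dr7_info_t d = dr7_decode(dr7);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  armed=%d  loader-like=%d\n",
           dr7, d.le, d.ge, d.gd, d.armed, dr7_looks_like_softice_loader(dr7));
    for (int i = 0; i < 4; i++)
        if (d.bp[i].enabled)
            printf("  DR%d: %s, %d byte(s)%s\n", i, rwname[d.bp[i].rw],
                   d.bp[i].len, d.bp[i].global ? " (global)" : "");
}

int main(void)
{
    dr7_print(0x00000700u);     /* program started through the SoftICE loader */
    dr7_print(0x00000400u);     /* clean system */
    dr7_print(0x000F0401u);     /* constructed: one 4-byte read/write BPM in DR0 */
    printf("cleared -> %08x\n", dr7_cleared(0x000F0401u));
    return 0;
}
```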
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver answers a device open. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There are many BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix,
 so the comparison is on the first 4 characters of the device name):

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old _lopen function
(a Win16-style compatibility export of KERNEL32) to do the same job; _lopen
returns HFILE_ERROR (-1) on failure, hence the "inc eax" test:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

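The sample above checks a single device name. As an added example (not code
from MeltICE, nmtrans.dll or the original text), here is the same check
generalised to all three driver names, with the device-open step injected
as a function pointer so the decision logic can be exercised off Windows,
and beside it the predicate that the classical "BPX CreateFileA" expression
above evaluates (4 bytes at lpFileName+4 against 'SICE'/'SIWV'/'NTIC').
The real opener using CreateFileA is only compiled on Windows; the two
"fake" openers stand in for a Win9x box running SoftICE and a clean box and
are constructed for the test.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device names probed by MeltICE-style checks: CreateFileA("\\.\NAME"). */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",      /* SoftICE for Win9x */
    "\\\\.\\SIWVID",    /* SoftICE video VxD, Win9x */
    "\\\\.\\NTICE",     /* SoftICE for WinNT */
};
#define N_DEVICES (sizeof(softice_devices) / sizeof(softice_devices[0]))

/* Opener abstraction: returns 1 if the device could be opened. */
typedef int (*open_fn)(const char *path);

/* Returns the index of the first device that opens, or -1 if none does. */
int softice_device_present(open_fn try_open)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (try_open(softice_devices[i]))
            return (int)i;
    return -1;
}

/* What "BPX CreateFileA if *(esp->4+4)=='SICE' || ... " tests: the dword
 * 4 bytes into lpFileName, i.e. the 4 characters after "\\.\". The breakpoint
 * expression itself does not check the prefix or the length; this does, to
 * avoid reading past a short string. */
int bpx_createfile_fires(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0 || strlen(lpFileName) < 8)
        return 0;
    for (size_t i = 0; i < 3; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Real opener, same call as the MeltICE sample above. */
static int open_with_createfile(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed stand-ins: a Win9x machine with SoftICE loaded, and a clean one. */
int fake_open_win9x(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}
int fake_open_clean(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    int real = softice_device_present(open_with_createfile);
    printf("this machine: %s\n", real < 0 ? "no SoftICE device" : softice_devices[real]);
#endif
    printf("fake win9x: %d, fake clean: %d\n",
           softice_device_present(fake_open_win9x), softice_device_present(fake_open_clean));
    printf("BPX fires on \\\\.\\SIWVID: %d, on C:\\x: %d\n",
           bpx_createfile_fires("\\\\.\\SIWVID"), bpx_createfile_fires("C:\\x"));
    return 0;
}
```

Note that 'SIWV' matches only the first four characters of SIWVID, which is
why the BPX needs no separate 'SIWVID' case, and that the opener abstraction
is also where a program using _lopen instead of CreateFileA would plug in.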
__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offset
0x13 is the 't' of "SoftICE" in key #2 and 0x37 the 't' of "SoftICE" in
key #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

6 ^ H, z4 D4 g__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je   not_installed          ; ZF set -> no system debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>