<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check handled by SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced by a
dummy handler (ES must point to the IVT, segment 0, as in Method 06) so that
only a debugger hooking the interrupt can return the magic value:

    xor ax, ax
    mov es, ax              ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')   ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'         ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

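As an added example (not part of the original text), here is a small static triage scanner that flags the markers from Methods 01, 02, 05 and 11 in a raw binary, so an analyst can spot these anti-debugging checks before running a sample. The byte patterns are assumed from the instruction encodings shown above, the function and names are mine, and the sample buffer is constructed for the demo.

```python
import re

# Byte patterns for the markers described above (assumed encodings, not the page's code)
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "BCHK/BoundsChecker int 3 check": rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) ... int 3
    "Back-door magic SI=4647h/DI=4A4Dh": (
        rb"(?:\xbe\x47\x46.{0,6}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,6}\xbe\x47\x46).{0,8}\xcc"
    ),
    # Method 05: mov ax,4Fh ; int 41h (16-bit encoding)
    "int 41h/4Fh debugger installation check": rb"\xb8\x4f\x00\xcd\x41",
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    "MeltICE driver-handle probe": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(blob):
    """Return {marker name: [offsets]} for every marker found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        # DOTALL so the wildcard gap bytes may be 0x0A as well
        offsets = [m.start() for m in re.finditer(pattern, blob, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: the Haspinst-style back-door loop, an int 41h probe and a
# MeltICE device name, separated by NOP padding that must not match.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h   (offset 21)
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41"    # mov ax,4Fh / int 41h   (offset 36)
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"          # the string \\.\SICE, NUL-terminated (offset 52)
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: offsets {[hex(o) for o in offsets]}")
```

Run it over a dumped or unpacked image, not a packed one: the patterns are plain byte sequences and will not see through encryption layers.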
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                                          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f         ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>