About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE's int 3 handler recognises:
with EBP = 'BCHK' and AX = 4, a loaded SoftICE services the int 3 and AL comes
back changed, whereas without it AL is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints, execute
SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI is zeroed first, and if the VxD is loaded
the call returns a non-zero entry point in ES:DI.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________  X# i& o+ {/ w) r9 X7 I

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one under Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first swaps the int 41h vector (ES is
expected to address segment 0, as Method 06 sets up explicitly) with a dummy
handler, so that when no debugger is present the interrupt simply returns and
AX is still 4Fh; the original vector is restored afterwards:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: there is
no 4Fh function code and no compare with 0F386h. The program reads the timer
port into AL, clears CX and calls int 41h; the dummy handler copies AL into CL.
If a debugger services the interrupt instead of the vector, CL is never written,
so CL != AL reveals it.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger interface):
function 43h returns 0F386h in AX when a debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
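As an added example (not part of the original text), here is a small static scanner in C that looks for the byte patterns of Methods 01 through 05 and 07 in a code buffer, the way an analyst would triage a packer for these tricks before loading it under SoftICE. The opcode encodings are my own hand-assembly of the listings above as 16-bit code; the 66h operand-size prefix that 32-bit code adds in front of these `mov` instructions precedes the opcode, so the same patterns match in either mode. The sample buffers are constructed (the Haspinst.exe bytes are re-encoded from the disassembly in Method 02, not copied from the file), and the 16-byte proximity window is an assumption.

```c
/* Added example (not from the original text): static byte-signature scan for the
 * checks of Methods 01-05 and 07. Encodings are hand-assembled 16-bit code; the
 * 66h operand-size prefix that 32-bit code adds sits in front, so they match both. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *bytes; size_t len; } Part;
typedef struct { const char *name; Part parts[3]; int nparts; size_t window; } Sig;

static const uint8_t BCHK[]   = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,04243484Bh ('BCHK') */
static const uint8_t AX_4[]   = {0xB8,0x04,0x00};           /* mov ax,4                    */
static const uint8_t INT3[]   = {0xCC};                     /* int 3                       */
static const uint8_t SI_FG[]  = {0xBE,0x47,0x46};           /* mov si,4647h ('FG')         */
static const uint8_t DI_JM[]  = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh ('JM')         */
static const uint8_t AX1684[] = {0xB8,0x84,0x16};           /* mov ax,1684h                */
static const uint8_t BX0202[] = {0xBB,0x02,0x02};           /* mov bx,0202h  (SICE)        */
static const uint8_t BX7A5F[] = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh  (SIWVID)      */
static const uint8_t INT2F[]  = {0xCD,0x2F};                /* int 2Fh                     */
static const uint8_t AX_4F[]  = {0xB8,0x4F,0x00};           /* mov ax,4Fh                  */
static const uint8_t INT41[]  = {0xCD,0x41};                /* int 41h                     */
static const uint8_t AH_43[]  = {0xB4,0x43};                /* mov ah,43h                  */
static const uint8_t INT68[]  = {0xCD,0x68};                /* int 68h                     */

#define P(a) {a, sizeof(a)}
/* All parts of a signature must fall inside one window (assumed 16 bytes), so the
 * pieces may be reordered or interleaved with other instructions, as in Haspinst. */
const Sig SIGS[] = {
    {"Method 01: BoundsChecker 'BCHK' / int 3",     {P(BCHK), P(AX_4), P(INT3)},      3, 16},
    {"Method 02: int 3 back door, SI='FG' DI='JM'", {P(SI_FG), P(DI_JM), P(INT3)},    3, 16},
    {"Method 03: int 2Fh/1684h, VxD ID 0202h",      {P(AX1684), P(BX0202), P(INT2F)}, 3, 16},
    {"Method 04: int 2Fh/1684h, VxD ID 7A5Fh",      {P(AX1684), P(BX7A5F), P(INT2F)}, 3, 16},
    {"Method 05: int 41h function 4Fh",             {P(AX_4F), P(INT41)},             2, 16},
    {"Method 07: int 68h function 43h",             {P(AH_43), P(INT68)},             2, 16},
};
const size_t NSIGS = sizeof SIGS / sizeof SIGS[0];

static int part_in_window(const uint8_t *buf, size_t n, size_t at, size_t win, const Part *p)
{
    size_t end = (at + win < n) ? at + win : n;
    for (size_t j = at; j + p->len <= end; j++)
        if (memcmp(buf + j, p->bytes, p->len) == 0)
            return 1;
    return 0;
}

/* Offset of the first window in which every part of sig occurs, or -1. */
long find_sig(const uint8_t *buf, size_t n, const Sig *sig)
{
    for (size_t i = 0; i < n; i++) {
        int all = 1;
        for (int k = 0; k < sig->nparts && all; k++)
            all = part_in_window(buf, n, i, sig->window, &sig->parts[k]);
        if (all)
            return (long)i;
    }
    return -1;
}

/* Bitmask of matching signatures: bit k set means SIGS[k] was found. */
unsigned scan_buffer(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        if (find_sig(buf, n, &SIGS[k]) >= 0)
            hits |= 1u << k;
    return hits;
}

/* Constructed sample: the Haspinst.exe loop at 4C19:0095 from Method 02, re-encoded
 * by hand from the disassembly (not bytes copied from the real file). */
const uint8_t HASPINST_LOOP[] = {
    0xB8,0x11,0x09, 0x8B,0x17,            /* mov ax,0911h / mov dx,[bx]            */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, /* mov si,4647h / mov di,4A4Dh / int 3   */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, /* add bx,2 / inc cx / cmp cx,6          */
    0x72,0xEB, 0xE9,0x55,0xFF, 0x8B,0xDC  /* jb 0095h / jmp 0002h / mov bx,sp      */
};
/* Constructed sample: the Method 03 sequence, hand-assembled. */
const uint8_t INT2F_CHECK[] = {
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x00
};
/* Constructed sample: a prologue with an int 3 but none of the magic values. */
const uint8_t BENIGN[] = { 0x55, 0x8B,0xEC, 0xCC, 0xB8,0x00,0x00, 0x5D, 0xC3 };

int main(void)
{
    const uint8_t *bufs[] = {HASPINST_LOOP, INT2F_CHECK, BENIGN};
    const size_t lens[] = {sizeof HASPINST_LOOP, sizeof INT2F_CHECK, sizeof BENIGN};
    const char *labels[] = {"haspinst loop", "int 2Fh check", "benign"};
    for (size_t s = 0; s < 3; s++) {
        unsigned hits = scan_buffer(bufs[s], lens[s]);
        printf("%s:%s\n", labels[s], hits ? "" : " no anti-SoftICE signature");
        for (size_t k = 0; k < NSIGS; k++)
            if (hits & (1u << k))
                printf("  +%ld  %s\n", find_sig(bufs[s], lens[s], &SIGS[k]), SIGS[k].name);
    }
    return 0;
}
```

The Method 06 variant is deliberately not matched: it calls int 41h without the 4Fh function code and without comparing against 0F386h, which is exactly what makes it "more difficult to detect"; a pattern on `int 41h` alone would fire on every legitimate debugger-interface call. Method 12's Win32 form could be added as a further signature keyed on `push 002A002Ah` (68 2A 00 2A 00).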
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: the program
intercepts int 01h and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

A breakpoint on the vector-set call catches it before the vectors are replaced:
    BPINT 21 if ah==25 && (al==01 || al==03)

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall backdoor).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE is
loaded (dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3). The values can
be manipulated or changed as well (clearing BPMs, for instance), which is why
your own breakpoints disappear if you trace through it.

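To make sense of the 0x700 / 0x400 values above, here is an added C example (not from the original text) that decodes a DR7 value using the Intel SDM layout: bit 10 is reserved and always reads as 1 (hence 0x400 on an idle machine), bits 8 and 9 are the LE/GE exact-breakpoint flags that the SoftICE loader leaves set (hence 0x700), and bits 0-7 and 16-31 say which of DR0-DR3 are armed and as what. Reading DR7 itself needs ring0; the values fed in below are constructed, and the helper names are my own.

```c
/* DR7 decoder: added example, not code from the original document.
 * Bit layout per the Intel SDM chapter on debug registers. */
#include <stdint.h>
#include <stdio.h>

#define DR7_RESERVED_ONE 0x400u  /* bit 10: reserved, always reads as 1 */
#define DR7_LE           0x100u  /* bit 8: local exact breakpoint       */
#define DR7_GE           0x200u  /* bit 9: global exact breakpoint      */

typedef struct {
    int enabled;        /* L(n) or G(n) set */
    const char *kind;   /* "exec", "write", "io", "rw" */
    int len;            /* 1, 2, 4 or 8 bytes (8 only valid on 64-bit CPUs) */
} Dr7Slot;

/* Decodes the enable and R/W, LEN fields for breakpoint n (0..3). */
Dr7Slot dr7_slot(uint32_t dr7, int n)
{
    static const char *kinds[4] = {"exec", "write", "io", "rw"};
    static const int lens[4] = {1, 2, 8, 4};
    Dr7Slot s;
    s.enabled = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;   /* L(n)=bit 2n, G(n)=bit 2n+1 */
    s.kind = kinds[(dr7 >> (16 + 4 * n)) & 3u];     /* R/W(n): bits 16+4n..17+4n */
    s.len = lens[(dr7 >> (18 + 4 * n)) & 3u];       /* LEN(n): bits 18+4n..19+4n */
    return s;
}

/* Mask of armed breakpoints: bit n set if DR(n) is enabled (a BPM is set). */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int n = 0; n < 4; n++)
        if (dr7_slot(dr7, n).enabled)
            m |= 1u << n;
    return m;
}

/* The page's heuristic: 0x700 and 0x400 differ only in LE|GE. */
int dr7_exact_mode(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* What a protector writes back to wipe BPMs: enables and R/W,LEN cleared,
 * reserved and exact bits left alone. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & (DR7_RESERVED_ONE | DR7_LE | DR7_GE);
}

static void describe(const char *label, uint32_t dr7)
{
    printf("%s: DR7=0x%08x exact=%d armed=0x%x\n",
           label, dr7, dr7_exact_mode(dr7), dr7_armed_mask(dr7));
    for (int n = 0; n < 4; n++) {
        Dr7Slot s = dr7_slot(dr7, n);
        if (s.enabled)
            printf("  DR%d: %s, %d byte(s)\n", n, s.kind, s.len);
    }
}

int main(void)
{
    /* Constructed values: idle machine, SoftICE loader, and a loader session
     * with a 4-byte read/write BPM in DR0 (L0=1, R/W0=11b, LEN0=11b). */
    uint32_t idle = 0x400, loader = 0x700;
    uint32_t with_bpm = loader | 1u | (3u << 16) | (3u << 18);
    describe("idle", idle);
    describe("loader", loader);
    describe("loader+BPM", with_bpm);
    printf("after clear: 0x%08x\n", dr7_clear_breakpoints(with_bpm));
    return 0;
}
```

The armed mask is the part worth watching from the defender's side: a protector that only compares DR7 against 0x400 can be fooled by a loader that does not set LE/GE, but one that inspects the enable bits sees every BPM you have set, which is why the warning above tells you to clear them first.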
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
That path is not used to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in the
subkey strings of #2 and #1 respectively, esp->8 being lpSubKey):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

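The conditional breakpoints of Methods 11 and 13 hinge on offsets into the argument strings: `esp->4+4` skips the `\\.\` device prefix of CreateFileA's lpFileName, and `esp->8+0x13` / `esp->8+0x37` land on "tICE" inside the lpSubKey strings of registry keys #2 and #1. This added C example (not from the original text) derives those offsets from the strings themselves and evaluates the same 4-byte comparisons, so the conditions can be recomputed for other driver or key names. The helper names and the sample paths are my own.

```c
/* Added example: reproduces the 4-byte comparisons behind the SoftICE
 * conditional breakpoints of Methods 11 and 13. Not original code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Equivalent of SoftICE's *(ptr+off)=='XXXX': compare the 4 bytes at off. */
int dword_is(const char *s, size_t off, const char tag[4])
{
    size_t n = strlen(s);
    if (off + 4 > n)
        return 0;                       /* past the end of the string: never matches */
    return memcmp(s + off, tag, 4) == 0;
}

/* Offset of the first occurrence of a 4-byte tag in s, or -1. */
long tag_offset(const char *s, const char tag[4])
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'.
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix. Returns the matching
 * driver tag or NULL; a path without the device prefix is rejected. */
const char *softice_device_match(const char *lpFileName)
{
    static const char *tags[] = {"SICE", "SIWV", "NTIC"};
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t k = 0; k < 3; k++)
        if (dword_is(lpFileName, 4, tags[k]))
            return tags[k];
    return NULL;
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'.
 * esp->8 is lpSubKey (hKey sits at esp->4). */
int regopenkey_condition(const char *lpSubKey)
{
    return dword_is(lpSubKey, 0x13, "tICE") || dword_is(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    const char *key1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
    const char *key2 = "Software\\NuMega\\SoftICE";
    const char *key3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";
    /* Constructed sample paths: the three SoftICE devices, an unrelated device,
     * and a plain file whose name happens to contain SICE. */
    const char *paths[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\PhysicalDrive0", "C:\\SICE"};

    printf("'tICE' at +0x%lx in key #1, +0x%lx in key #2\n",
           (unsigned long)tag_offset(key1, "tICE"), (unsigned long)tag_offset(key2, "tICE"));
    printf("condition: key #1 -> %d, key #2 -> %d, key #3 -> %d\n",
           regopenkey_condition(key1), regopenkey_condition(key2), regopenkey_condition(key3));
    for (size_t i = 0; i < 5; i++) {
        const char *m = softice_device_match(paths[i]);
        printf("%-22s -> %s\n", paths[i], m ? m : "no match");
    }
    return 0;
}
```

Two things fall out of running it: key #3 (the Loader32.Exe App Path) is not covered by the breakpoint's two offsets, and a CreateFileA on a plain file containing "SICE" elsewhere in its name does not trip the Method 11 condition, because the compare is anchored at +4, right after the device prefix.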
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>