<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE's BoundsChecker interface alters AL;
                                ; an unhandled int 3 leaves it untouched
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SIce window)
  -AX = 0911h (Execute a SIce command - the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; assumes ES = 0 (the interrupt vector table),
        lea dx, int41handler2   ; as set explicitly in Method 06
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT counter
        xor cx, cx
        int 41h                 ; our handler copies AL into CL...
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; ...unless a debugger swallowed the int 41h
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

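As an added example that is not part of the original text, here is a small Python scanner an analyst could run over a sample to flag the instruction sequences quoted in Methods 01 to 07 and 12 and the driver names from Method 11. The byte patterns are the standard x86 encodings of those instructions; the signature names and the sample buffer are constructed for this example.

```python
import re

# Each signature: (name, regex over raw bytes). Patterns are the x86 encodings
# of the instruction sequences quoted in the text; the 66h operand-size prefix
# that 32-bit code adds before a 16-bit register move is made optional.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') before the int 3
    ("int 3 / 'BCHK' BoundsChecker check", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si, 4647h ; mov di, 4A4Dh (the back door 'magic values')
    ("int 3 back door magic SI/DI", rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax, 1684h ; mov bx, 0202h or 7A5Fh ; int 2Fh
    ("int 2Fh/1684h VxD entry point",
     rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax, 4Fh ; int 41h
    ("int 41h/4Fh debugger check", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah, 43h ; int 68h
    ("int 68h/43h WinICE check", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; VxDCall
    ("VxDCall Int41Dispatch check",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11 (MeltICE): ANSI device names passed to CreateFileA / _lopen
    ("MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
]

COMPILED = [(name, re.compile(pattern)) for name, pattern in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, regex in COMPILED:
        for match in regex.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not a real file): NOP filler around three sequences
# taken from the text: the Haspinst.exe back door call, the int 41h/4Fh
# check and the '\\.\SICE' device name used by MeltICE.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"                   # mov ax, 0911h (execute command)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov si, 4647h ; mov di, 4A4Dh ; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"           # mov ax, 4Fh ; int 41h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                # '\\.\SICE', 0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the bytes are present; packers often build these sequences at run time or keep the device names in Unicode, so treat the scanner as a triage aid, not proof.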
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>