<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: int 3 is called
with EBP holding the signature 'BCHK' and AX=04h. A loaded SoftICE answers
by changing AL; without SoftICE nobody answers and AL is still 4.

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4                ; still 4: nobody answered the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h  (Display a string in the SoftICE window)
        -AX = 0911h  (Execute a SoftICE command; the command string is at ds:dx)
        -AX = 0912h  (Get breakpoint infos)
        -AX = 0913h  (Set SoftICE breakpoints)
        -AX = 0914h  (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h  ('FG')
        -DI = 4A4Dh  ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). The call returns ES:DI = 0000:0000
when no VxD with that ID answers, so a non-zero ES:DI means SoftICE is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of WINICE
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh            ; VxD ID of SIWVID
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (Debugger Installation Check).
There are several alternatives. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs its own int 41h handler
in the interrupt vector table for the duration of the call, so the program
does not crash when nothing useful sits on int 41h; a debugger that traps
int 41h below the IVT, as SoftICE does, still sees the call and answers with
0F386h:

        xor ax,ax
        mov es,ax                ; es = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; swap in our handler (offset) ...
        xchg bx, es:[41h*4+2]    ; ... and segment; old vector is now in bx:dx
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (the
tell-tale function number 4Fh is never loaded into ax). The handler below
copies al into cl, so cl == al afterwards only if our handler was really
reached. If a debugger traps int 41h first, cl stays 0 while al holds the
timer byte read from port 40h (a false negative is possible in the rare case
where that byte reads as 0):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; es = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h               ; PIT counter: a pseudo-random byte
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86). Function 43h of
int 68h is the debugger installation check; a system debugger answers with
the same magic number 0F386h as on int 41h.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX Exec_Int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
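The checks of Methods 01 to 07 all boil down to a handful of fixed instruction
encodings, which makes them easy to find in a packed binary before you ever
run it. The scanner below is an added example (not code from the original
page): it searches a raw code image for the 16-bit x86 encodings of the
sequences quoted above (Method 01 is also matched in its 32-bit form) and
reports the offset and the method. The sample image is constructed here from
three of the listings above; the byte windows between the pieces (GAP) are an
assumption, not something the page specifies.

```python
"""Byte-signature scanner for the int 3 / int 2Fh / int 41h / int 68h checks
of Methods 01 to 07.  Added example, not code from the original page."""
import re
import sys
from typing import List, Tuple

GAP = rb".{0,12}?"        # a few unrelated bytes may sit between the pieces
INT3 = rb"\xCC"

# Encodings are for 16-bit code.  Method 01 is also matched in its 32-bit
# form (mov ebp,imm32 has no 66h prefix there, mov ax,imm16 gains one).
SIGNATURES = {
    "01 BoundsChecker int 3 (EBP='BCHK', AX=4)":
        rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\x66?\xB8\x04\x00" + GAP + INT3,
    "02 back door int 3 (SI=4647h, DI=4A4Dh)":
        rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + GAP
        + rb"\xBE\x47\x46)" + GAP + INT3,
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F",
    "05 int 41h/4Fh":
        rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    "06 in al,40h / xor cx,cx / int 41h":
        rb"\xE4\x40" + GAP + rb"[\x31\x33]\xC9" + GAP + rb"\xCD\x41",
    "07 int 68h/43h":
        rb"\xB4\x43" + GAP + rb"\xCD\x68",
    "cmp ax,0F386h (magic number test)":
        rb"\x3D\x86\xF3",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(code))
    return sorted(hits)


# Constructed sample image: three of the sequences quoted above, padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 05")   # Method 01
    + b"\x90" * 4
    + bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC")         # Method 02 (HASP loop)
    + b"\x90" * 4
    + bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 05")                # Method 05
    + b"\x90" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08X}  {name}")
```

Run it on a DOS .COM/.EXE or on the unpacked code section of a Win9x
executable; a hit only says the instruction pattern is present, so confirm
it in a disassembler before treating it as an anti-debug check.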
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                      ; DOS: set interrupt vector
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        BPX Get_DDB if ax==0202 || ax==7A5F

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
if SoftICE is loaded (dr7 = 0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or if there are some memory breakpoints set (dr0 to
dr3), simply by reading their value (ring 0 only, since mov eax,drN is a
privileged instruction). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).
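What those two DR7 values mean, and what a set BPM looks like in DR7, is easier
to see with a decoder than from the raw numbers. The following is an added
example (not code from the original page): it splits a DR7 value into its
control bits and the four breakpoint slots, lists the enabled hardware
breakpoints with their DR0-DR3 addresses, and applies the page's 0x700/0x400
heuristic. Reading DR7 itself takes ring 0, so the value is passed in; the
sample values are constructed here.

```python
"""Decoder for the x86 debug control register DR7, an added example for
Method 10 (not code from the original page).  0x400 is just the reserved
bit 10 (always 1); 0x700 adds LE (bit 8) and GE (bit 9), the 'exact
breakpoint' bits a debugger loader switches on.  Neither enables DR0-DR3."""
from typing import Dict, List, Sequence

RW_KIND = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b means 8 bytes where supported


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its global control bits and the four breakpoint slots."""
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)          # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)       # Gn: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3              # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * i)) & 3              # LENn: watched size
        slots.append({"index": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),                 # local exact breakpoint
        "GE": bool((dr7 >> 9) & 1),                 # global exact breakpoint
        "reserved_bit10": bool((dr7 >> 10) & 1),    # always reads as 1
        "GD": bool((dr7 >> 13) & 1),                # general detect: traps DRn access
        "breakpoints": slots,
    }


def active_bpms(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[str]:
    """Describe every enabled hardware breakpoint, given DR7 and DR0-DR3."""
    out = []
    for bp in decode_dr7(dr7)["breakpoints"]:
        if bp["enabled"]:
            scope = "global" if bp["global"] else "local"
            out.append(f"DR{bp['index']}: {scope} {bp['kind']} len={bp['len']} "
                       f"at {dr0_3[bp['index']]:#010x}")
    return out


def loader_signature(dr7: int) -> str:
    """The page's heuristic: LE and GE set (0x700) means the program was
    started by the SoftICE loader; only the reserved bit (0x400) otherwise."""
    d = decode_dr7(dr7)
    if d["LE"] and d["GE"]:
        return "LE+GE set: started under a debugger loader"
    return "LE/GE clear: no loader signature"


if __name__ == "__main__":
    # Constructed values: bare 0x400, loader 0x700, then 0x700 plus one BPM
    # each (a local 1-byte write watch, like 'BPM 401000 W', and a global
    # 4-byte read/write watch in slot 1).
    for value, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
                        (0x10701, (0x401000, 0, 0, 0)),
                        (0xF00708, (0, 0x402000, 0, 0))):
        print(f"DR7={value:#x}: {loader_signature(value)}")
        for line in active_bpms(value, regs):
            print("   ", line)
```

A program that wants to undo the BPMs rather than just detect them clears the
Ln/Gn bits (the low byte of DR7) and the DR0-DR3 addresses; that is the
"manipulated and/or changed" case the text mentions, and also ring 0 only.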

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()                /* Win32 API: needs windows.h */
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);             /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025           ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001           ; INVALID_HANDLE_VALUE
00401074:  je   00401091           ; not opened: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

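The C sample above only probes 'SICE'; the complete MeltICE check tries all
three names the text lists. The version below is an added example (not the
page's, MeltICE's or NuMega's code) that does exactly that and nothing more:
on Windows it opens each device name through CreateFileW via ctypes (Python
only runs on the NT family, where the Unicode API exists; on Win9x itself only
the ANSI call works, which is why MeltICE uses CreateFileA), and anywhere
else, or under test, an opener function is injected so the probe logic can be
exercised. The device names are the ones given on the page; nothing else is
assumed.

```python
"""The MeltICE check for all three device names listed above, as an added
example (not the page's, MeltICE's or NuMega's code)."""
import ctypes
import sys
from typing import Callable, Dict, Optional

DEVICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")  # Win9x, Win9x video, WinNT

# Win32 constants: the same arguments MeltICE passes to CreateFileA.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 3, 0x80
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def win32_can_open(device: str) -> bool:
    """Real opener: the handle is valid only if the driver accepted DIOC_OPEN."""
    k32 = ctypes.windll.kernel32                    # attribute exists on Windows only
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    handle = k32.CreateFileW(device, GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(ctypes.c_void_p(handle))
    return True


def probe_softice(opener: Optional[Callable[[str], bool]] = None) -> Dict[str, bool]:
    """Try every device name; True means that driver accepted the open."""
    if opener is None:
        if sys.platform != "win32":
            raise RuntimeError("device-name probe needs Windows; pass an opener")
        opener = win32_can_open
    return {name: opener(name) for name in DEVICE_NAMES}


def softice_detected(opener: Optional[Callable[[str], bool]] = None) -> bool:
    """MeltICE verdict: any one of the three names opening is enough."""
    return any(probe_softice(opener).values())


if __name__ == "__main__":
    for name, hit in probe_softice().items():
        print(f"{name:12} {'opened: SoftICE detected' if hit else 'not present'}")
```

On the SoftICE side this variant is caught by the same breakpoints as the
ANSI one only if you also break on CreateFileW (CreateFileA forwards to the
W function on NT, not the other way round), so add
BPX CreateFileW alongside the classical BPX CreateFileA.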
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp ax, 0F386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4F

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4F && edx->10==002A002A

        BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4F  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey string; offsets 0x13
and 0x37 are where 'tICE' falls in keys #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed         ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>