About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker interface call
    cmp     al,4                   ; AL is still 4 if nothing intercepted the int 3
    jnz     SoftICE_Detected

) r4 a! X! `" z( e# U___________________________________________________________________________& Q! z* |4 B- G+ s! Z

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX alone, so 0F386h
    jz      SoftICE_detected        ; means something else answered the int

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler records the AL it received
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler did not see the original AL
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
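To make the DR7 values quoted above concrete, here is an added example (mine, not part of the original text) that decodes a DR7 image the way such a ring-0 check would: it reports which of DR0-DR3 are armed, their type and length, and whether the LE/GE "exact breakpoint" bits that make up 0x700 are set. The register values are constructed inputs; reading the real DR7 needs ring 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 bit layout (Intel SDM vol. 3): bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3,
 * bit 8 = LE, bit 9 = GE, bit 10 always reads as 1, bits 16-31 = R/Wn
 * (2 bits) and LENn (2 bits) for each of DR0-DR3. */
#define DR7_LE    (1u << 8)
#define DR7_GE    (1u << 9)
#define DR7_BIT10 (1u << 10)

typedef struct {
    int enabled[4];   /* Ln or Gn set: DRn is armed (a BPM in SoftICE terms) */
    int rw[4];        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];       /* watched size in bytes */
    int exact;        /* LE or GE set: the 0x300 part of 0x700 */
    int armed_count;  /* how many of DR0-DR3 are armed */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_table[4] = {1, 2, 8, 4};  /* LEN encodings 00,01,10,11 */
    dr7_info info;
    memset(&info, 0, sizeof info);
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n)) & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        info.enabled[n] = local | global;
        info.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        info.len[n] = len_table[(dr7 >> (18 + 4 * n)) & 3];
        info.armed_count += info.enabled[n];
    }
    info.exact = (dr7 & (DR7_LE | DR7_GE)) != 0;
    return info;
}

/* The page's heuristic: 0x700 = bit10|GE|LE is what the SoftICE loader leaves
 * behind, 0x400 = only the always-set bit 10. Any armed DRn is a memory bp. */
int dr7_suggests_softice(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    return (dr7 & 0x700) == 0x700 || info.armed_count > 0;
}

int main(void)
{
    /* constructed sample values, not read from a real CPU */
    uint32_t samples[] = {0x400, 0x700, 0x000F0401};  /* last one: DR0 r/w, 4 bytes */
    for (size_t i = 0; i < 3; i++) {
        dr7_info info = decode_dr7(samples[i]);
        printf("dr7=%#x exact=%d armed=%d suspicious=%d\n", (unsigned)samples[i],
               info.exact, info.armed_count, dr7_suggests_softice(samples[i]));
        for (int n = 0; n < 4; n++)
            if (info.enabled[n])
                printf("  DR%d rw=%d len=%d\n", n, info.rw[n], info.len[n]);
    }
    return 0;
}
```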

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the driver only exists as a device name while SoftICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
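This BPX condition and the CreateFileA one from Method 11 both compare a 4-byte window at a fixed offset into an API argument. Here is an added example (mine, not from the original text) that models that comparison in C, so you can check which argument strings would trigger each breakpoint and see where the offsets 4, 0x13 and 0x37 come from; it assumes SoftICE's 'SICE'-style constants behave as a plain in-order 4-byte match against memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of SoftICE's  *(ptr+off)=='ABCD'  test: compare the 4 bytes at
 * ptr+off with the 4-char constant. A window running past the end of the
 * string is treated as no match (assumption: the real read would see
 * whatever follows the buffer, which we do not model). */
int tag_matches(const char *arg, size_t off, const char tag[4])
{
    if (off + 4 > strlen(arg))
        return 0;
    return memcmp(arg + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. */
int createfile_bp_fires(const char *lpFileName)
{
    return tag_matches(lpFileName, 4, "SICE") ||
           tag_matches(lpFileName, 4, "SIWV") ||
           tag_matches(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 and 0x37 are where "tICE" sits inside
 * keys #2 and #1 of Method 13. */
int regopenkey_bp_fires(const char *lpSubKey)
{
    return tag_matches(lpSubKey, 0x13, "tICE") ||
           tag_matches(lpSubKey, 0x37, "tICE");
}

/* First offset of a tag in a string, or -1: this is how such offsets are derived. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* constructed sample arguments */
    const char *files[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\readme.txt"};
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"};
    for (int i = 0; i < 4; i++)
        printf("CreateFileA(\"%s\") fires=%d\n", files[i], createfile_bp_fires(files[i]));
    for (int i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\") fires=%d 'tICE' at %ld\n", keys[i],
               regopenkey_bp_fires(keys[i]), tag_offset(keys[i], "tICE"));
    return 0;
}
```

Key #3 never fires the _regopenkey breakpoint, which is why the text says the condition covers the keys programs usually use rather than all three.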

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>