<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP set to 'BCHK'
and AX=4, an INT 3 under SoftICE comes back with AL changed, so AL still
equal to 4 means no SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first, so it only ends up
non-zero if a VxD with that ID answered the call.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps a dummy handler (a bare
iret) into the int 41h vector for the duration of the call and restores the
original vector afterwards:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
replacement handler copies AL into CL; AL is loaded from the timer port and
CX is cleared before the int 41h, so CL still differing from AL afterwards
means the replacement handler never ran and something else answered int 41h:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

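Why 0x700 versus 0x400: DR7 bit 10 is a reserved bit that always reads as 1
(hence 0x400 on a clean machine), and bits 8 and 9 are the LE/GE "exact
breakpoint" enables, which per the figures above are set when SoftICE is
loaded through its loader. The decoder below is an added example written for
this page, not code from the original text or from SoftICE; the field layout
is the documented x86 DR7 layout, and the register values it is run on are
constructed.

```python
# Added example (not from the original text): decode the x86 DR7 debug control
# register so the two values quoted above, dr7 = 0x700 (SoftICE loader) and
# dr7 = 0x400 (no SoftICE), can be read field by field. Layout per the Intel
# SDM: L0/G0 .. L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved
# and always set, GD in bit 13, R/Wn in bits 16+4n, LENn in bits 18+4n.

BP_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
BP_LENS = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN encoding; 8 bytes is 64-bit only

def bit(value, n):
    """Return bit n of value as 0 or 1."""
    return (value >> n) % 2

def decode_dr7(dr7):
    """Describe the hardware breakpoints and control bits DR7 enables."""
    slots = []
    for n in range(4):
        local = bit(dr7, 2 * n)
        glob = bit(dr7, 2 * n + 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) % 4
            ln = (dr7 >> (18 + 4 * n)) % 4
            slots.append({"slot": n, "kind": BP_KINDS[rw],
                          "length": BP_LENS[ln], "global": bool(glob)})
    return {
        "breakpoints": slots,
        "exact_local": bool(bit(dr7, 8)),      # LE
        "exact_global": bool(bit(dr7, 9)),     # GE
        "general_detect": bool(bit(dr7, 13)),  # GD: fault on any MOV to/from DRn
    }

def debugger_indicators(dr7, dr0_3):
    """The page's heuristic as a list of reasons: LE/GE set, addresses in
    DR0-DR3, or breakpoint slots enabled. An empty list means nothing seen."""
    info = decode_dr7(dr7)
    reasons = []
    if info["exact_local"] or info["exact_global"]:
        reasons.append("LE/GE exact-breakpoint bits set (the 0x700 case)")
    if any(dr0_3):
        reasons.append("non-zero linear address in DR0-DR3")
    if info["breakpoints"]:
        reasons.append("%d hardware breakpoint slot(s) enabled"
                       % len(info["breakpoints"]))
    return reasons

if __name__ == "__main__":
    # Constructed values: the two quoted by the text plus one global 4-byte
    # write breakpoint in slot 0 (G0 + R/W0=01 + LEN0=11 on top of bit 10).
    for dr7, regs in ((0x400, [0, 0, 0, 0]), (0x700, [0, 0, 0, 0]),
                      (0xD0402, [0x401000, 0, 0, 0])):
        print(hex(dr7), decode_dr7(dr7), debugger_indicators(dr7, regs))
```

The third constructed value shows what a BPM leaves behind even when LE/GE
are clear: a non-zero DR0 and an enabled slot, which is exactly what a
protector reading the registers in ring0 would look at.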
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE-style check: the device open only succeeds when the SoftICE VxD
   is loaded and answers the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025           ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001            ; INVALID_HANDLE_VALUE
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
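The stubs of Methods 01, 02, 03, 04, 05 and 11 all leave fixed byte sequences
in the protected file (the BCHK immediate, the 4647h/4A4Dh magic values, the
1684h/0202h pair, the 0F386h compare, the \\.\SICE device name), so an
analyst can flag them statically before ever loading the sample in a
debugger. The scanner below is an added example for this page and is not code
from the original text or from any of the programs it names; the opcode
encodings were hand-assembled from the listings above, the sample blob is
constructed from those same listings, and the label strings are mine.

```python
import re

# Added example (not from the original text): a static triage scanner that
# flags the byte sequences the anti-SoftICE stubs from Methods 01-05 and 11
# leave in a binary. Encodings were hand-assembled from the listings; in
# 32-bit code a 66h operand-size prefix precedes "mov ax,..." and
# "cmp ax,...", so patterns start at the opcode byte to match both code models.
SIGNATURES = {
    "M01 BoundsChecker magic: mov ebp,4243484Bh ('BCHK')":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 back-door magic: mov si,4647h / mov di,4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A",
    "M02 back-door function: mov ax,09[10-14]h ... int 3":
        rb"\xB8[\x10-\x14]\x09.{0,16}?\xCC",
    "M03 int 2Fh/1684h with SICE VxD id 0202h":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h with SIWVID VxD id 7A5Fh":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h function 4Fh: mov ax,4Fh / int 41h":
        rb"\xB8\x4F\x00\xCD\x41",
    "M05/07/12 debugger magic compare: cmp ax,0F386h":
        rb"\x3D\x86\xF3",
    "M11 MeltICE device name string":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
}

def scan(blob):
    """Return sorted [(offset, description)] for every signature hit in blob."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)

# Constructed sample blob: the listings from the text, hand-assembled and
# glued together (a real sample would be a PE/MZ file read with open(p, "rb")).
SAMPLE_M01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7500")
SAMPLE_M02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC"
                           "83C302" "41" "83F906" "72EB")
SAMPLE_M03 = bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F"
                           "8CC0" "01F8" "85C0" "7500")
SAMPLE_M05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7400")
SAMPLE_M11 = b"\\\\.\\SICE\x00"
SAMPLE = SAMPLE_M01 + SAMPLE_M02 + SAMPLE_M03 + SAMPLE_M05 + SAMPLE_M11

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print("%06X  %s" % (offset, desc))
```

The int 3 pattern is deliberately loose (any 09xxh function followed by an
int 3 within 16 bytes) because the register setup between the two varies from
packer to packer; the two magic-value moves are the tighter signature and the
scanner reports both hits separately so a partial match is still visible.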

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>