About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler ...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                 ; ... so without a debugger AX comes back unchanged
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; echo AL into CL so the caller can see we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer: an unpredictable value in AL
    xor     cx,cx
    int     41h             ; reaches our handler unless a debugger intercepts it
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL still 0 -> the int never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
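The checks above share a handful of fixed immediates and strings (the 'BCHK' constant, the 4647h/4A4Dh magic pair, 1684h with the SICE/SIWVID VxD IDs, function 4Fh of int 41h, the \\.\SICE device names, the NuMega registry key), so an analyst triaging a packed sample can turn them into byte signatures and see which of the numbered methods a binary carries. The scanner below is an added example, not code from the original text; the signatures and the sample byte blobs are constructed here from the listings above, and the lookahead windows between instruction pieces are my own choice.

```python
import re

# Byte signatures for the anti-SoftICE checks described above.  Immediates are
# little-endian as the assembler emits them; ".{0,N}" (DOTALL) tolerates a few
# unrelated bytes between the pieces.  Constructed from the listings in this
# text, not taken from any real scanner or sample.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01", rb"\xBD\x4B\x48\x43\x42.{0,8}\xB8\x04\x00.{0,4}\xCC"),
    # 02: mov si,4647h / mov di,4A4Dh (either order) followed by int 3
    ("02", rb"(?:\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46).{0,8}\xCC"),
    # 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    ("03/04", rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    # 05/06: mov ax,4Fh ; int 41h (the cmp ax,0F386h usually follows)
    ("05/06", rb"\xB8\x4F\x00.{0,24}\xCD\x41"),
    # 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07", rb"\xB4\x43.{0,4}\xCD\x68.{0,4}\x3D\x86\xF3"),
    # 11: the \\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)
    ("11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12", rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}\x68\x2A\x00\x2A\x00"),
    # 13: the NuMega registry key, ASCII case-insensitive
    ("13", rb"(?i)Software\\NuMega\\SoftICE"),
]
COMPILED = [(method, re.compile(pat, re.DOTALL)) for method, pat in SIGNATURES]


def scan_for_softice_checks(data: bytes) -> list:
    """Return the method numbers (as numbered above) whose signature occurs in data."""
    return [method for method, rx in COMPILED if rx.search(data)]


# Constructed sample 1: the Haspinst.exe-style loop of Method 02, hand-assembled
# as 16-bit code (not bytes copied from any real file).
SAMPLE_BACKDOOR_LOOP = bytes.fromhex(
    "B81109"   # mov ax,0911h   ; execute SoftICE command
    "8B17"     # mov dx,[bx]    ; ds:dx -> command string
    "BE4746"   # mov si,4647h   ; 1st magic value
    "BF4D4A"   # mov di,4A4Dh   ; 2nd magic value
    "CC"       # int 3
    "83C302"   # add bx,2
    "41"       # inc cx
    "83F906"   # cmp cx,6
    "72EC"     # jb loop
)

# Constructed sample 2: Method 03 (int 2Fh/1684h, SICE VxD ID) followed by a
# MeltICE-style device name as used by Method 11.
SAMPLE_VXD_AND_MELTICE = bytes.fromhex(
    "31FF"     # xor di,di
    "8EC7"     # mov es,di
    "B88416"   # mov ax,1684h
    "BB0202"   # mov bx,0202h   ; VxD ID of SICE
    "CD2F"     # int 2Fh
    "8CC0"     # mov ax,es
    "01F8"     # add ax,di
    "85C0"     # test ax,ax
    "7510"     # jnz SoftICE_Detected
) + b"\0\\\\.\\SICE\0"

# Constructed sample 3: a plain DOS exit, nothing to flag.
SAMPLE_CLEAN = bytes.fromhex("B8004C" "CD21")   # mov ax,4C00h ; int 21h
```

Run `scan_for_softice_checks()` over a whole file image or a dumped code section; a hit only says the fixed bytes of that method are present, so confirm it in a disassembler before treating the sample as debugger-aware.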