<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911        ; execute command.
    4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647        ; 1st magic value.
    4C19:009D MOV DI,4A4D        ; 2nd magic value.
    4C19:00A0 INT 3              ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
    4C19:00A8 JB 0095            ; 6 different commands.
    4C19:00AA JMP 0002           ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise) or whether
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06), but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
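As an added example, not part of the original text, here is a small static triage scanner (Python) for the idioms described in Methods 01 to 12 above: it runs byte signatures for the constants these tricks depend on (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the 1684h/int 2Fh and 4Fh/int 41h sequences, the 0F386h compare and the MeltICE device names) over a raw code/data blob and reports each hit, which is how an analyst would spot such checks before stepping into them. The sample bytes are hand-assembled for this example; the x86 encodings assumed are the usual ones (BD/BE/BF/B8/B4/BB imm, 3D imm16, CD imm8, CC).

```python
"""Static triage scanner for the SoftICE-detection idioms listed on this page.

Added example (not from the original text). SAMPLE below is hand-assembled to
exercise every rule; none of it comes from a real binary.
"""
import re

# Signatures over raw x86 bytes (re.S lets '.' span 0x0A). Labels cite the method numbers above.
RX_INT2F = re.compile(rb"\xb8\x84\x16.{0,8}?\xcd\x2f", re.S)   # mov ax,1684h ... int 2Fh
SIGNATURES = {
    "M01 'BCHK' BoundsChecker check (mov ebp,4243484Bh ... int 3)":
        re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.S),
    "M02 back door magic (mov si,4647h ... mov di,4A4Dh)":
        re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a", re.S),
    "M03/M04 int 2Fh/1684h VxD entry-point query": RX_INT2F,
    "M05 int 41h/4Fh debugger check (mov ax,4Fh / int 41h)":
        re.compile(rb"\xb8\x4f\x00\xcd\x41"),
    "M07 int 68h/43h check (mov ah,43h / int 68h)":
        re.compile(rb"\xb4\x43\xcd\x68"),
    "M05-M12 debugger magic number (cmp ax,0F386h)":
        re.compile(rb"\x3d\x86\xf3"),
    "M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
}
VXD_IDS = {0x0202: "SICE (winice)", 0x7A5F: "SIWVID"}   # IDs named in Methods 03/04/09

def scan(blob: bytes):
    """Return (offset, label) pairs, sorted by offset, for every signature hit in blob."""
    hits = [(m.start(), label) for label, rx in SIGNATURES.items() for m in rx.finditer(blob)]
    return sorted(hits)

def vxd_ids_queried(blob: bytes):
    """For each int 2Fh/1684h hit, decode the VxD ID loaded into BX (mov bx,imm16 = BB iw)."""
    found = []
    for m in RX_INT2F.finditer(blob):
        bx = re.search(rb"\xbb(..)", m.group(0), re.S)
        if bx:
            vid = int.from_bytes(bx.group(1), "little")
            found.append((vid, VXD_IDS.get(vid, "unknown VxD")))
    return found

# Constructed sample: hand-assembled fragments of Methods 01-07 and 11, padded with NOPs.
SAMPLE = (
    b"\x90\x90"
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # M01 + cmp al,4 / jnz
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"               # M02 (AX=0911h)
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"       # M03 (VxD ID 0202h)
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"                       # M04 (VxD ID 7A5Fh)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"               # M05 + cmp ax,0F386h / jz
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3"                           # M07 + cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                          # M11 device names
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
    print("VxD IDs queried:", vxd_ids_queried(SAMPLE))
```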
</PRE></TD></TR></TBODY></TABLE>