<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4 on entry, SoftICE's int 3 handler services the request and returns
with AL changed, so an AL still equal to 4 afterwards means no SoftICE.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; unchanged -> nobody answered the call
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911       ; execute command.
4C19:0098  MOV  DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647       ; 1st magic value.
4C19:009D  MOV  DI,4A4D       ; 2nd magic value.
4C19:00A0  INT  3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06         ; Repeat 6 times to execute
4C19:00A8  JB   0095          ; 6 different commands.
4C19:00AA  JMP  0002          ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP         ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API entry point). If the VxD is not loaded, ES:DI
is left untouched, which is why both are zeroed first.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
. R8 E1 u1 L* a1 \' j: R% _, ?. i' T% A
___________________________________________________________________________


Method 04
=========

Identical to the preceding one except that it asks for the SoftICE GFX VxD
(SIWVID) instead.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
5 F6 w' L3 ?2 P0 |3 @0 b3 J
___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The simplest one:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The vector swap bypasses any
real-mode debugger sitting in the IVT; SoftICE intercepts the interrupt
before the IVT is consulted and still answers:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install the dummy int 41h handler,
        xchg    bx, es:[41h*4+2]        ; keeping the old vector in BX:DX
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
) j* I! G# Q" \4 ~
___________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to detect: no
function number is passed. AL holds a byte read from the timer port and
the dummy handler copies it into CL; if the dummy handler ran, CL equals
AL, while if SoftICE swallowed the interrupt CL is still 0. (A timer byte
of 0 gives a false negative, which the protection accepts.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from PIT channel 0
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected
___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

Not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX = new handler
        int     21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
1 v6 ]! I; ?9 ]; K& A6 _
___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7=0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

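The two DR7 values quoted above can be taken apart to see what actually distinguishes them. The following is an added example in Python, not code from the original page: it decodes a DR7 value that ring-0 code has already read (mov eax, dr7 cannot be done from Python), using the DR7 bit layout from the Intel manuals, and shows what an armed BPM looks like and how a protection would clear it. The loaded_by_softice_loader() rule (LE and GE both set) is this example's reading of the 0x700 versus 0x400 difference, not something the page states.

```python
"""DR7 decoder for the values quoted in Method 10 (added example)."""

# 2-bit R/W and LEN encodings for each of DR0..DR3 (bits 16-31 of DR7),
# per the Intel SDM.  LEN code 2 means 8 bytes (long mode only).
_RW = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
_LEN = {0: 1, 1: 2, 3: 4, 2: 8}

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10   # always reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13          # general detect: #DB on any MOV to/from DRn


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its control bits and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 in the even low bits
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 in the odd low bits
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn
        slots.append({
            "enabled": bool(local | glob),
            "local": bool(local),
            "global": bool(glob),
            "type": _RW[rw],
            "len": _LEN[ln],
        })
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def active_bpms(dr7: int) -> list:
    """Indexes of the DRn slots that are armed (how a BPM shows up)."""
    return [i for i, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def loaded_by_softice_loader(dr7: int) -> bool:
    """Assumed rule for the page's 0x700 vs 0x400 observation: both LE and
    GE set means the program was started through the SoftICE loader."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpms(dr7: int) -> int:
    """What a protection writes back to kill every BPM: drop the eight
    L/G enable bits and leave R/W, LEN and LE/GE untouched."""
    return dr7 & ~0xFF


def bpm_dr7(slot: int, rw: str, length: int, base: int = DR7_RESERVED1) -> int:
    """Build the DR7 a debugger writes for a local BPM in the given slot,
    e.g. bpm_dr7(0, "read/write", 4) for a 4-byte 'BPM ... RW' in DR0."""
    rw_code = {v: k for k, v in _RW.items()}[rw]
    len_code = {v: k for k, v in _LEN.items()}[length]
    return (base | (1 << (2 * slot))
            | (rw_code << (16 + 4 * slot))
            | (len_code << (18 + 4 * slot)))


if __name__ == "__main__":
    for value in (0x400, 0x700, bpm_dr7(0, "read/write", 4) | DR7_LE | DR7_GE):
        d = decode_dr7(value)
        print(f"DR7={value:#x}  LE={d['LE']} GE={d['GE']}  armed={active_bpms(value)}"
              f"  loader={loaded_by_softice_loader(value)}")
```

Reading DR7 takes a MOV from a debug register, which faults outside ring 0; with GD set, even that MOV raises #DB, which is how a debugger can catch a protection that tries this.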
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the device opened: the VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067:  push    00402025            ; \\.\SICE
0040106C:  call    CreateFileA
00401071:  cmp     eax,-001
00401074:  je      00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\"
 prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

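As an added example (not the page's nor NuMega's code), here is the same device-name probe in Python, covering all three names the page lists instead of just 'SICE'. On Windows it calls CreateFileW through ctypes with the flags the C sample uses; the `probe` parameter and the simulated_probe() helper are this example's own additions so the decision logic can run offline, and the constants are the Windows SDK values.

```python
"""MeltICE-style device-name probe (added example)."""
import ctypes
import sys

# Device names the page lists: SICE and SIWVID (Win9x), NTICE (WinNT).
DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")

# Win32 constants used by CreateFile (values from the Windows SDK headers).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x00000080
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value   # all-ones pointer


def win32_device_opens(name: str) -> bool:
    r"""Try to open \\.\<name> the way nmtrans.dll / MeltICE do.

    True only if CreateFile handed back a real handle, which the SoftICE
    VxD allows by clearing EAX/CF in its DIOC_OPEN handler.  The handle
    is closed again so the probe leaves nothing behind."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.CreateFileW("\\\\.\\" + name,
                             GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE,
                             None, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(handle)
    return True


def find_softice(probe=None, names=DEVICE_NAMES):
    """Return the first device name that opened, or None if none did.

    probe(name) -> bool defaults to the real Win32 check; passing your own
    lets the logic run on any platform or inside a harness."""
    if probe is None:
        if sys.platform != "win32":
            raise OSError("the device-name probe needs Win32 CreateFile")
        probe = win32_device_opens
    for name in names:
        if probe(name):
            return name
    return None


def simulated_probe(loaded_devices):
    """Stand-in for win32_device_opens that pretends the given devices
    exist.  Constructed for demonstration only (assumption, not Win32)."""
    loaded = {d.upper() for d in loaded_devices}
    return lambda name: name.upper() in loaded


if __name__ == "__main__":
    # Offline run against a simulated Win9x box with SoftICE loaded.
    print(find_softice(probe=simulated_probe(["SICE", "SIWVID"])))   # SICE
    print(find_softice(probe=simulated_probe([])))                   # None
    if sys.platform == "win32":
        print(find_softice())   # real probe
```

The order of DEVICE_NAMES matters only for which name is reported; a protection that wants to know the platform would test the Win9x and WinNT names separately, exactly the split the page's BPX conditions make between 'SICE'/'SIWV' and 'NTIC'.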
___________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of 'tICE' inside keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag (ZF is set when no debugger is installed).
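Once these idioms are known, the quickest way to find them in a target before placing any of the breakpoints above is a static byte-pattern scan. The scanner below is an added example (not from the original page): it encodes the instruction sequences of methods 01 to 08, 11, 12 and 13 as x86 byte patterns and reports their offsets. The ring-0 VMMCall methods (09 and 14) and Unicode device names are not covered, the allowed gaps between instructions are this example's choice, and the sample blob is constructed for it.

```python
"""Static scanner for the SoftICE-detection idioms catalogued above
(added example).  Patterns are the x86 encodings of the sequences shown in
the text; a 66h operand-size prefix in 32-bit code sits in front of the
bytes matched, so 16-bit and 32-bit code both hit."""
import re
import sys

# (method, description, pattern).  ".{0,n}?" allows a few unrelated
# instructions in between; re.DOTALL makes "." match 0x0A as well.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42"                  # mov ebp, 4243484Bh ('BCHK')
     rb".{0,8}?\xB8\x04\x00"                    # mov ax, 4
     rb".{0,4}?\xCC"),                          # int 3
    ("02", "SoftICE back door magic SI=4647h/DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"),     # mov si,4647h ... mov di,4A4Dh
    ("03", "int 2Fh/1684h, VxD ID 0202h (WINICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,4}?\xCD\x41"),          # mov ax,4Fh ; int 41h
    ("06", "int 41h with timer byte (in al,40h / xor cx,cx)",
     rb"\xE4\x40.{0,4}?(?:\x31|\x33)\xC9.{0,4}?\xCD\x41"),
    ("07", "int 68h function 43h",
     rb"\xB4\x43.{0,4}?\xCD\x68"),              # mov ah,43h ; int 68h
    ("08", "int 21h/25h re-vectoring int 1 or int 3",
     rb"(?:\xB4\x25.{0,6}?\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21"),
    ("05/07/12", "compare with debugger magic 0F386h",
     rb"\x3D\x86\xF3"),                         # cmp ax, 0F386h
    ("11", "driver device name (MeltICE / _lopen style)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),        # "\\.\SICE" etc., ASCII only
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x6A\x4F.{0,4}?\x68\x2A\x00\x2A\x00"),  # push 4Fh ; push 2A002Ah
    ("13", "SoftICE registry key",
     rb"(?:NuMega|Uninstall)\\SoftICE"),
]
_COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob: bytes):
    """Return [(offset, method, description), ...] sorted by offset."""
    hits = []
    for method, desc, rx in _COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: a 32-bit 'BCHK' check, a Haspinst-style back door
# call, an int 41h/4Fh probe with its 0F386h compare, a Bleem-style
# VxDCall and a MeltICE device name, with NOP padding in front.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp, 'BCHK'
    + b"\x66\xB8\x04\x00"                  # mov ax, 4
    + b"\xCC"                              # int 3
    + b"\x3C\x04\x75\x10"                  # cmp al,4 ; jnz detected
    + b"\xB8\x11\x09\x8B\x17"              # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh ; push 2A002Ah
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(blob):
        print(f"{off:08x}  method {method:<8} {desc}")
```

Run it on a packed executable and each reported offset is a candidate for a BPX once the file offset is mapped to its virtual address; the 0F386h compare and the 'BCHK' constant are the least likely to show up by accident, while `push 4Fh` and `mov ax,4Fh` need the following instruction to mean anything, which is why those patterns require the int or the second push nearby.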
L5 X L# J1 t0 r( j" K6 d</PRE></TD></TR></TBODY></TABLE> |