<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; assumes ES = 0 (interrupt vector table)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if our handler ran, CL == AL
    jnz SoftICE_Detected    ; otherwise int 41h was intercepted
__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE VxD as a device: succeeds only if SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
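The checks of Methods 01 to 13 all leave fixed byte patterns in a binary (the magic immediates, interrupt numbers, device names and registry keys quoted above), so an analyst can triage a sample for them statically instead of tracing it under SoftICE. The scanner below is an added example, not part of the original text: the signature names, the scan/methods_found helpers and the SAMPLE/CLEAN inputs are constructed here, and the byte encodings are the standard x86 ones.

```python
import re

# Byte-level signatures for the SoftICE checks described above (Methods 01-13),
# written as regexes over raw bytes.  Standard x86 encodings are assumed:
#   mov si,imm16 = BE iw   mov di,imm16 = BF iw   mov bx,imm16  = BB iw
#   mov ax,imm16 = B8 iw   mov ah,imm8  = B4 ib   mov ebp,imm32 = BD id
#   int n = CD ib          int 3 = CC             cmp ax,imm16  = 3D iw
#   push imm8 = 6A ib      push imm32 = 68 id     mov r32,drN   = 0F 21 /r
# Immediates are little-endian: 4647h -> 47 46, 0F386h -> 86 F3.
SIGNATURES = {
    # Method 01: 'BCHK' in EBP followed by INT 3
    "01 BCHK int3":      rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: SI=4647h and DI=4A4Dh magic values before INT 3
    "02 backdoor int3":  rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)
    "03/04 int2F 1684":  rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/06: int 41h function 4Fh
    "05/06 int41 4F":    rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: int 68h function 43h compared against 0F386h
    "07 int68 43":       rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3",
    # Method 10: a debug register read (mov r32, drN), ring0 code only
    "10 debug regs":     rb"\x0F\x21[\xC0-\xFF]",
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    "11 MeltICE names":  rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall int41":  rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry keys that reveal a SoftICE installation
    "13 registry keys":  rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes):
    """Return (offset, method) pairs, sorted by offset, for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(blob: bytes):
    """Deduplicated, sorted list of method names found in blob."""
    return sorted({name for _, name in scan(blob)})


# Constructed sample: NOP filler, the Haspinst-style INT 3 backdoor sequence
# from Method 02, and the MeltICE device name from Method 11.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"        # mov ax,0911h   (execute SIce command)
    + b"\x8B\x17"            # mov dx,[bx]
    + b"\xBE\x47\x46"        # mov si,4647h   (1st magic value)
    + b"\xBF\x4D\x4A"        # mov di,4A4Dh   (2nd magic value)
    + b"\xCC"                # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"     # '\\.\SICE',0
)
CLEAN = bytes(range(256)) * 2   # constructed benign data; no hits expected

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Run it over a whole file with scan(open(path, "rb").read()); a hit is a lead to verify in the disassembly, not proof, since the short patterns can also occur by chance in data.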
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>