<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE installs on int 3: with EBP holding the
signature 'BCHK' and AX = 04h, SoftICE answers by clearing AL, while a plain
int 3 leaves the registers untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 04h                 ; AL unchanged => no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much in use (perhaps the most frequent one). It calls
the SoftICE 'back door' on int 3, which gives information on breakpoints or
executes SoftICE commands. It is also used to crash SoftICE or to force it to
execute arbitrary commands (HBOOT...) :-((

Here is a quick description of the functions:

-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:

-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' SoftICE requires before it honours the call
(4647h and 4A4Dh are the ASCII codes of 'FG' and 'JM').
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler if the debugger is
  not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD entry point via int 2Fh,
function 1684h (Get VxD API entry point). ES:DI is zeroed beforehand; if the
VxD is not loaded it stays 0:0, otherwise it receives the entry point.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it asks for the SoftICE
GFX VxD (SIWVID) instead.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h that system-level debuggers
return (in AX) when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first replaces the real-mode int 41h
vector with its own IRET stub, so that if nothing intercepts the interrupt AX
comes back unchanged; SoftICE, which intercepts int 41h itself, still answers
with 0F386h:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

The second Stone example is similar to the preceding one but harder to spot:
instead of looking for 0F386h, it relies on its own handler being reached.
The handler copies AL into CL; AL is first loaded with a changing value read
from the timer port (40h) and CX is zeroed. If the program's handler runs,
CL == AL afterwards; if SoftICE handles the int 41h itself, the handler is
never reached, CL stays 0 and differs from AL.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; changing byte from the PIT counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting int 01h
and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only usable
from ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (DR7 = 0x700 if the program was started with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3).
Bit 10 of DR7 is reserved and always reads as 1, which is where the 0x400
comes from; 0x700 has the LE and GE (exact breakpoint) bits 8 and 9 set on
top of it. The values can be manipulated or changed as well (clearing BPMs
for instance).

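The following decoder is an added example, not code from the original text: it splits a DR7 value into the flags and armed breakpoints that Method 10 inspects, and applies the page's test (anything beyond the always-set reserved bit is suspicious). The register layout is the documented Intel one; what clear_bpm() does when "clearing BPMs" is an assumption about the intent described above.

```python
"""Decoding the debug-register state Method 10 reads (added example).

DR7 layout (Intel SDM vol. 3, "Debug Registers"):
  bit 2i     Li   local enable for DRi        bit 2i+1  Gi  global enable
  bit 8      LE   local exact breakpoints    bit 9     GE  global exact
  bit 10     reserved, always reads as 1    bit 13    GD  general detect
  bits 16+4i R/Wi 0=exec 1=write 3=read/write
  bits 18+4i LENi 0=1 byte 1=2 bytes 3=4 bytes (2=8 bytes on 64-bit CPUs)
So a clean machine shows 0x400, and the 0x700 the page reports for a program
started with the SoftICE loader is 0x400 with LE and GE set on top.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

DR7_LE, DR7_GE, DR7_RESERVED, DR7_GD = 0x100, 0x200, 0x400, 0x2000
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class HwBreakpoint:
    index: int          # which of DR0..DR3
    address: int        # linear address held in DRi
    local: bool
    global_: bool
    kind: str           # execute / write / read/write
    length: int         # bytes covered


@dataclass
class Dr7State:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int, dr0_3: Tuple[int, int, int, int] = (0, 0, 0, 0)) -> Dr7State:
    """Split DR7 into its flag bits and the list of armed breakpoints."""
    state = Dr7State(raw=dr7, le=bool(dr7 & DR7_LE),
                     ge=bool(dr7 & DR7_GE), gd=bool(dr7 & DR7_GD))
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue                      # DRi not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        state.breakpoints.append(
            HwBreakpoint(i, dr0_3[i], local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return state


def debugger_suspected(dr7: int) -> bool:
    """Method 10's test: anything beyond the always-set reserved bit 10
    (an armed DR0..DR3, or the LE/GE bits the loader leaves) is suspicious."""
    return (dr7 & ~DR7_RESERVED) != 0


def clear_bpm(dr7: int) -> int:
    """Assumed meaning of 'clearing BPMs': drop the L/G enable bits and the
    R/W and LEN fields, keep bits 8-15 (LE, GE, reserved, GD) as they are."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x400 | 1 | (3 << 16) | (3 << 18)):
        st = decode_dr7(value, (0x401000, 0, 0, 0))
        print(f"DR7={value:#x} LE={st.le} GE={st.ge} bps={st.breakpoints} "
              f"suspect={debugger_suspected(value)}")
```

The third value in the demo is what a BPM set by SoftICE on a 4-byte read/write at 0x401000 would leave in DR0/DR7; clear_bpm() turns it back into the clean 0x400.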
: c& p) u1 ~' ?, F9 n9 [__________________________________________________________________________: V9 r" w; P+ n* m8 l! ?
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include "windows.h"            /* CreateFileA, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls CreateFileA, do not expect to intercept it by
installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how on earth could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the control proc entry point of
Winice.exe while running MeltICE.

00401067:  push  00402025        ; \\.\SICE
0040106C:  call  CreateFileA
00401071:  cmp   eax,-001        ; INVALID_HANDLE_VALUE
00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

   (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix,
   and the dword read there is compared with the first four characters of
   the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; int 30h is the VxDCall gate; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (VWIN32),
                                        ; low word the service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

   (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
   in the subkey strings of key #2 and key #1 respectively)

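Most of the tricks above leave recognisable constants in the binary, which is how a packer or protector can be triaged before it is ever run. The scanner below is an added example (not part of the original text, and not code from any of the programs it names): it looks for the byte-level traces of methods 01 to 07, 11, 12 and 13 using only the values given on this page, the standard x86 opcode encodings, and an assumed 16-byte tolerance between the pieces of one check. The sample blob is hand-assembled for the demonstration, not taken from a real file.

```python
"""Static scanner for the anti-SoftICE signatures discussed on this page.

Rules use the constants given in the text: 'BCHK' (method 01), the
4647h/4A4Dh magic values (02), int 2Fh/1684h with VxD IDs 0202h/7A5Fh
(03/04), int 41h/4Fh (05), the 0F386h reply (05/07/12), int 68h/43h (07),
the \\.\SICE device names (11), VxDCall 002A002Ah (12) and the registry key
names (13).  The 16-byte gap between instruction pieces is an assumption.
"""
import re

GAP = rb".{0,16}?"          # tolerate a few unrelated bytes between pieces
DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_KEYS = ["NuMega\\SoftICE", "Uninstall\\SoftICE", "App Paths\\Loader32.Exe"]


def _any_of(strings, encoding):
    """Regex alternation of literal strings in the given encoding."""
    return b"(?:" + b"|".join(re.escape(s.encode(encoding)) for s in strings) + b")"


# (method, description, pattern).  Opcode bytes are the standard x86
# encodings: BD imm32 = mov ebp; B8/BB/BE/BF imm16 = mov ax/bx/si/di;
# B4 imm8 = mov ah; CC or CD 03 = int 3; CD xx = int xx; 68 imm32 = push;
# 3D imm16 = cmp ax.  A 66h operand-size prefix, if any, precedes these.
RULES = [
    ("01", "BoundsChecker 'BCHK' in EBP followed by int 3",
     rb"\xBD\x4B\x48\x43\x42" + GAP + rb"(?:\xCC|\xCD\x03)"),
    ("02", "int 3 back door with SI=4647h, DI=4A4Dh",
     rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"(?:\xCC|\xCD\x03)"),
    ("03", "int 2Fh/1684h for VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F"),
    ("04", "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),
    ("05", "int 41h function 4Fh",
     rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    ("F386", "cmp ax,0F386h (debugger magic reply)",
     rb"\x3D\x86\xF3"),
    ("07", "int 68h function 43h",
     rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    ("11", "SoftICE device name (ASCII)", _any_of(DEVICE_NAMES, "ascii")),
    ("11", "SoftICE device name (UTF-16)", _any_of(DEVICE_NAMES, "utf-16-le")),
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key name", _any_of(REGISTRY_KEYS, "ascii")),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in RULES]


def scan(blob):
    """Return [(offset, method, description)] for every rule hit, by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Hand-assembled sample (constructed for this example, not a real file).
SAMPLE = (
    b"\x90" * 4
    # 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"
    # 02: mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
    # 07: mov ah,43h / int 68h
    + b"\xB4\x43\xCD\x68"
    # 12: push 4Fh / push 002A002Ah
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"
    # 11 and 13: strings as they would sit in a data section
    + b"\x00\\\\.\\SICE\x00" + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:4} {desc}")
```

Run it on a whole file with scan(open(path, "rb").read()). The instruction rules are deliberately loose (they ignore the 66h prefix and allow a short gap), so treat a hit as a lead to confirm in the disassembly, not as proof; the string rules (11, 13) are exact and the cheapest to check first.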
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>