About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0000:0000 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0 so that es:[41h*4] addresses the IVT entry (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: ax stays 4fh unless a debugger answered
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES=0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer counter: a changing value
    xor     cx,cx
    int     41h                     ; if our handler runs, cl becomes al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl still 0: something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

' \" r: V4 y2 o8 P" J7 E  h& BMethod 070 }; ^7 K# q. q
=========& W1 H$ T8 s1 ~% B$ h. A7 p+ Q

: P) l4 h8 F2 ZMethod of detection of the WinICE handler in the int68h (V86)
/ U/ W/ Z) D& q/ N. e
7 l% T8 k  ?  K# k0 \    mov     ah,43h( W( w' Y) Q2 J( U- ^+ s& B2 ?
    int     68h' p! r# P* c4 M0 p/ D6 G% k. @8 t5 V, J
    cmp     ax,0F386h/ X/ s1 p" l! m7 h, Q( W
    jz      SoftICE_Detected% `! [/ k& R/ [

# A- C# \( A- ~4 p
3 d" b) t' Z  u7 Q. h=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit# [% A- `3 B' R# C
   app like this:
* t& p9 ]; V: t2 S% c
1 V' I! d( p$ W- }   BPX exec_int if ax==68- d) d; Z, K: d- t# R8 q. u
   (function called is located at byte ptr [ebp+1Dh] and client eip is
8 S7 q( S# A( N   located at [ebp+48h] for 32Bit apps)3 q8 m  v# N5 z
__________________________________________________________________________
' L. z% g$ H4 ]5 A2 l$ `3 r; ^
) N8 h7 l+ p) R: o& A9 b
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
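To make the two values quoted above concrete, here is an added Python example (my own code, not part of the original text and not from NuMega) that decodes a DR7 value using the architectural bit layout of DR7 from the Intel SDM and then applies the reading given for Method 10. The constant BPM_DR0_WRITE4 (DR0 armed as a 4-byte write breakpoint) is a constructed sample value, and the verdict strings returned by interpret() are this example's own naming.

```python
# Added example, not from the original text: decode x86 DR7 the way the
# Method 10 check reads it.  Field layout (Intel SDM, DR7):
#   bits 0-7    L0,G0 .. L3,G3   local/global enable for breakpoints 0..3
#   bit 8 / 9   LE / GE          local/global exact breakpoint
#   bit 10      reserved, reads as 1 (this is the 0x400 "nothing set" baseline)
#   bit 13      GD               general detect: #DB on any MOV to/from DR0-DR7
#   bits 16-31  R/Wn (2 bits) and LENn (2 bits) for breakpoint n
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

# Constructed sample value: L0 set, R/W0 = 01 (write), LEN0 = 11 (4 bytes),
# plus the always-1 reserved bit 10.
BPM_DR0_WRITE4 = 0x000D0401


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its architectural fields."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                     # dr_n is not armed; its R/W and LEN bits are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append({"index": n, "local": bool(local), "global": bool(glob),
                            "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": breakpoints,
        "local_exact": bool((dr7 >> 8) & 1),
        "global_exact": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "general_detect": bool((dr7 >> 13) & 1),
    }


def interpret(dr7: int) -> str:
    """Apply the Method 10 reading: armed dr0-dr3 first, then the two quoted values."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "bpm_active"      # memory/execute breakpoints are set in dr0-dr3
    if info["local_exact"] and info["global_exact"]:
        return "le_ge_set"       # the 0x700 pattern the text attributes to the SoftICE loader
    if dr7 == 0x400:
        return "baseline"        # only the reserved bit: nothing armed
    return "other"


if __name__ == "__main__":
    for value in (0x700, 0x400, BPM_DR0_WRITE4, 1 << 13):
        print(f"dr7={value:#010x} -> {interpret(value):<10} {decode_dr7(value)}")
```

One practical caveat for anyone relying on this check: with the GD bit (bit 13) set, the CPU raises a debug exception on any MOV to or from a debug register, so a ring-0 read of DR7 as in Method 10 is itself an event a debugger can be configured to trap, and the value the program then sees is whatever the exception handler chooses to hand back.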

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
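The following is an added Python example, my own code rather than anything from the original text, that turns the checks above into static signatures an analyst can run over a sample: the instruction sequences quoted in Methods 01 to 07 and 12 (hand-assembled here as 16-bit x86 encodings, with an optional 66h operand-size prefix where the 32-bit form of the same 16-bit-register instruction differs) and the device names and registry keys from Methods 11 and 13. SAMPLE is a constructed buffer made of fragments of those listings, and the signature keys and descriptions are this example's own naming.

```python
import re

# Added example, not from the original text.  Patterns were hand-assembled from
# the listings in the text: B8+r = mov r16,imm16, BD = mov ebp,imm32, CD = int,
# 3D = cmp ax,imm16, 6A/68 = push imm8/imm32.  "\x66?" admits the 32-bit form.
SIGNATURES = [
    ("M01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02", "mov si,4647h followed by mov di,4A4Dh (back-door magic values)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("M03/04", "mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (VxD entry point query)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("M05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("F386", "cmp ax,0F386h (system debugger magic number, methods 05/07/12)",
     rb"\x66?\x3D\x86\xF3"),
    ("M07", "mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("M12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("M11", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M13", "SoftICE registry key fragment",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(key, desc, re.compile(pat, re.DOTALL)) for key, desc, pat in SIGNATURES]


def scan(blob: bytes):
    """Return (offset, key, description) for every signature hit, ordered by offset."""
    hits = []
    for key, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), key, desc))
    return sorted(hits)


def detected_keys(blob: bytes):
    """Just the set of signature keys that fired, as a sorted list."""
    return sorted({key for _, key, _ in scan(blob)})


# Constructed sample (not a real program): fragments of the text's listings,
# separated by NOPs and harmless data, standing in for a code/data section.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"        # Method 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02: mov ax,0911h; mov dx,[bx]; magic si/di; int 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                    # Method 04: int 2Fh/1684h with bx=7A5Fh (SIWVID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                    # Method 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"Hello world\x00"                                     # unrelated data
    + b"\\\\.\\NTICE\x00"                                     # Method 11: NTICE device name
    + b"Software\\NuMega\\SoftICE\x00"                        # Method 13: registry key
)

if __name__ == "__main__":
    for off, key, desc in scan(SAMPLE):
        print(f"{off:#06x}  {key:<7} {desc}")
```

Run scan() over the code and data sections of the file under analysis and triage each hit by hand; byte-level signatures only catch the literal encodings quoted in the text, so a variant that builds 0F386h or 'BCHK' with arithmetic is missed, which is why the SoftICE breakpoints on the underlying interrupts and APIs listed in the text remain the more robust dynamic check.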