<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below)
    4C19:009A MOV SI,4647   ; 1st magic value
    4C19:009D MOV DI,4A4D   ; 2nd magic value
    4C19:00A0 INT 3         ; int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands
    4C19:00AA JMP 0002      ; Bad_Guy jmp back
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
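As an added example (not code from the original text), here is a small Python triage script that sweeps 16-bit x86 code for the interrupt-based checks of Methods 01 to 07 above: it tracks the immediate values loaded into the registers those checks use and classifies each INT by the register state at that point, which is how an analyst confirms such a check in a sample without single-stepping it under SoftICE. It decodes only the opcodes the snippets above use, assumes 16-bit code (so Method 01 is encoded with a 66h operand-size prefix on its 32-bit mov), and the sample bytes are hand-assembled from the snippets; the function and sample names are my own. It generalizes the one-snippet-per-method listing above into a single rule table.

```python
"""Linear-sweep triage of 16-bit x86 code for the interrupt-based SoftICE checks
of Methods 01 to 07: track immediate loads into the registers those checks use
and classify each INT by the register state at that point.  Added example, not
code from the original text.  Only the opcodes the snippets use are decoded;
the sample bytes are hand-assembled (constructed) from those snippets."""

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}            # Methods 03 / 04
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",
            0x0912: "get breakpoint info", 0x0913: "set breakpoint",
            0x0914: "remove breakpoint"}                  # Method 02, AX values


def modrm_len(modrm):
    """Displacement bytes that follow a 16-bit ModR/M byte (no SIB in 16-bit code)."""
    mod, rm = modrm >> 6, modrm & 7
    return {0: 2 if rm == 6 else 0, 1: 1, 2: 2, 3: 0}[mod]


def classify_int(vector, r):
    """Map an INT plus the tracked register state to one of the methods, or None."""
    ax, ebp = r["ax"], (r["ebp_hi"] << 16) | r["bp"]
    if vector == 3 and ebp == 0x4243484B and (ax & 0xFF) == 4:
        return "Method 01: int 3 with EBP='BCHK' (BoundsChecker signature)"
    if vector == 3 and r["si"] == 0x4647 and r["di"] == 0x4A4D:
        return "Method 02: int 3 back door, AX=%04Xh (%s)" % (ax, BACKDOOR.get(ax, "unknown"))
    if vector == 0x2F and ax == 0x1684 and r["bx"] in VXD_IDS:
        return "Method 03/04: int 2Fh/1684h entry point of VxD %s" % VXD_IDS[r["bx"]]
    if vector == 0x41 and ax == 0x4F:
        return "Method 05/06: int 41h/4Fh debugger installation check"
    if vector == 0x68 and (ax >> 8) == 0x43:
        return "Method 07: int 68h/43h WinICE handler check"
    return None


def scan(code):
    """Return [(offset, description)] for every recognised check in `code`."""
    r = {name: 0 for name in REG16}
    r["ebp_hi"] = 0                              # upper half of EBP, set by a 66h-prefixed mov
    hits, i = [], 0
    while i < len(code):
        start, op, i = i, code[i], i + 1
        wide = op == 0x66                        # operand-size prefix: mov r32, imm32
        if wide:
            op, i = code[i], i + 1
        if 0xB8 <= op <= 0xBF:                   # mov r16, imm16 / mov r32, imm32
            n = 4 if wide else 2
            imm = int.from_bytes(code[i:i + n], "little")
            i += n
            r[REG16[op & 7]] = imm & 0xFFFF
            if wide and (op & 7) == 5:
                r["ebp_hi"] = imm >> 16
        elif 0xB0 <= op <= 0xB7:                 # mov r8, imm8 (al..bl, then ah..bh)
            reg, imm, i = REG16[op & 3], code[i], i + 1
            r[reg] = (r[reg] & 0xFF00 | imm) if op < 0xB4 else (r[reg] & 0xFF | imm << 8)
        elif op in (0xCC, 0xCD):                 # int 3 / int imm8
            vector = 3 if op == 0xCC else code[i]
            i += 1 if op == 0xCD else 0
            desc = classify_int(vector, r)
            if desc:
                hits.append((start, desc))
        elif op == 0x3D:                         # cmp ax, imm16
            imm = int.from_bytes(code[i:i + 2], "little")
            i += 2
            if imm == 0xF386:
                hits.append((start, "compare with system-debugger magic 0F386h"))
        elif op in (0x3C, 0x72, 0x74, 0x75, 0xEB):   # cmp al, imm8 / short jumps (not followed)
            i += 1
        elif 0x40 <= op <= 0x4F:                 # inc/dec r16
            pass
        elif op in (0x03, 0x33, 0x85, 0x8B, 0x8C, 0x8E):   # add/xor/test/mov with ModR/M
            modrm = code[i]
            if op == 0x33 and modrm >= 0xC0 and (modrm >> 3 & 7) == (modrm & 7):
                r[REG16[modrm & 7]] = 0          # xor reg, reg clears the register
            i += 1 + modrm_len(modrm)
        elif op == 0x83:                         # add/cmp r/m16, imm8
            i += 1 + modrm_len(code[i]) + 1
        else:
            raise ValueError("unsupported opcode %02Xh at offset %d" % (op, start))
    return hits


# Constructed samples, hand-assembled from the snippets in Methods 01-07
# (Method 01 in its 16-bit encoding, i.e. with the 66h prefix on the 32-bit mov).
SAMPLES = {
    "method01": bytes.fromhex("66BD4B484342 B80400 CC 3C04 7500"),
    "method02": bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 7200"),
    "method03": bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F 8CC0 03C7 85C0 7500"),
    "method05": bytes.fromhex("B84F00 CD41 3D86F3 7400"),
    "method07": bytes.fromhex("B443 CD68 3D86F3 7400"),
}


def triage():
    """Run the sweep over every constructed sample."""
    return {name: scan(code) for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in triage().items():
        for off, desc in found:
            print("%s +%02d: %s" % (name, off, desc))
```

The sweep deliberately does not follow jumps and stops on an opcode it does not know, so on a real sample you point it at the code region flagged by a breakpoint rather than at a whole section; the register rules are the ones stated in the methods above, nothing more.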
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
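An added example (not from the original text) that decodes DR7 the way a Method 10 check reads it: the two values quoted above differ only in bits 8 and 9 (LE and GE, the exact-breakpoint enables) on top of the reserved bit 10 that is always set, and an armed BPM shows up as one of the L0..L3/G0..G3 enable bits together with its R/W and LEN fields. The bit layout is the standard x86 one from the architecture manuals; the DR7 and DR0 values fed in are constructed, and the function names are my own.

```python
"""Decode DR7, the debug-control register Method 10 reads (added example, not
code from the original text).  Bit layout per the x86 architecture manuals:
L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 (always 1),
GD bit 13, and R/Wn (2 bits) + LENn (2 bits) for each slot from bit 16 up."""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "I/O (if CR4.DE)", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10: undefined except in 64-bit mode

DR7_LE, DR7_GE, DR7_RESERVED, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13


def decode_dr7(dr7):
    """Split DR7 into its global flags and the per-slot (DR0..DR3) settings."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)            # Ln: enabled for the current task
        glob = bool(dr7 >> (2 * n + 1) & 1)         # Gn: enabled for all tasks
        rw = (dr7 >> (16 + 4 * n)) & 3              # R/Wn: what access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3              # LENn: watched range
        slots.append({"enabled": local or glob, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD), "reserved_bit10": bool(dr7 & DR7_RESERVED),
            "breakpoints": slots}


def active_bpm(dr7, dr0_3):
    """Armed hardware breakpoints (SoftICE BPMs) as (slot, address, kind, length)."""
    dec = decode_dr7(dr7)
    return [(n, addr, s["kind"], s["length"])
            for n, (s, addr) in enumerate(zip(dec["breakpoints"], dr0_3)) if s["enabled"]]


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """One-line summary of what a Method 10 check would conclude from these values."""
    dec, armed = decode_dr7(dr7), active_bpm(dr7, dr0_3)
    flags = ", ".join(f for f in ("LE", "GE", "GD") if dec[f]) or "none"
    return "DR7=%#x: flags %s; %d BPM(s) armed: %s" % (dr7, flags, len(armed), armed)


if __name__ == "__main__":
    # Constructed values: the two DR7 values quoted in Method 10, then a DR7 with
    # slot 0 armed as a 4-byte read/write BPM on a constructed address in DR0.
    print(describe(0x700))
    print(describe(0x400))
    print(describe(0x000F0701, [0x401000, 0, 0, 0]))
```

Reading DR0..DR7 needs ring 0, as the text says, so this is the decoding step you apply to values captured from a kernel-mode component; it is also a quick way to see why a protection that only compares DR7 against 0x400 fires on any debugger that sets LE/GE, not just SoftICE.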

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
and 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
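For Methods 11 to 13, an added example (not from the original text) of the static side of the same checks: a scanner that reports the SoftICE device names, the registry paths, and the push 4Fh / push 002A002Ah VxDCall prologue of Method 12 wherever they occur in a file image, in ASCII and UTF-16, so the trick can be spotted before the program is run. The sample image is constructed, and the function names are my own; a real run passes the bytes of the executable under analysis.

```python
"""Static triage for the handle-open, VxDCall and registry tricks (Methods 11
to 13): find the SoftICE device names, the registry key paths and the
VWIN32_Int41Dispatch VxDCall prologue in a raw file image.  Added example, not
code from the original text; the sample image below is constructed by hand."""

import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]       # Method 11
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE",                           # Method 13
                 b"CurrentVersion\\Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]
# Method 12 as 32-bit code: push 4Fh (6A 4F) then push 002A002Ah (68 2A 00 2A 00).
VXDCALL_INT41 = b"\x6a\x4f\x68\x2a\x00\x2a\x00"


def _patterns():
    """Compile each indicator in ASCII and UTF-16LE form.  Names are matched
    case-insensitively because Win32 device and key names are not case-sensitive."""
    pats = []
    for label, strings in (("Method 11: device name", DEVICE_NAMES),
                           ("Method 13: registry key", REGISTRY_KEYS)):
        for s in strings:
            wide = s.decode("ascii").encode("utf-16-le")
            pats.append((label, s.decode(), re.compile(re.escape(s), re.IGNORECASE)))
            pats.append((label + " (UTF-16)", s.decode(),
                         re.compile(re.escape(wide), re.IGNORECASE)))
    pats.append(("Method 12: push 4Fh / push 002A002Ah before VxDCall",
                 "VWIN32_Int41Dispatch", re.compile(re.escape(VXDCALL_INT41))))
    return pats


def scan_image(image):
    """Return (offset, label, indicator) for every indicator found, sorted by offset."""
    hits = []
    for label, text, pat in _patterns():
        for m in pat.finditer(image):
            hits.append((m.start(), label, text))
    return sorted(hits)


# Constructed image: a fake header, two device names (one lower-case), a UTF-16
# registry path, then a Method 12 call sequence followed by the 0F386h compare.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 30
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\siwvid\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"\xb8\x00\x00\x00\x00"                     # mov eax, 0 (filler)
    + VXDCALL_INT41                               # push 4Fh / push 002A002Ah
    + b"\xff\x15\x00\x00\x00\x00"                 # call [Kernel32!ORD_0001] (unresolved)
    + b"\x66\x3d\x86\xf3\x74\x00"                 # cmp ax, 0F386h / jz
)


if __name__ == "__main__":
    for off, label, text in scan_image(SAMPLE_IMAGE):
        print("%06x  %-45s %s" % (off, label, text))
```

A string hit only tells you the name is present; whether it is actually passed to CreateFileA, _lopen or RegOpenKey is what the breakpoints above confirm at run time, so the two views complement each other.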
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>