About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: an int 3 issued with
EBP='BCHK' and AX=4 is serviced by SoftICE when it is loaded, and AL does
not come back as 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception (int 3)
  handler if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If no VxD with that ID is loaded, ES:DI comes
back as 0:0. Note that the check below tests ES+DI rather than ES or DI,
which is sloppy but works in practice.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is swapped into
the interrupt vector table first, so that without a debugger the int simply
returns and AX is still 4Fh; SoftICE still sees the int 41h and answers
0F386h:

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
4Fh function code and no 0F386h constant appear in the code. AL is loaded
from the PIT counter (port 40h), so it varies from run to run; the private
handler copies AL into CL, so if the int 41h reaches the program's own
handler, CL==AL afterwards. If a debugger services the int instead of
passing it on, CX is still 0 and the compare fails (unless AL happened to
read 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only, since reading DRx is a privileged instruction).
Values can be manipulated or changed as well (clearing BPMs for instance).
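The DR7 values quoted above are easier to reason about once the register is decoded. The following Python decoder is an added example, not part of the original text and not code from SoftICE or its author: it splits DR7 into its fields, applies the Method 10 heuristic (LE/GE set as left by the SoftICE loader, or any BPM slot enabled), and shows the "clear the BPMs" manipulation the text mentions. The bit layout is the architectural one from the Intel SDM (bits 0-7 L0/G0..L3/G3, bit 8 LE, bit 9 GE, bit 10 reserved and always 1, bit 13 GD, per-slot R/W and LEN in bits 16-31); reading the registers still has to happen in ring0, so the functions take values a ring0 component would have read, and the sample values are constructed.

```python
"""DR7 decoder for the Method 10 check (added example, not from the text).
Assumes the architectural debug-register layout: bits 0-7 L0/G0..L3/G3,
bit 8 LE, bit 9 GE, bit 10 reserved (always 1), bit 13 GD, and for slot n
R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n."""
from dataclasses import dataclass

DR7_RESET = 0x400          # only the reserved bit: the "0x400 otherwise" value
DR7_LOADER_MASK = 0x700    # LE | GE | reserved: the value left by the SoftICE loader
RW_KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes on x86-64


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    scope: str       # "local", "global" or "local+global"
    kind: str        # execute / write / io / read-write
    length: int      # bytes covered


@dataclass(frozen=True)
class Dr7Status:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: tuple


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Break DR7 (plus the matching DR0..DR3 addresses) into its fields."""
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                       # slot disabled: R/W and LEN are don't-care
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        bps.append(HwBreakpoint(slot, dr0_3[slot], scope, RW_KINDS[rw], LEN_BYTES[ln]))
    return Dr7Status(dr7, bool(dr7 & 0x100), bool(dr7 & 0x200), bool(dr7 & 0x2000), tuple(bps))


def softice_check(dr7, dr0_3=(0, 0, 0, 0)):
    """The Method 10 heuristic: LE+GE set (0x700, left by the SoftICE loader)
    or any BPM slot enabled means a debugger has touched the debug registers."""
    status = decode_dr7(dr7, dr0_3)
    loader = (dr7 & DR7_LOADER_MASK) == DR7_LOADER_MASK
    return {
        "loader_signature": loader,
        "bpm_count": len(status.breakpoints),
        "debugger_present": loader or bool(status.breakpoints),
    }


def clear_bpms(dr7):
    """The manipulation the text mentions: drop every enable bit and the
    R/W + LEN fields, keep LE/GE/GD and the reserved bit (bits 8-15)."""
    return dr7 & 0x0000FF00
```

A value such as 0xD0701 (constructed: LE+GE, slot 0 enabled locally, R/W0=write, LEN0=4 bytes) decodes to one 4-byte write BPM, and clear_bpms() turns it back into the bare 0x700 loader signature; a protector that only checks for 0x700 will still miss a plain 0x401, which is why the heuristic also counts enabled slots.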

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the SoftICE
   VxD is loaded and accepts the DIOC_OPEN this call turns into. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
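Putting methods 01 to 13 together: when triaging a packed sample you usually want to know which of these tricks it carries before single-stepping into them. The Python scanner below is an added example, not part of the original text and not a tool by its author or by NuMega. It matches the byte encodings and strings quoted in the methods above in a raw code/data image, decodes the int 3 back door sub-function (Method 02) from the AX immediate found next to the 4647h/4A4Dh magic values, and pairs the int 2Fh/1684h call (Methods 03/04) with the VxD ID loaded into BX. Assumptions: the standard opcode encodings (mov r16,imm16 = B8+r iw, int n = CD ib, push imm32 = 68 id, and so on), arbitrary search windows of 12 to 16 bytes, and SAMPLE_IMAGE, which is constructed by hand and includes a decoy carrying the SI magic value alone.

```python
"""Static scanner for the anti-SoftICE tricks catalogued above (added example;
not part of the original text). It works on a raw code/data image and uses
only the instruction encodings and strings the text itself quotes; the sample
image at the bottom is constructed by hand for demonstration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str    # number of the method in the text ("01".."13")
    offset: int    # byte offset of the match in the scanned image
    detail: str


# Method 02: back door sub-function selected by AX at the int 3
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command at ds:dx",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}
# Methods 03/04: VxD IDs asked for through int 2Fh/1684h
VXD_IDS = {0x0202: ("03", "SICE"), 0x7A5F: ("04", "SIWVID")}

# Plain byte/string signatures. Encodings assumed: mov ebp,imm32 = BD id,
# cmp ax,imm16 = 3D iw, mov ax,imm16 = B8 iw, mov ah,imm8 = B4 ib,
# int n = CD ib, push imm32 = 68 id.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') BoundsChecker check", rb"\xBD\x4B\x48\x43\x42"),
    ("05", "mov ax,4Fh / int 41h", rb"\xB8\x4F\x00\xCD\x41"),
    ("05", "cmp ax,0F386h debugger magic number", rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h / int 68h", rb"\xB4\x43\xCD\x68"),
    ("11", "SoftICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah for VWIN32_Int41Dispatch",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key", rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def _show(raw):
    """Printable matches (driver names, registry keys) as text, code bytes as hex."""
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else raw.hex(" ")


def find_signatures(image):
    return [Hit(method, m.start(), f"{desc}: {_show(m.group(0))}")
            for method, desc, pattern in SIGNATURES
            for m in re.finditer(pattern, image)]


def _imm16s_after(region, opcode):
    """All 16-bit immediates that follow the given one-byte opcode in region."""
    return [region[i + 1] | (region[i + 2] << 8)
            for i in range(len(region) - 2) if region[i] == opcode]


def find_backdoor_calls(image, window=16):
    """Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) next to
    an int 3 (CC); the AX immediate set nearby names the back door function."""
    hits = []
    for m in re.finditer(rb"\xBE\x47\x46", image):
        region = image[max(0, m.start() - window):m.start() + window]
        if b"\xBF\x4D\x4A" not in region or b"\xCC" not in region:
            continue                      # SI magic alone (data, or a decoy)
        funcs = [ax for ax in _imm16s_after(region, 0xB8) if ax in BACKDOOR_FUNCS]
        if funcs:
            detail = f"int 3 back door, AX={funcs[-1]:04X}h ({BACKDOOR_FUNCS[funcs[-1]]})"
        else:
            detail = "int 3 back door, AX set outside the window"
        hits.append(Hit("02", m.start(), detail))
    return hits


def find_vxd_id_lookups(image, window=12):
    """Methods 03/04: mov ax,1684h (B8 84 16), mov bx,<VxD ID> (BB iw), int 2Fh (CD 2F)."""
    hits = []
    for m in re.finditer(rb"\xB8\x84\x16", image):
        region = image[max(0, m.start() - window):m.start() + window]
        if b"\xCD\x2F" not in region:
            continue
        for vxd in _imm16s_after(region, 0xBB):
            if vxd in VXD_IDS:
                method, name = VXD_IDS[vxd]
                hits.append(Hit(method, m.start(),
                                f"int 2Fh/1684h lookup of VxD ID {vxd:04X}h ({name})"))
    return hits


def scan(image):
    """All hits, ordered by offset."""
    hits = find_signatures(image) + find_backdoor_calls(image) + find_vxd_id_lookups(image)
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(image):
    return sorted({h.method for h in scan(image)})


# Constructed sample: one instance of several tricks plus a decoy, not a real binary.
SAMPLE_IMAGE = (
    b"\x90" * 8
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # Method 02: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 / add bx,2
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x08"
    # Method 12: push 4Fh / push 002A002Ah / call [VxDCall]
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"
    # Decoy: the SI magic value alone, with no DI magic and no int 3 nearby
    + b"\xBE\x47\x46" + b"\x90" * 20
    # Methods 11 / 13: driver and registry strings
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
)
```

Hits are heuristic in both directions: a 3D 86 F3 sitting in data is a false positive, and a packer that builds the magic values arithmetically or obtains the driver name by decrypting it at run time is a miss. On SAMPLE_IMAGE the decoy is rejected because neither BF 4D 4A nor CC lies within its window, and Method 07 never fires because no mov ah,43h / int 68h pair is present.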

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>