<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 -> real-mode interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler only copies al to cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; arbitrary value (timer port)
 xor cx,cx
 int 41h ; if SoftICE takes the int, our handler never runs
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
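The two DR7 values quoted above only make sense once the register's bit layout is known, so here is an added example (not code from the original page or its author) that decodes DR7 the way an analyst would when a ring-0 check of this kind is found. The bit positions are the documented x86 DR7 layout; the 0x700 and 0x400 reference values are the ones the text gives, and the third sample value is constructed to show an armed DR0.

```python
# Added example: decode the x86 DR7 register that method 10 reads.
# Bit layout (x86 architecture manual):
#   bits 0-7  : L0,G0 .. L3,G3  local/global enable of DR0..DR3
#   bit  8, 9 : LE, GE          "exact" breakpoint enable, set by debuggers
#   bit  10   : reserved, always reads as 1 (hence an idle DR7 is 0x400)
#   bit  13   : GD              general detect, traps any mov to/from DRn
#   bits 16+  : R/Wn (2 bits) and LENn (2 bits) per slot n, 4 bits per slot
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the global flags and the per-slot condition encoded in DR7."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "active_slots": [s["slot"] for s in slots if s["enabled"]],
        "slots": slots,
    }


def looks_like_debugger(dr7):
    """The heuristic method 10 describes: LE/GE set, or any DRn armed."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or bool(d["active_slots"])


def describe(dr7):
    """One-line human summary, handy when dumping DR7 from a kernel debugger."""
    d = decode_dr7(dr7)
    armed = ", ".join(
        f"DR{s['slot']}:{s['kind']}/{s['length']}B" for s in d["slots"] if s["enabled"]
    ) or "none"
    return f"DR7={dr7:#010x} LE={int(d['le'])} GE={int(d['ge'])} GD={int(d['gd'])} armed={armed}"


if __name__ == "__main__":
    # 0x700 / 0x400 are the values quoted on the page; 0xD0001 is a constructed
    # value with DR0 locally enabled as a 4-byte write watchpoint (a BPM).
    for value in (0x700, 0x400, 0xD0001):
        print(describe(value), "->", "debugger-like" if looks_like_debugger(value) else "clean")
```

The useful point for a defender reading such a check is that 0x700 differs from 0x400 only in LE and GE: no hardware breakpoint needs to be armed for the test to fire, which is why the text warns to clear breakpoints before exercising the option.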

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* open the SICE device; succeeds only when the VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
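Most of the idioms catalogued above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) leave fixed byte sequences or strings in the protected file, which makes them cheap to flag during static triage of a sample. Here is an added example, not code from the original page or its author: a small Python scanner that reports where such idioms occur in a buffer. The machine-code encodings are my own, derived from the listings (16-bit code assumed for the DOS idioms, 32-bit code for the Win32 ones); the sample buffer is constructed for the demonstration. Hits are triage leads, not proof: a different register choice or operand order defeats the byte patterns, and packed code has to be unpacked first.

```python
# Added example (not from the original page): static triage scanner for the
# SoftICE-detection idioms of methods 01-05, 07, 11, 12 and 13.
# Byte encodings assume 16-bit code for the DOS idioms and 32-bit code for
# the Win32 ones, matching the listings above.
import re

DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")


def _ansi_or_utf16(names):
    """Regex matching each device name either as ANSI or as UTF-16LE."""
    alts = []
    for n in names:
        alts.append(re.escape(n))
        alts.append(re.escape(n.decode("ascii").encode("utf-16-le")))
    return re.compile(b"|".join(alts))


SIGNATURES = (
    # M01: mov ebp,4243484Bh ('BCHK'); a 66h prefix appears in 16-bit code
    ("M01", "BoundsChecker 'BCHK' int 3 backdoor",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42", re.DOTALL)),
    # M02: mov si,4647h / mov di,4A4Dh magic values, either order, close together
    ("M02", "INT 3 backdoor magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # M03/M04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) shortly before int 2Fh
    ("M03/04", "INT 2Fh/1684h VxD entry-point query",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.DOTALL)),
    # M05: mov ax,4Fh / int 41h
    ("M05", "INT 41h/4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # M07: mov ah,43h / int 68h
    ("M07", "INT 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # M11: device names handed to CreateFileA / _lopen
    ("M11", "MeltICE device name", _ansi_or_utf16(DEVICE_NAMES)),
    # M12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("M12", "VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # M13: registry keys that reveal a SoftICE installation
    ("M13", "SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
)


def scan(buf):
    """Return [(tag, offset)] for every signature hit, sorted by offset."""
    hits = []
    for tag, _desc, pat in SIGNATURES:
        hits.extend((tag, m.start()) for m in pat.finditer(buf))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def report(buf):
    """Human-readable lines: offset, tag, description."""
    desc = {tag: d for tag, d, _ in SIGNATURES}
    return [f"{off:#08x}  {tag:<6} {desc[tag]}" for tag, off in scan(buf)]


# Constructed sample: fragments modelled on the listings above, back to back,
# plus one UTF-16LE device name as a Win32 program might carry it.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"              # M01 at 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # M02 at 18
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # M03/04 at 32
    + b"\xB8\x4F\x00\xCD\x41"                              # M05 at 37
    + b"\xB4\x43\xCD\x68"                                  # M07 at 42
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # M12 at 46
    + b"\\\\.\\SICE\x00"                                   # M11 at 53
    + b"Software\\NuMega\\SoftICE\x00"                     # M13 at 62
    + "\\\\.\\NTICE".encode("utf-16-le")                   # M11 at 86
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it on a file with `scan(open(path, "rb").read())`; the M11 and M13 string hits are the most robust of the set, the code-byte hits the most brittle, so read the surrounding disassembly before drawing conclusions.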

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>