About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if our IVT handler is reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random-ish value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl stays 0 if SoftICE swallowed int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Try to open the SoftICE (Win9x) device: the open only succeeds when the
   driver is loaded. The same check works with \\.\SIWVID and \\.\NTICE. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);          /* open succeeded: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
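As an added example (not part of the original post), a static triage scanner that looks through a raw code or data buffer for the byte encodings of the instruction pairs and strings the methods above rely on, so an analyst can tell at a glance which anti-SoftICE checks a sample carries; the SAMPLE buffer is constructed for the demonstration and the method numbers refer to the list above.

```python
import re

# Byte signatures for the anti-SoftICE tricks catalogued above: the x86
# encoding of the distinctive instruction pair or string each trick needs.
# An optional 0x66 operand-size prefix is allowed where a 16-bit mov may sit
# inside 32-bit code. A hit is a triage lead for the analyst, not proof.
SIGNATURES = [
    ("01", "int 3 with 'BCHK' BoundsChecker signature in ebp",
     rb"\xBD\x4B\x48\x43\x42"),                        # mov ebp,4243484Bh
    ("02", "int 3 back door with SI=4647h, DI=4A4Dh",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),          # mov si / mov di
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F"),
    ("05", "int 41h function 4Fh",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),                   # mov ax,4Fh / int 41h
    ("06", "in al,40h / xor cx,cx / int 41h variant",
     rb"\xE4\x40(?:\x33|\x31)\xC9\xCD\x41"),
    ("07", "int 68h function 43h",
     rb"\xB4\x43\xCD\x68"),                            # mov ah,43h / int 68h
    ("11", "MeltICE device name string",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),                # \\.\SICE etc.
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                # push 4Fh / push 2A002Ah
    ("13", "NuMega registry key string",
     rb"Software\\NuMega\\SoftICE"),
]

def scan(buf: bytes) -> dict:
    """Return {method_id: [offsets]} for every signature found in buf."""
    hits = {}
    for ident, _desc, pattern in SIGNATURES:
        offsets = [m.start() for m in re.finditer(pattern, buf)]
        if offsets:
            hits[ident] = offsets
    return hits

def report(buf: bytes) -> list:
    """One human-readable line per detected method, in method order."""
    desc = dict((i, d) for i, d, _ in SIGNATURES)
    return ["method %s at %s: %s" % (i, ", ".join("0x%X" % o for o in offs), desc[i])
            for i, offs in sorted(scan(buf).items())]

# Constructed sample (not taken from any real binary): a code fragment that
# chains several of the checks, followed by the strings the MeltICE-style
# and registry checks need.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"              # method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"              # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"      # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                         # method 11
    + b"Software\\NuMega\\SoftICE\x00"                           # method 13
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

A hit only says the encoding is present in the buffer; confirm it in a disassembler, since the same bytes can occur by chance in data or as part of other instructions.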