<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: int 3 is
issued with EBP='BCHK' and AX=4, and if SoftICE answers the request, AL no
longer holds 4 after the call.

        mov ebp, 04243484Bh     ; 'BCHK' signature
        mov ax, 04h
        int 3                   ; answered by SoftICE if it is loaded
        cmp al, 4               ; AL untouched -> nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
("Get Device API Entry Point"). If the VxD is installed, ES:DI receives its
API entry point; if it is not, ES:DI stays 0000:0000.

        xor di, di
        mov es, di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; both zero -> no such VxD
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh             ; "debugger installation check"
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before issuing int 41h they put a dummy
handler into the interrupt vector table (es is assumed to hold 0 here, as it
is set explicitly in Method 06), so that without a debugger the call simply
returns and ax is left unchanged:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in the dummy handler (offset)
        xchg bx, es:[41h*4+2]   ; (segment); dx:bx now hold the old vector
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
installed handler copies AL into CL, so CL equals AL after the call only if
nobody else (i.e. no debugger) intercepted int 41h.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; our handler did not run -> debugger present
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

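To make sense of the 0x700 and 0x400 values quoted above, here is an added Python decoder for DR7. It is not code from the original text: it splits the register into the fields documented by Intel, lists which of DR0-DR3 are armed and with what condition and length, and flags the LE/GE bits, which are exactly what distinguishes the two values in the text. The values other than 0x700 and 0x400 in the demonstration are constructed.

```python
from typing import Dict, List

# DR7 bit layout (Intel SDM, "Debug Registers"):
#   bit 2*i   : Li  local enable for DRi        bit 8  : LE  local exact
#   bit 2*i+1 : Gi  global enable for DRi       bit 9  : GE  global exact
#   bit 10    : reserved, always reads as 1     bit 13 : GD  general detect
#   bits 16+4*i..17+4*i : R/Wi  break condition for DRi
#   bits 18+4*i..19+4*i : LENi  size of the watched region for DRi
RW_MEANING = {0: "execute", 1: "write", 2: "io read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 is only defined in 64-bit mode


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its documented fields."""
    breakpoints: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "index": i,
            "local": local,
            "global": glob,
            "enabled": local or glob,
            "condition": RW_MEANING[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
        "enabled_breakpoints": [b["index"] for b in breakpoints if b["enabled"]],
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text gives dr7 == 0x700 when the program was started from the SoftICE
    loader and 0x400 otherwise; the difference is exactly the LE and GE bits,
    so test those bits rather than the whole value (armed BPMs add more bits)."""
    fields = decode_dr7(dr7)
    return fields["le"] and fields["ge"]


def describe_dr7(dr7: int) -> str:
    """One-line summary for a report (crash dump, VM introspection, ...)."""
    f = decode_dr7(dr7)
    parts = ["DR7=%08X" % dr7]
    if looks_like_softice_loader(dr7):
        parts.append("LE+GE set (SoftICE loader pattern)")
    if f["gd"]:
        parts.append("GD set (debug-register access trapped)")
    for b in f["breakpoints"]:
        if b["enabled"]:
            scope = "global" if b["global"] else "local"
            parts.append("DR%d armed: %s %s, %d byte(s)"
                         % (b["index"], scope, b["condition"], b["length"]))
    if not f["enabled_breakpoints"]:
        parts.append("no hardware breakpoints armed")
    return "; ".join(parts)


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in Method 10; the others are constructed:
    # DR0 local read/write 4 bytes, and DR1 global write 2 bytes.
    for value in (0x700, 0x400, 0x000F0401, 0x00500408):
        print(describe_dr7(value))
```

Reading DR7 this way is also how a debugger author checks whether a program under test has tampered with its own hardware breakpoints, which is the second half of what Method 10 describes.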
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the device exists: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

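The idioms of Methods 01 to 05, 07, 08 and 12 have fixed byte encodings, so an analyst triaging a sample can flag them statically instead of waiting for a breakpoint to fire. The following Python scanner is an added example, not code from the original text or from any tool it mentions: it encodes those idioms as byte-pattern signatures (assuming 16-bit code for the DOS-era tricks and 32-bit code for Method 12, with an optional 66h prefix tolerated), names the back-door function from the table in Method 02 when it finds one, and runs over a constructed buffer that contains an assembled copy of the Haspinst.exe loop. The sample bytes, the allowed gaps between instructions and the Hit format are assumptions of this example.

```python
import re
from typing import Callable, List, NamedTuple


class Hit(NamedTuple):
    offset: int     # offset of the first byte of the matched idiom
    method: str     # method number as used in the text above
    detail: str


# SoftICE INT 3 "back door" functions (AX values), from the table in Method 02.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}
VXD_IDS = {b"\x02\x02": "0202h (SICE)", b"\x5F\x7A": "7A5Fh (SIWVID)"}

# Each entry: (method, compiled byte regex, function turning a match into text).
# The ".{0,N}?" gaps allow a few unrelated instructions between the key ones
# (e.g. "mov dx,[bx]" in the Haspinst.exe listing, or Stone's xchg pairs).
# These are triage heuristics: Method 08 in particular also matches any DOS
# program that legitimately installs an int 01h/03h handler.
SIGNATURES = [
    ("01", re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL),
     lambda m: "INT 3 with EBP='BCHK', AX=4 (BoundsChecker interface probe)"),
    ("02", re.compile(rb"\xB8([\x10-\x14])\x09.{0,16}?"
                      rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                      rb".{0,8}?\xCC", re.DOTALL),
     lambda m: "INT 3 back door, AX=%04Xh: %s" % (
         0x0900 | m.group(1)[0], BACKDOOR_FUNCS[0x0900 | m.group(1)[0]])),
    ("03/04", re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
     lambda m: "INT 2Fh/1684h entry-point lookup for VxD ID " + VXD_IDS[m.group(1)]),
    ("05", re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3", re.DOTALL),
     lambda m: "INT 41h/4Fh, result compared with magic 0F386h"),
    ("07", re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL),
     lambda m: "INT 68h/43h (V86 WinICE handler), result compared with 0F386h"),
    ("08", re.compile(rb"(?:\xB4\x25.{0,4}?\xB0([\x01\x03])|\xB8([\x01\x03])\x25).{0,8}?\xCD\x21", re.DOTALL),
     lambda m: "INT 21h/25h rewrites the INT %02Xh vector" % (m.group(1) or m.group(2))[0]),
    ("12", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66?\x3D\x86\xF3", re.DOTALL),
     lambda m: "VxDCall VWIN32_Int41Dispatch(4Fh), result compared with 0F386h"),
]


def scan_softice_tricks(buf: bytes) -> List[Hit]:
    """Return every anti-SoftICE idiom found in buf, ordered by offset."""
    hits = [Hit(m.start(), method, describe(m))
            for method, pattern, describe in SIGNATURES
            for m in pattern.finditer(buf)]
    return sorted(hits)


# Constructed sample: NOP padding, the Method 01 probe, the Haspinst.exe
# back-door loop (assembled from the listing in Method 02) and a Method 05 check.
SAMPLE = (
    b"\x90\x90"                          # 0x00: filler
    + b"\x66\xBD\x4B\x48\x43\x42"        # 0x02: mov ebp, 'BCHK'
    + b"\xB8\x04\x00\xCC"                # 0x08: mov ax, 4 / int 3
    + b"\x3C\x04\x75\x10"                # 0x0C: cmp al, 4 / jnz
    + b"\x90\x90\x90"                    # 0x10: filler
    + b"\xB8\x11\x09\x8B\x17"            # 0x13: mov ax, 0911h / mov dx, [bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # 0x18: mov si, 4647h / mov di, 4A4Dh / int 3
    + b"\x83\xC3\x02\x90"                # 0x1F: add bx, 2 / filler
    + b"\xB8\x4F\x00\xCD\x41"            # 0x23: mov ax, 4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x05"            # 0x28: cmp ax, 0F386h / jz
)

if __name__ == "__main__":
    for h in scan_softice_tricks(SAMPLE):
        print("0x%06X  method %-5s  %s" % (h.offset, h.method, h.detail))
```

A production scanner would run this over each code section of a PE or MZ image rather than the whole file, and would treat a hit as a reason to look closer, not as proof by itself: the same bytes can occur in a legitimate debugger-aware program.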
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

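Methods 11 and 13 both depend on fixed strings (the \\.\SICE family of device names and the registry key paths), and those strings survive in a binary however the surrounding code is arranged. The following Python is an added example, not code from the original text or from MeltICE: it extracts printable ASCII and UTF-16LE runs from a buffer, the two encodings a Win32 program would store such names in, and reports every run that names one of the SoftICE artefacts listed in the two methods. The sample buffer, the minimum run length of 4 and the StringHit format are assumptions of this example.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple


class StringHit(NamedTuple):
    offset: int
    encoding: str     # "ascii" or "utf-16le"
    text: str
    indicator: str    # which SoftICE artefact the string names


# Artefacts from Methods 11 and 13: driver device names opened by MeltICE-style
# checks, and the registry keys that betray an installation. Matching is
# case-insensitive because Win32 device paths and registry keys are.
INDICATORS = {
    r"\\.\SICE": "SoftICE Win9x driver device (Method 11)",
    r"\\.\SIWVID": "SoftICE Win9x video driver device (Method 11)",
    r"\\.\NTICE": "SoftICE WinNT driver device (Method 11)",
    r"Software\NuMega\SoftICE": "registry key #2 (Method 13)",
    r"CurrentVersion\Uninstall\SoftICE": "registry key #1 (Method 13)",
    r"App Paths\Loader32.Exe": "registry key #3 (Method 13)",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable ASCII bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # the same stored as UTF-16LE


def extract_strings(buf: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run, ASCII runs first."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_softice_indicators(buf: bytes) -> List[StringHit]:
    """Report every extracted string that contains one of the known artefacts."""
    hits = []
    for offset, enc, text in extract_strings(buf):
        lowered = text.lower()
        for needle, meaning in INDICATORS.items():
            if needle.lower() in lowered:
                hits.append(StringHit(offset, enc, text, meaning))
    return sorted(hits)


# Constructed sample: a fake image header, the device name spelled as in the
# MeltICE snippet, a UTF-16LE copy of registry key #2 and some unrelated text.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + "Software\\NuMega\\SoftICE".encode("utf-16le") + b"\x00\x00"
    + b"some unrelated text\x00"
)

if __name__ == "__main__":
    for h in find_softice_indicators(SAMPLE):
        print("0x%06X %-8s %-28s %s" % (h.offset, h.encoding, h.text, h.indicator))
```

The UTF-16LE pass matters for Win32 code compiled with wide strings (CreateFileW, RegOpenKeyExW): an ASCII-only strings tool misses those entirely, which is the usual reason a MeltICE-style check goes unnoticed in a first look at a sample.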
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>