<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE answers to:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4               ; without SoftICE, int 3 returns with al unchanged
    jnz SoftICE_Detected   ; al modified by SoftICE's BoundsChecker interface

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095  MOV AX,0911      ; execute command.
    4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A  MOV SI,4647      ; 1st magic value.
    4C19:009D  MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4  INC CX
    4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB 0095          ; 6 different commands.
    4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(the 'Get API entry point' function):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax             ; ES:DI stays 0 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh             ; 'Debugger installation check'
    int 41h
    cmp ax, 0F386h         ; a system debugger answers with 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler in the IVT
    xchg bx, es:[41h*4+2]  ; (ES must point to segment 0, as in method 06)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our handler copies AL into CL and returns
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h             ; read the PIT counter: an unpredictable value in AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; CL == AL only if the call reached our handler
    jnz SoftICE_detected


_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS 'set interrupt vector'
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
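As an added illustration (my own code, not part of the original text), the
following Python decodes a DR7 value into the fields behind the two readings
quoted above: bit 10 is a reserved bit that always reads as 1 (that is the
0x400), bits 8 and 9 are the LE/GE exact-breakpoint enables (0x700 is 0x400
plus both of them), and the low byte together with bits 16-31 says which of
dr0-dr3 is armed, on what kind of access and for how many bytes. It is what you
would use when reading the registers back from a dump or a VM rather than from
ring0 on a live box; the function and table names are mine.

```python
# Added example (not from the original text): decode an x86 DR7 value into
# the fields behind the 0x700 / 0x400 readings quoted above.  Function and
# table names are my own.

# R/W field of breakpoint n lives at bits 16+4n..17+4n
DR7_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field of breakpoint n lives at bits 18+4n..19+4n (8 bytes is 64-bit only)
DR7_LEN = {0: 1, 1: 2, 2: 8, 3: 4}
# bit 10 is reserved and always reads as 1: that is the 0x400 baseline
DR7_RESERVED_BIT10 = 0x400


def decode_dr7(dr7):
    """Return LE/GE, the reserved bit and the armed breakpoints of a DR7 value."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # Ln enable bit
        glob = (dr7 >> (2 * i + 1)) & 1      # Gn enable bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "index": i,
            "local": bool(local),
            "global": bool(glob),
            "type": DR7_RW[rw],
            "length": DR7_LEN[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),          # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),          # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & DR7_RESERVED_BIT10),
        "breakpoints": breakpoints,
    }


def describe_dr7(dr7):
    """One-line summary, naming the two readings given in the text."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ", ".join(
            "dr%d (%s, %d byte%s)" % (b["index"], b["type"], b["length"],
                                     "" if b["length"] == 1 else "s")
            for b in d["breakpoints"])
        return "hardware breakpoints armed: " + armed
    if d["LE"] and d["GE"]:
        return "no breakpoints, LE/GE set (the 0x700 reading for the SoftICE loader)"
    return "no breakpoints, only the reserved bit (the 0x400 baseline)"


if __name__ == "__main__":
    # 0xF0401: dr0 enabled locally, read/write, 4 bytes (a typical BPM)
    for value in (0x400, 0x700, 0xF0401):
        print("dr7=%#07x: %s" % (value, describe_dr7(value)))
```

Reading the breakpoint fields, not just comparing dr7 against two constants, is
what tells you whether a BPM is actually set, which is the second half of the
trick described above.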


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025      ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001       ; INVALID_HANDLE_VALUE?
    00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


__________________________________________________________________________


Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________


Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
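As an added example (my own analyst's tool, not from the original text and not
anything shipped with SoftICE), here is a small Python scanner that looks for the
byte-level fingerprints of the tricks listed in methods 01 to 13 inside a file
image: the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method
02, the int 2Fh/1684h VxD-ID probes of methods 03 and 04, the int 41h/4Fh and
int 68h/43h calls of methods 05 and 07, the \\.\SICE-style device names of
method 11, the 2A002Ah VxDCall argument of method 12 and the NuMega registry key
of method 13. The instruction encodings are the standard 16-bit ones for the
DOS snippets and 32-bit ones for the Win32 snippets; the sample buffer at the
end is constructed by hand to exercise the scanner and is not a real program.

```python
import re

# Added example: byte signatures for the SoftICE checks listed in methods
# 01-13.  Encodings: 16-bit for the DOS snippets (mov ax,imm16 = B8 iw,
# mov bx,imm16 = BB iw, mov si = BE iw, mov di = BF iw, int n = CD n) and
# 32-bit for the Win32 ones (mov ebp,imm32 = BD id, push imm32 = 68 id).
# The "{0,n}?" gaps allow a few unrelated instructions between the markers.
SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "m01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (back door magic values)
    "m02_backdoor_magic": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "m03_m04_int2f_vxd_id":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # method 05: mov ax,4Fh ; int 41h
    "m05_int41_4f": rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    # method 07: mov ah,43h ; int 68h
    "m07_int68_43": rb"\xB4\x43.{0,8}?\xCD\x68",
    # method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names (NUL-terminated)
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # method 12: push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "m12_vxdcall_int41dispatch": rb"\x68\x2A\x00\x2A\x00",
    # method 13: the registry key most programs look up
    "m13_numega_registry_key": rb"Software\\NuMega\\SoftICE",
}

COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image):
    """Return a sorted list of (offset, signature_name) hits found in image."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Run scan() over a file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: a few of the snippets from the text assembled by hand,
# with filler around them.  Not a real program.
SAMPLE = (
    b"\x90" * 4
    # method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # method 03 (16-bit): mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # method 11: device name string
    + b"\\\\.\\SICE\x00"
    # method 12 (32-bit): push 4Fh / push 2A002Ah
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"
    + b"\xC3"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

A hit is a lead to follow in the disassembler, not proof: packed or
self-modifying code will not show these bytes in the clear, and the gap
lengths are a guess at how much an author reorders the instructions.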



Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed       ; zero flag set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>