<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It uses the
BoundsChecker back door recognised by SoftICE: with the signature 'BCHK' in
EBP and AX=4, an INT 3 is answered by SoftICE and AL comes back changed;
if AL is still 4 after the INT 3, nobody answered.

    mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h
    int 3
    cmp al, 4               ; AL unchanged -> no SoftICE answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands. It is also used to crash SoftICE or to force it to
execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/AX=1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back 0:0.

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0 -> VxD not present
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0 -> VxD not present
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the int 41h debugger interface. It calls
int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh             ; debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic value returned by system debuggers
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy IRET handler is swapped into the
int 41h vector first, so the call is harmless when no debugger is present;
if SoftICE is loaded it still answers with 0F386h:

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (not shown in
                            ; the original listing; required for es:[...])
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old offset in DX
    xchg bx, es:[41h*4+2]   ; ... and the old segment in BX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but more difficult to detect,
because it never uses function 4Fh (so a 'BPINT 41 if ax==4f' will not catch
it). It installs its own int 41h handler, which copies AL into CL, loads AL
with a byte read from the timer port (so that AL is rarely 0), clears CX and
calls int 41h. If our handler ran, CL equals AL; if SoftICE took the
interrupt instead, CL is still 0 (a false negative is possible when the
timer byte happens to be 0).

int41handler PROC
    mov cl, al              ; proof that our handler was reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer channel 0 -> an arbitrary byte in AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h             ; installation check
    int 68h
    cmp ax, 0F386h          ; magic value returned by system debuggers
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit application like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system: it
intercepts int 01h and int 03h and redirects them to another routine. It
calls int 21h functions 25h (set interrupt vector) and 35h (get interrupt
vector); ds:dx points to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 application using
VxDCall). The Get_DDB service determines whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3), simply by reading their values. The values
can be manipulated or changed as well (clearing BPMs, for instance).

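A decoder for the DR7 values quoted above, added here as an illustration
(it is not code from the original text). The bit layout is the one in the
Intel manuals: 0x400 is nothing but bit 10, which is reserved and always
reads as 1, so no breakpoint is armed; 0x700 additionally has the LE and GE
"exact breakpoint" bits set. That the SoftICE loader is what sets those two
bits is the text's observation, not something this code verifies; the
dr7_looks_like_softice_loader() heuristic merely encodes it, and the third
sample value (a 4-byte read/write breakpoint armed in DR0) is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * DR7 layout (Intel SDM, "Debug Registers"):
 *   bit 2n     Ln   local enable for DRn  (n = 0..3)
 *   bit 2n+1   Gn   global enable for DRn
 *   bit 8      LE   local exact breakpoint enable
 *   bit 9      GE   global exact breakpoint enable
 *   bit 10     reserved, always reads as 1  (hence the idle value 0x400)
 *   bits 16+4n..17+4n  R/Wn  00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4n..19+4n  LENn  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (x86-64)
 */
int dr7_local_enabled(uint32_t dr7, int n)  { return (dr7 >> (2 * n)) & 1; }
int dr7_global_enabled(uint32_t dr7, int n) { return (dr7 >> (2 * n + 1)) & 1; }
int dr7_le(uint32_t dr7)                    { return (dr7 >> 8) & 1; }
int dr7_ge(uint32_t dr7)                    { return (dr7 >> 9) & 1; }
int dr7_rw(uint32_t dr7, int n)             { return (dr7 >> (16 + 4 * n)) & 3; }

/* LENn field translated to a byte count. */
int dr7_len_bytes(uint32_t dr7, int n)
{
    static const int bytes[4] = { 1, 2, 8, 4 };
    return bytes[(dr7 >> (18 + 4 * n)) & 3];
}

/* How many of DR0..DR3 are armed (locally or globally)?  This is the
 * "are there memory breakpoints set" check described in the text. */
int dr7_armed_count(uint32_t dr7)
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        if (dr7_local_enabled(dr7, n) || dr7_global_enabled(dr7, n))
            count++;
    return count;
}

/* Heuristic only (an assumption taken from the text's 0x700 vs 0x400
 * observation, not a documented SoftICE property): LE and GE both set. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return dr7_le(dr7) && dr7_ge(dr7);
}

static const char *rw_name(int rw)
{
    static const char *names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

void dr7_dump(uint32_t dr7)
{
    int n;
    printf("DR7 = 0x%08x: LE=%d GE=%d armed=%d%s\n", dr7, dr7_le(dr7),
           dr7_ge(dr7), dr7_armed_count(dr7),
           dr7_looks_like_softice_loader(dr7) ? " (loader pattern)" : "");
    for (n = 0; n < 4; n++)
        if (dr7_local_enabled(dr7, n) || dr7_global_enabled(dr7, n))
            printf("  DR%d: %s, %d byte(s), %s\n", n, rw_name(dr7_rw(dr7, n)),
                   dr7_len_bytes(dr7, n),
                   dr7_global_enabled(dr7, n) ? "global" : "local");
}

int main(void)
{
    /* Constructed samples: the two values from the text, plus one with a
     * 4-byte read/write breakpoint armed (locally) in DR0. */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0401 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_dump(samples[i]);
    return 0;
}
```

Reading DR7 needs ring 0 (MOV from a debug register faults in ring 3), so the
decoder is meant to be fed values obtained from a driver or a debugger; the
point it makes is that 0x400 carries no information at all, while any bit
below bit 8 means a hardware breakpoint slot is live.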
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        /* "\\.\SICE" is the device name of the SoftICE VxD */
        hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;        /* the driver answered: SoftICE is loaded */
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There are many BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the INC EAX followed by a zero test):

    push 00                         ; OF_READ
    mov eax,[00656634]              ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                         ; -1 -> 0 when the open failed
    jnz 00650589                    ; detected
    push 00                         ; OF_READ
    mov eax,[00656638]              ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                     ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies the VxD (VWIN32),
                            ; low word specifies the service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets at which
 'tICE' falls in keys #2 and #1 respectively, so key #3 is not caught by
 this condition)
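The CreateFileA breakpoint in Method 11 and the _regopenkey breakpoint above
both boil down to the same test: fetch the dword at a fixed offset into a
string argument and compare it with a 4-character literal. The following C
program, added here as an illustration and not part of the original text,
re-implements both conditions over the device names and registry keys listed
on this page and shows how offsets like 0x13 and 0x37 are derived. The
function names are mine and the inputs are constructed from the names in the
text; one ordinary file name is included as a negative control.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * A SoftICE condition such as  *(esp->4+4)=='SICE'  fetches a dword from
 * (argument + offset) and compares it with a 4-character literal.  This is
 * the same test on a C string.  Unlike SoftICE, which would read past a
 * short string into whatever follows it in memory, "not enough bytes" is
 * treated here as "no match".
 */
static int dword_at_matches(const char *s, size_t off, const char tag[4])
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Mirror of the CreateFileA breakpoint:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips the "\\.\" prefix. */
int createfile_bp_fires(const char *lpFileName)
{
    return dword_at_matches(lpFileName, 4, "SICE")
        || dword_at_matches(lpFileName, 4, "SIWV")
        || dword_at_matches(lpFileName, 4, "NTIC");
}

/* Mirror of the RegOpenKey breakpoint:
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey, relative to HKEY_LOCAL_MACHINE). */
int regopenkey_bp_fires(const char *lpSubKey)
{
    return dword_at_matches(lpSubKey, 0x13, "tICE")
        || dword_at_matches(lpSubKey, 0x37, "tICE");
}

/* Offset of the first occurrence of 'marker' in 's', or -1 if absent.  This
 * is how constants such as 0x13 and 0x37 are derived before writing the
 * breakpoint condition. */
long marker_offset(const char *s, const char *marker)
{
    const char *p = strstr(s, marker);
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* Constructed inputs: the device names and registry keys named in the
     * text, plus one ordinary file name as a negative control. */
    const char *names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\readme.txt",
    };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\"): %s\n", names[i],
               createfile_bp_fires(names[i]) ? "BREAK" : "pass");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\"): %s ('tICE' at offset %ld)\n", keys[i],
               regopenkey_bp_fires(keys[i]) ? "BREAK" : "pass",
               marker_offset(keys[i], "tICE"));
    return 0;
}
```

Two practical points fall out of running it: a fixed-offset condition is
only as good as the offset table you built it from (key #3 never fires,
and an application that opens "\\.\SIWVID" through a different prefix would
slip past the CreateFileA condition), and SoftICE's dword fetch has no
bounds check, so a short argument string is compared against whatever bytes
happen to follow it.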
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only):

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>