<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: when SoftICE is loaded
it services the 'BCHK' request made on INT 3 and modifies AL, so AL still
being 4 afterwards means no SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It goes
through the SoftICE 'back door' interface on int 3, which returns
information on breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/AX=1684h
(Get Device API Entry Point). ES:DI is zeroed first; if the VxD is not
loaded, the call leaves it at 0000:0000.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next listing, as well as method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first installs its own
(empty) int 41h handler in the interrupt vector table, so that AX stays
4Fh unless a debugger sitting underneath answers the call:

    xor ax,ax
    mov es,ax               ; ES = 0000h (the interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install int41handler2, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to detect: the
handler installed on int 41h copies AL into CL, AL is loaded with an
ever-changing byte read from the timer port (40h) and CX is cleared before
the int 41h. If CL differs from AL afterwards, the program's own handler
never ran: something else (SoftICE) took the interrupt. Since AX does not
hold 4Fh here, a 'BPINT 41 if ax==4f' will not see it.

int41handler PROC
    mov cl,al               ; only executed if our handler gets control
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0000h (the interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install int41handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter 0: a byte that changes all the time
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system: the
program intercepts int 01h and int 03h and redirects them to a routine of
its own. It calls int 21h functions 25h and 35h (set/get interrupt vector)
with ds:dx pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
1 z* s$ Y$ S! U# c; ?9 s
Method 09) E# s8 `( a5 w
=========) v. g1 G: t x2 E# r8 f, r# o0 w! u/ J
c6 m/ ~, O1 Q+ C6 f2 Y& h
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only; V( L- T$ |0 u& _
performed in ring0 (VxD or a ring3 app using the VxdCall).
% n: W( \' c5 Z/ \- L q- d {The Get_DDB service is used to determine whether or not a VxD is installed4 A% N3 [9 I4 E. y
for the specified device and returns a Device Description Block (in ecx) for
0 r8 l z8 v% O" _# t" i1 bthat device if it is installed.5 F# _9 S1 }7 p4 @
" B6 W/ H, k; w9 F mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 I9 x* b& f' ]) {& j+ j mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! p o: }1 d# t7 A" | VMMCall Get_DDB& S) C" G2 A% q
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed. S, i* f# E& i! W1 A0 v
1 M& g! I0 ?$ z
Note as well that you can easily detect this method with SoftICE: S- d( r d! O1 C# N
bpx Get_DDB if ax==0202 || ax==7a5fh
+ p' ?0 n! d, v5 B+ n, |" e0 L' n' t( x K6 B( \0 D( Y( A( W! G
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers (in ring0
only), you can detect whether SoftICE is loaded (DR7=0x700 if you loaded
the program with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3), simply by reading their values. The
values can be modified as well (clearing BPMs, for instance).

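The DR7 readings quoted above can be decoded bit by bit. The following C is
an added example, not part of the original text: it takes a DR7 value (which
you would have to read from ring0, since MOV from DRn is privileged) and
reports LE/GE/GD and which of DR0..DR3 are armed, with what access type and
length. The bit layout is the documented one (Ln/Gn in bits 0-7, LE bit 8,
GE bit 9, reserved bit 10 always reading 1, GD bit 13, R/Wn and LENn in bits
16+4n and 18+4n); the sample values are constructed for the demonstration.

```c
#include "stdint.h"
#include "stdio.h"

/* Added example, not from the original article. DR7 layout (Intel SDM):
 * bits 0-7 L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per slot),
 * bit 8 LE, bit 9 GE, bit 10 reserved (always reads 1 -> the 0x400 baseline),
 * bit 13 GD, bits 16+4n..17+4n R/Wn, bits 18+4n..19+4n LENn.
 * User mode cannot read DR7 at all; the values below are constructed. */

static const int LEN_BYTES[4] = {1, 2, 8, 4};    /* LENn encodings 00,01,10,11 */

int dr7_slot_enabled(uint32_t dr7, int n)        /* Ln or Gn set for DRn */
{
    return ((dr7 >> (2 * n)) & 3) != 0;
}

int dr7_slot_rw(uint32_t dr7, int n)             /* 0 exec, 1 write, 2 I/O, 3 read/write */
{
    return (int)((dr7 >> (16 + 4 * n)) & 3);
}

int dr7_slot_len(uint32_t dr7, int n)            /* watched length in bytes */
{
    return LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3];
}

int dr7_active_bpm_count(uint32_t dr7)           /* how many of DR0..DR3 are armed */
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        count += dr7_slot_enabled(dr7, n);
    return count;
}

int dr7_le_ge_set(uint32_t dr7)                  /* both LE and GE: 0x400 becomes 0x700 */
{
    return (dr7 & 0x300) == 0x300;
}

int dr7_gd_set(uint32_t dr7)                     /* GD: any MOV to/from DRn raises #DB */
{
    return (int)((dr7 >> 13) & 1);
}

void dr7_report(uint32_t dr7)
{
    static const char *rw_name[4] = {"exec", "write", "io", "read/write"};
    int n;
    printf("DR7=%08lx LE=%d GE=%d GD=%d armed=%d\n", (unsigned long)dr7,
           (int)((dr7 >> 8) & 1), (int)((dr7 >> 9) & 1),
           dr7_gd_set(dr7), dr7_active_bpm_count(dr7));
    for (n = 0; n < 4; n++)
        if (dr7_slot_enabled(dr7, n))
            printf("  DR%d armed: %s, %d byte(s)\n", n,
                   rw_name[dr7_slot_rw(dr7, n)], dr7_slot_len(dr7, n));
}

int main(void)
{
    /* constructed: the two readings from the text, then a DR7 with one
       4-byte write breakpoint armed in slot 0 (what a BPM looks like) */
    uint32_t samples[3] = {0x400, 0x700, 0x000D0401};
    int i;
    for (i = 0; i < 3; i++)
        dr7_report(samples[i]);
    return 0;
}
```

So 0x400 is an idle DR7 (only the reserved bit), 0x700 adds the LE and GE
exact-breakpoint flags, and any enabled slot in bits 0-7 means a hardware
breakpoint (a SoftICE BPM) is armed, whatever DR0..DR3 themselves contain.
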
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. The open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include "windows.h"

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, the request goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the
VxDCall function), and then walks the DDB list until it finds the VxD and
its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag, which allows
the handle to be opened, and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so the
next four bytes are compared with the driver name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (002Ah = VWIN32),
                            ; low word which service (002Ah = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow

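The BPX conditions listed under methods 11 and 12 catch these checks at run
time; the same signatures can be looked for statically in a file. The C
below is an added example, not code from the original article nor from any
of the programs it cites: a small byte-pattern scanner for methods 01, 02,
05, 11 and 12 above. The opcode encodings are hand-assembled assumptions
about how the listings above are laid out (a real sample may use other
registers or a 66h operand-size prefix), and the buffer it scans is
constructed here, not taken from a real binary.

```c
#include "stdint.h"
#include "stddef.h"
#include "string.h"
#include "stdio.h"

/*
 * Added example, not from the original article. Signatures (assumed
 * encodings, hand-assembled from the listings in the text):
 *   M01  mov ebp,4243484Bh            BD 4B 48 43 42     (32-bit code)
 *   M02  mov si,4647h / mov di,4A4Dh  BE 47 46 BF 4D 4A  (16-bit code)
 *   M05  mov ax,4Fh / int 41h         B8 4F 00 CD 41     (16-bit code)
 *   M11  the device names MeltICE passes to CreateFileA / _lopen
 *   M12  push 002A002Ah               68 2A 00 2A 00     (32-bit code)
 * A miss only means "not this exact byte sequence".
 */
typedef struct {
    const char    *id;      /* method number from the article */
    const char    *what;
    const uint8_t *pat;
    size_t         len;
} sig_t;

#define SIG(id, what, s) { id, what, (const uint8_t *)(s), sizeof(s) - 1 }

static const sig_t SIGS[] = {
    SIG("M01", "BoundsChecker 'BCHK' int 3 check", "\xBD\x4B\x48\x43\x42"),
    SIG("M02", "int 3 backdoor magic SI/DI",       "\xBE\x47\x46\xBF\x4D\x4A"),
    SIG("M05", "int 41h function 4Fh",             "\xB8\x4F\x00\xCD\x41"),
    SIG("M11", "MeltICE \\\\.\\SICE",              "\\\\.\\SICE"),
    SIG("M11", "MeltICE \\\\.\\SIWVID",            "\\\\.\\SIWVID"),
    SIG("M11", "MeltICE \\\\.\\NTICE",             "\\\\.\\NTICE"),
    SIG("M12", "VxDCall VWIN32_Int41Dispatch",     "\x68\x2A\x00\x2A\x00"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of the first occurrence of pat in buf, or -1 (plain byte search). */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || plen > len)
        return -1;
    for (i = 0; len - i >= plen; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Number of distinct signatures present in buf. */
int scan_count(const uint8_t *buf, size_t len)
{
    size_t s;
    int hits = 0;
    for (s = 0; s < NSIGS; s++)
        if (find_pattern(buf, len, SIGS[s].pat, SIGS[s].len) >= 0)
            hits++;
    return hits;
}

/* 1 if any signature belonging to method id (e.g. "M11") is present. */
int scan_has(const uint8_t *buf, size_t len, const char *id)
{
    size_t s;
    for (s = 0; s < NSIGS; s++)
        if (strcmp(SIGS[s].id, id) == 0 &&
            find_pattern(buf, len, SIGS[s].pat, SIGS[s].len) >= 0)
            return 1;
    return 0;
}

/* Constructed sample (not a real binary): two NOPs, then a simplified
   Haspinst-style 16-bit MOV AX,0911h / MOV SI,4647h / MOV DI,4A4Dh / INT 3,
   then the Bleem-style 32-bit PUSH 4Fh / PUSH 2A002Ah / CALL, then the
   MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,               /* mov ax, 0911h */
    0xBE, 0x47, 0x46,               /* mov si, 4647h */
    0xBF, 0x4D, 0x4A,               /* mov di, 4A4Dh */
    0xCC,                           /* int 3         */
    0x6A, 0x4F,                     /* push 4Fh      */
    0x68, 0x2A, 0x00, 0x2A, 0x00,   /* push 2A002Ah  */
    0xE8, 0x00, 0x00, 0x00, 0x00,   /* call rel32    */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};

int main(void)
{
    size_t s;
    for (s = 0; s < NSIGS; s++) {
        long off = find_pattern(SAMPLE, sizeof SAMPLE, SIGS[s].pat, SIGS[s].len);
        if (off >= 0)
            printf("%s at offset %ld: %s\n", SIGS[s].id, off, SIGS[s].what);
    }
    printf("%d signature(s) found\n", scan_count(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

On the constructed sample this reports methods 02, 11 and 12; the M11 string
match is exactly what the 'BPX CreateFileA if *(esp->4+4)==...' condition
checks, applied to the file's data instead of the argument on the stack.
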
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
A few programs use it, by accessing the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>