<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es is assumed to hold 0 (the IVT segment)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
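Added example, not part of the original text: a small Python decoder for DR7 that shows what the 0x700 and 0x400 values above actually contain (bit 10 is a reserved bit that always reads as 1, and 0x700 adds the LE/GE exact-breakpoint enables) and which of DR0..DR3 a BPM has armed. The bit layout is the one documented in the Intel SDM; the sample breakpoint value is constructed here.

```python
# x86 DR7 field layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0,2,4,6  L0..L3   local enable for DR0..DR3
#   bits 1,3,5,7  G0..G3   global enable for DR0..DR3
#   bit 8  LE, bit 9  GE   local/global "exact" breakpoint enables
#   bit 10 reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13 GD              general detect: trap any MOV to/from DRn
#   bits 16+4n/17+4n R/Wn, bits 18+4n/19+4n LENn for breakpoint n
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 means 8 only in 64-bit mode

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enable flags and the armed hardware breakpoints."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"index": n, "local": local, "global": glob,
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "le": bool(dr7 & 0x100),
            "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000)}

def looks_like_softice_loader(dr7: int) -> bool:
    """The heuristic the text describes: 0x700 (LE|GE on top of the reserved
    bit 10) versus the bare 0x400 of a process started without the loader."""
    return (dr7 & 0x700) == 0x700

def active_bpm(dr7: int) -> list:
    """Indices of DR0..DR3 that are armed, i.e. what a SoftICE BPM shows up as."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"]]

# Constructed value (not from the text): loader-style 0x700 plus a global
# 4-byte write breakpoint programmed into DR0 (G0=1, R/W0=01, LEN0=11).
SAMPLE_DR7_WITH_BPM = 0x700 | 0x2 | (0b01 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7_WITH_BPM):
        print(hex(value), looks_like_softice_loader(value), decode_dr7(value))
```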

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name is \\.\SICE; the doubled backslashes are C escapes */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

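The checks from Methods 01, 02, 03/04, 05, 07, 11 and 13 all leave fixed byte patterns in a binary: the magic immediates, the int 41h / cmp ax,0F386h pair, the \\.\SICE device names and the registry key names. The following Python scanner is an added example, not part of the original text, that looks for those patterns in a file image so an analyst can spot the tricks statically; the sample buffer is constructed here and the byte encodings assume plain 16-bit or 32-bit x86 code.

```python
import re

# Each entry: short name -> regex over raw bytes. Immediates are little-endian;
# the optional 66h prefix covers 16-bit operands inside 32-bit code. Gaps of
# up to 16 bytes allow for the register moves the listings put in between.
ANTI_SOFTICE_PATTERNS = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker BCHK + int 3": rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door commands)
    "M02 int 3 back door SI=4647h/DI=4A4Dh":
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A.{0,16}?\xCC",
    # Methods 03/04: mov ax,1684h ... int 2Fh (Get VxD API entry point)
    "M03/04 int 2Fh/1684h VxD lookup": rb"\x66?\xB8\x84\x16.{0,16}?\xCD\x2F",
    # Method 05: int 41h ... cmp ax,0F386h (system debugger magic number)
    "M05 int 41h + cmp ax,0F386h": rb"\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11: device names MeltICE opens with CreateFileA / _lopen
    "M11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: registry keys giving away the installation directory
    "M13 SoftICE registry key": b"|".join(re.escape(k) for k in (
        b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe")),
}
COMPILED = {name: re.compile(pat, re.DOTALL)
            for name, pat in ANTI_SOFTICE_PATTERNS.items()}

def scan(data: bytes):
    """Return sorted (offset, name) pairs for every pattern hit in data."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)

# Constructed sample image: filler bytes around hand-assembled copies of the
# listings on this page (Method 01 in 32-bit code, the others in 16-bit code).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # Method 03
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                          # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```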
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>