About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
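Every trick above leaves a static fingerprint in the protected binary: a driver name, a registry path, or a short instruction sequence built around a fixed immediate (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 0F386h compare, the 002A002Ah VxDCall selector). An analyst triaging a sample can therefore look for those fingerprints before ever running it. The scanner below is an added example, not code from the original post or from any tool it names; the byte patterns are the standard x86 encodings of the exact instruction forms quoted in methods 01, 02, 03/04, 05, 07 and 12 (for instance `mov si,4647h` assembles to `BE 47 46`), plus the strings of methods 11 and 13, and the sample buffer is constructed for the demonstration. A protector that picks other registers or instruction forms will not match, so treat a hit as a lead to confirm in the disassembler rather than as proof.

```python
"""Static triage for the anti-SoftICE tricks listed above.

Added example (not part of the original post): scans a byte blob for the
fixed byte patterns and strings those tricks leave in a binary. The byte
encodings are the standard x86 ones for the exact instruction forms quoted
in the text; a protector using another register or form will not match.
"""
import re
import sys

# (method number in the text, description, compiled pattern over raw bytes)
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door magic values: mov si,4647h ... mov di,4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    ("03/04", "int 2Fh/1684h lookup of VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05", "int 41h/4Fh debugger check compared against 0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    ("07", "int 68h/43h check: mov ah,43h / int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "SoftICE driver name opened via CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE"
                rb"|Microsoft\\Windows\\CurrentVersion\\(?:Uninstall\\SoftICE"
                rb"|App Paths\\Loader32\.Exe))")),
]


def scan(blob):
    """Return [(offset, method, description, matched_bytes)] sorted by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, description, m.group(0)))
    hits.sort(key=lambda h: h[0])
    return hits


def methods_detected(blob):
    """Sorted, de-duplicated list of the method numbers that matched."""
    return sorted({method for _, method, _, _ in scan(blob)})


def report(blob):
    """Human-readable listing, one line per hit."""
    return "\n".join(
        f"{offset:08x}  method {method:<5} {description}  [{matched.hex(' ')}]"
        for offset, method, description, matched in scan(blob)
    )


# Constructed sample: NOP padding around one instance of several tricks.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # 01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 02: mov ax,0911h; mov dx,[bx]; magics; int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # 03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # 12: push 4Fh; push 002A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"               # 11: driver names
    + b"Software\\NuMega\\SoftICE\x00"                     # 13: registry key
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    print(report(data) or "no anti-SoftICE fingerprints found")
```

Run it with a file path to scan a real sample, or without arguments to see the hits on the constructed buffer; the registry and driver-name patterns are ASCII only, so a binary that stores them as UTF-16 needs a second pass with the strings widened.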