<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

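As an added example, not part of the original text or of any tool it names, the following Python script scans a raw file image for the byte encodings of the idioms in Methods 01 to 07, 11, 12 and the Method 13 registry path, so an analyst can triage a suspect binary before stepping through it. The byte patterns are hand-assembled from the listings above (operand sizes as shown there), the device and registry strings are the ones quoted in the text, and the sample image it scans is constructed.

```python
"""Added example (not from the original text): static triage scanner for the
SoftICE-detection idioms above. Patterns are hand-assembled x86 encodings of
the listed instruction sequences; a miss only means the idiom is absent in
this exact encoding (packed or obfuscated code still needs dynamic analysis)."""
from typing import Dict, List, Tuple

# Signature name -> raw byte pattern (16-bit encodings unless stated).
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker 'BCHK' (32-bit code)": bytes.fromhex("BD4B484342 66B80400 CC"),
    "M01 BoundsChecker 'BCHK' (16-bit code)": bytes.fromhex("66BD4B484342 B80400 CC"),
    # Method 02: mov si,4647h / mov di,4A4Dh (the two 'magic values')
    "M02 backdoor magic SI=4647h DI=4A4Dh": bytes.fromhex("BE4746 BF4D4A"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    "M03 int 2Fh/1684h SICE (0202h)": bytes.fromhex("B88416 BB0202 CD2F"),
    "M04 int 2Fh/1684h SIWVID (7A5Fh)": bytes.fromhex("B88416 BB5F7A CD2F"),
    # Method 05: mov ax,4Fh / int 41h      Method 07: mov ah,43h / int 68h
    "M05 int 41h/4Fh": bytes.fromhex("B84F00 CD41"),
    "M07 int 68h/43h": bytes.fromhex("B443 CD68"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch service number for VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": bytes.fromhex("68 2A002A00"),
    # Method 11: device names opened with CreateFileA / _lopen
    "M11 device name \\\\.\\SICE": b"\\\\.\\SICE",
    "M11 device name \\\\.\\SIWVID": b"\\\\.\\SIWVID",
    "M11 device name \\\\.\\NTICE": b"\\\\.\\NTICE",
    # Method 13: registry key #2, as ANSI and as UTF-16LE (RegOpenKeyW callers)
    "M13 registry key NuMega\\SoftICE (ANSI)": b"Software\\NuMega\\SoftICE",
    "M13 registry key NuMega\\SoftICE (wide)": "Software\\NuMega\\SoftICE".encode("utf-16-le"),
}


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, signature name) hit in the image, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        pos = image.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(pattern, pos + 1)
    return sorted(hits)


def summarize(image: bytes) -> Dict[str, int]:
    """Hit count per method number ('M01', 'M02', ...) for a quick triage view."""
    counts: Dict[str, int] = {}
    for _, name in scan(image):
        counts[name.split()[0]] = counts.get(name.split()[0], 0) + 1
    return dict(sorted(counts.items()))


def build_sample() -> bytes:
    """Constructed image (not from any real binary): NOP padding around the Method 01
    check, a Haspinst-style Method 02 backdoor call and a MeltICE device name."""
    m01 = bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")  # ends with cmp al,4 / jnz +5
    m02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")  # mov ax,911h / mov dx,[bx] / ... / int 3
    return b"\x90" * 16 + m01 + b"\x90" * 8 + m02 + b"\x90" * 8 + b"\\\\.\\SICE\x00"


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Run it over a file with scan(open(path, "rb").read()); short patterns such as M07 can match by chance in large images, so treat a hit as a place to set a breakpoint, not as proof.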
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>