<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature understood by SoftICE: the program
loads 'BCHK' into EBP and function 04h into AX, then executes INT 3. When
SoftICE is loaded it services the call and AL comes back changed; without
SoftICE the INT 3 returns with AL still equal to 04h. (Under Win32 the INT 3
must be wrapped in an exception handler, since without a debugger it raises
a breakpoint exception, see the note to Method 02.)

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV   AX,0911      ; execute command.
4C19:0098 MOV   DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV   SI,4647      ; 1st magic value.
4C19:009D MOV   DI,4A4D      ; 2nd magic value.
4C19:00A0 INT   3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD   BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC   CX
4C19:00A5 CMP   CX,06        ; Repeat 6 times to execute
4C19:00A8 JB    0095         ; 6 different commands.
4C19:00AA JMP   0002         ; Bad_Guy jmp back.
4C19:00AD MOV   BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is taken via an exception handler (SEH) when the
  debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD via int 2Fh/1684h (Get VxD
API entry point). The call returns the entry point in ES:DI; both stay zero
when no VxD with that ID is loaded. (Adding ES and DI only tests that at
least one of them is non-zero; an OR would do the same without the
wraparound risk.)

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers when int 41h, function 4Fh (the debugger installation check) is
called.
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next method, as well as the following one, are 2 examples taken from
Stone's "stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector (at 0000:0104h, so ES must be 0 here, exactly as Method 06 sets it)
at a dummy IRET handler: without a debugger AX is then guaranteed to come
back unchanged, whatever handler was installed before. Only a debugger that
intercepts int 41h itself can return 0F386h.

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but harder to detect because no
magic value (4Fh, 0F386h) appears in the code. The program installs its own
int 41h handler, which copies AL into CL, reads a changing byte from port 40h
(the timer) into AL, clears CX and raises int 41h. If SoftICE intercepts
int 41h, the installed handler is never reached, so CL stays 0 while AL holds
the timer byte; otherwise the handler runs and CL equals AL. (When the timer
byte happens to be 0 the check misses, so the trick is usually repeated.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer channel 0, changing value
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h returns
the same 0F386h magic value when a system debugger is installed.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) and whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (ring 0 only). The values can be
manipulated or changed as well (clearing BPMs for instance).
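
To make the quoted values concrete, here is an added Python example (not from
the original text) that decodes a DR7 value using the documented bit layout
(L0..G3 enable bits in bits 0-7, LE/GE in bits 8-9, the always-set reserved
bit 10, GD in bit 13, R/W and LEN fields from bit 16 up) and shows what
'clearing BPMs' means on the register. Reading DR7 itself needs ring 0
(mov eax, dr7); this only interprets a value you already have. The sample
value 0x000D0701 (one 4-byte write BPM on DR0 plus the loader bits) is
constructed for the illustration.

```python
"""Decode / edit an x86 DR7 value (debug control register)."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is 64-bit only


def decode_dr7(dr7: int) -> dict:
    """Return which hardware breakpoints DR7 arms and how they trigger."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD: #DB on any mov to/from DRx
        "breakpoints": {},
    }
    for i in range(4):
        local_en = bool(dr7 & (1 << (2 * i)))       # Li
        global_en = bool(dr7 & (1 << (2 * i + 1)))  # Gi
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11           # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 0b11           # LENi field
        info["breakpoints"][f"dr{i}"] = {
            "scope": "global" if global_en else "local",
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        }
    return info


def softice_loader_used(dr7: int) -> bool:
    """The text's heuristic: LE and GE both set (0x700) means the program was
    started from the SoftICE loader; 0x400 is just the reserved bit 10."""
    return (dr7 & 0x300) == 0x300


def clear_breakpoints(dr7: int) -> int:
    """What a protection does when it 'clears BPMs': drop every Li/Gi enable
    bit and every R/W and LEN field, keep only bits 8-15 (LE, GE, bit 10, GD)."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0701):
        print(hex(value), decode_dr7(value), "loader:", softice_loader_used(value))
    print(hex(clear_breakpoints(0x000D0701)))
```

Run in ring 0 against a live DR7, the 'breakpoints' map lists exactly the
BPMs the cracker has set; a protection can then write clear_breakpoints()'s
result back to disarm them.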

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by NuMega to let Symbol Loader
check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to intercept
it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA the request goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 4 bytes compared are the first 4 characters of the device name.)

-The most exotic ones (can be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available under
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word which service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 'tICE' sits at offset 0x13 in
 "Software\NuMega\SoftICE" and at offset 0x37 in
 "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".)
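
All of the tricks above leave recognisable bytes in the protected file: the
register loads and INT instructions of Methods 01-05, 07 and 12, the device
names of Method 11 and the registry paths of Method 13. The following Python
scanner is an added example (not from the original text or from any packer)
that turns them into byte signatures and runs them over a binary image, the
static counterpart of the SoftICE breakpoints given for each method. The
encodings assume 16-bit code for the DOS stubs (a 66h prefix is tolerated
where 32-bit code would add one), the gaps allowed between the marker
instructions, the signature names and the sample image are my own choices,
and the sample is a constructed stub, not a real program.

```python
"""Static scan of a DOS/Win32 image for the anti-SoftICE stubs."""
import re

# name -> regex over raw bytes; '.' must match any byte, so re.S is used below
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "m01_boundschecker_int3": rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ; int 3
    "m02_backdoor_magic": (
        rb"(?:\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"
        rb"|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46).{0,8}?\xCC"
    ),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh (either order) ; int 2Fh
    "m03_m04_int2f_1684": (
        rb"(?:\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
        rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"
    ),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    "m05_int41_4f": rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "m07_int68_43": rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3",
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah  (VxDCall VWIN32_Int41Dispatch)
    "m12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry paths that reveal the SoftICE install directory
    "m13_registry_key": (
        rb"Software\\(?:NuMega\\SoftICE"
        rb"|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"
    ),
}


def scan(image: bytes) -> list:
    """Return [(offset, signature_name, matched_bytes_hex)] sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.S):
            hits.append((m.start(), name, m.group().hex()))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image (not a real packer): Method 02 back-door call as in
    Haspinst, Method 03 probe, Method 05 check, a MeltICE device name and a
    registry key, separated by NOP filler."""
    filler = b"\x90" * 5
    return (
        b"\xB8\x11\x09"             # mov ax,0911h
        b"\x8B\x17"                 # mov dx,[bx]
        b"\xBE\x47\x46"             # mov si,4647h
        b"\xBF\x4D\x4A"             # mov di,4A4Dh
        b"\xCC"                     # int 3
        + filler +
        b"\x33\xFF"                 # xor di,di
        b"\x8E\xC7"                 # mov es,di
        b"\xB8\x84\x16"             # mov ax,1684h
        b"\xBB\x02\x02"             # mov bx,0202h
        b"\xCD\x2F"                 # int 2Fh
        + filler +
        b"\xB8\x4F\x00"             # mov ax,4Fh
        b"\xCD\x41"                 # int 41h
        b"\x3D\x86\xF3"             # cmp ax,0F386h
        b"\x74\x00"                 # jz $+2
        + filler +
        b"\\\\.\\SICE\x00"          # "\\.\SICE",0
        + filler +
        b"Software\\NuMega\\SoftICE\x00"
    )


if __name__ == "__main__":
    for offset, name, raw in scan(build_sample()):
        print(f"{offset:08x}  {name:24s}  {raw}")
```

Point scan() at the bytes of a real executable (open(path, "rb").read()) to
get the file offsets where the stubs sit; a hit only says the pattern is
present, so confirm it in the disassembly before patching anything.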

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>