<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: if SoftICE is
loaded, its int 3 handler changes AL.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911   ; execute command.
        4C19:0098  MOV  DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647   ; 1st magic value.
        4C19:009D  MOV  DI,4A4D   ; 2nd magic value.
        4C19:00A0  INT  3         ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD  BX,02     ; BX+2 to point to the next command to execute.
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06     ; Repeat 6 times to execute
        4C19:00A8  JB   0095      ; 6 different commands.
        4C19:00AA  JMP  0002      ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own int 41h handler in...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a changing value in AL
        xor cx, cx
        int 41h                 ; our handler copies AL into CL; a debugger
                                ; hooking int 41h will not
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
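As an added example (not part of the original text), here is a small static scanner that flags the byte patterns behind Methods 01 through 07 and 11 through 13 in a binary image, so an analyst can see which anti-SoftICE tricks a packer carries before tracing it. The signature names and the sample image are constructed for this example; the opcode encodings follow the instruction sequences listed in those methods.

```python
"""Static scan for the anti-SoftICE patterns described in Methods 01-13.

Constructed example: the signatures encode the x86 instruction bytes (or the
device-name / registry strings) each method relies on, so an analyst can flag
which tricks a packed binary contains before tracing it.
"""
import re

# Raw-byte regular expressions. An optional 0x66 operand-size prefix is
# allowed between instructions where 16-bit code may be built as 32-bit.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 SoftICE back door (mov si,4647h ; mov di,4A4Dh)":
        rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    "M03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h/4Fh (mov ax,4Fh ; int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "M06 int 41h timer check (in al,40h ; xor cx,cx ; int 41h)":
        rb"\xE4\x40(?:\x33|\x31)\xC9\xCD\x41",
    "M07 int 68h/43h (mov ah,43h ; int 68h)":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name (\\\\.\\SICE, SIWVID, NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 2A002Ah)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}

def scan(image):
    """Return a sorted list of (offset, signature name) for every hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, image):
            hits.append((match.start(), name))
    return sorted(hits)

# Constructed sample image: a fake header followed by fragments of the
# methods' code and strings, with NOP padding in between.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"   # M01 at offset 16
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"       # M02 at offset 30
    + b"\x90" * 5
    + b"\\\\.\\SIWVID\x00"                              # M11 at offset 42
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                   # M12 at offset 53
    + b"Software\\NuMega\\SoftICE\x00"                  # M13 at offset 60
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Run it against a real file by passing `open(path, "rb").read()` to scan(); the short M05 and M07 patterns can hit by chance, so treat single hits as leads to confirm under the debugger.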

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>