<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
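The two dr7 values quoted above become clearer once the register is decoded bit by bit. The following C decoder is an added example and is not part of the original text: it takes a dr7 value that has already been read (which, as the text says, is only possible from ring0) and reports the LE/GE bits, which breakpoint slots (dr0 to dr3) are armed, and their type and length, following the IA-32 layout of DR7. The 0x400 reset value only has the always-set bit 10; 0x700 adds LE (bit 8) and GE (bit 9); a BPM adds an Ln/Gn bit plus its R/W and LEN fields. The third sample value in main() is constructed.

```c
#include <stdio.h>
#include <stdint.h>

/* One of the four hardware breakpoint slots described by DR7 (DR0..DR3 hold
 * the linear addresses; DR7 holds the enable bits, type and length). */
typedef struct {
    int local_enable;   /* Ln: bit 2*n                                             */
    int global_enable;  /* Gn: bit 2*n + 1                                         */
    int rw;             /* R/Wn: bits 16+4n..17+4n (0=exec, 1=write, 2=I/O, 3=r/w) */
    int len;            /* LENn: bits 18+4n..19+4n (0=1, 1=2, 3=4 bytes; 2=8 on x86-64) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le;             /* bit 8:  local exact breakpoint enable    */
    int ge;             /* bit 9:  global exact breakpoint enable   */
    int gd;             /* bit 13: general detect (trap on MOV DRn) */
    int armed;          /* number of slots with Ln or Gn set        */
} dr7_info;

/* Decodes a raw DR7 value according to the IA-32 bit layout. */
static dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {{{0}}, 0, 0, 0, 0};
    for (int n = 0; n < 4; n++) {
        d.slot[n].local_enable  = (dr7 >> (2 * n))      & 1;
        d.slot[n].global_enable = (dr7 >> (2 * n + 1))  & 1;
        d.slot[n].rw            = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len           = (dr7 >> (18 + 4 * n)) & 3;
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            d.armed++;
    }
    d.le = (dr7 >> 8)  & 1;
    d.ge = (dr7 >> 9)  & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The architectural reset value of DR7 is 0x400 (only the always-set bit 10).
 * Any other bit means a debugger has programmed the register. */
static int dr7_touched(uint32_t dr7)
{
    return (dr7 & ~(uint32_t)0x400) != 0;
}

static const char *rw_name(int rw)
{
    static const char *names[] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

static int len_bytes(int len)
{
    return len == 0 ? 1 : len == 1 ? 2 : len == 3 ? 4 : 8;
}

static void print_dr7(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  touched=%d armed=%d\n",
           dr7, d.le, d.ge, d.gd, dr7_touched(dr7), d.armed);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            printf("  DR%d: %s %s breakpoint, %d byte(s)\n", n,
                   d.slot[n].local_enable ? "local" : "global",
                   rw_name(d.slot[n].rw), len_bytes(d.slot[n].len));
}

int main(void)
{
    print_dr7(0x400);        /* reset value: nothing programmed            */
    print_dr7(0x700);        /* value quoted in the text: LE and GE set    */
    print_dr7(0x000F0701);   /* constructed: 0x700 plus a 4-byte r/w BPM on DR0 */
    return 0;
}
```

The decoder makes the text's rule of thumb explicit: anything other than 0x400 means the register was written, and the per-slot fields show exactly which BPM an anti-debug routine would be able to read or clear.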

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh               ; function 4fh
    push 002a002ah               ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001        ; VxdCall
    cmp ax, 0f386h               ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
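The breakpoints given for each method catch the tricks at run time. An analyst who only has the file can look for the same things statically. The following C scanner is an added example, not code from the original text: it searches a buffer for the opcode sequences of Methods 01, 02, 03/04, 05 and 07 and for the device-name strings of Method 11 and the registry key of Method 13. The byte encodings are my assumption about how the listed instructions are usually assembled (16-bit code for the int 41h/2Fh/68h sequences, 32-bit code with an operand-size prefix for the 'BCHK' one); a packer that picks another encoding or builds the values in registers will not be matched, which is the usual limit of signature scanning. The sample buffer is constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* A signature: raw bytes, an optional mask (1 = must match, 0 = wildcard)
 * and a label naming the method from the text the sequence belongs to. */
typedef struct {
    const char    *what;
    const uint8_t *pat;
    const uint8_t *mask;
    size_t         len;
} sig_t;

/* Assumed encodings (see lead-in): B8 imm16 = mov ax,imm16 in 16-bit code. */
static const uint8_t sig01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC}; /* mov ebp,'BCHK' / mov ax,4 / int 3 */
static const uint8_t sig02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCD,0x03};           /* mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t sig03[] = {0xB8,0x84,0x16, 0xBB,0x00,0x00, 0xCD,0x2F};           /* mov ax,1684h / mov bx,? / int 2Fh */
static const uint8_t msk03[] = {1,1,1, 1,0,0, 1,1};                                     /* VxD ID wildcarded: 0202h or 7A5Fh */
static const uint8_t sig05[] = {0xB8,0x4F,0x00, 0xCD,0x41};                             /* mov ax,4Fh / int 41h */
static const uint8_t sig07[] = {0xB4,0x43, 0xCD,0x68};                                  /* mov ah,43h / int 68h */

#define STR(s) (const uint8_t *)(s), NULL, sizeof(s) - 1

static const sig_t SIGS[] = {
    {"method 01: mov ebp,'BCHK' / int 3",            sig01, NULL,  sizeof sig01},
    {"method 02: SI=4647h DI=4A4Dh / int 3",          sig02, NULL,  sizeof sig02},
    {"method 03/04: int 2Fh/1684h VxD entry point",   sig03, msk03, sizeof sig03},
    {"method 05: int 41h/4Fh magic number",           sig05, NULL,  sizeof sig05},
    {"method 07: int 68h/43h",                        sig07, NULL,  sizeof sig07},
    {"method 11: \\\\.\\SICE device name",            STR("\\\\.\\SICE")},
    {"method 11: \\\\.\\SIWVID device name",          STR("\\\\.\\SIWVID")},
    {"method 11: \\\\.\\NTICE device name",           STR("\\\\.\\NTICE")},
    {"method 13: NuMega\\SoftICE registry key",       STR("Software\\NuMega\\SoftICE")},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Returns the offset of the first match of pat/mask in buf, or -1. */
static long find_pattern(const uint8_t *buf, size_t n,
                         const uint8_t *pat, const uint8_t *mask, size_t len)
{
    if (len == 0 || n < len) return -1;
    for (size_t i = 0; i + len <= n; i++) {
        size_t j = 0;
        while (j < len && ((mask && !mask[j]) || buf[i + j] == pat[j])) j++;
        if (j == len) return (long)i;
    }
    return -1;
}

/* Runs every signature over buf, prints each hit and returns the hit count. */
static int scan_buffer(const uint8_t *buf, size_t n)
{
    int hits = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_pattern(buf, n, SIGS[k].pat, SIGS[k].mask, SIGS[k].len);
        if (off < 0) continue;
        hits++;
        printf("offset 0x%04lx: %s", (unsigned long)off, SIGS[k].what);
        if (SIGS[k].mask)   /* only the int 2Fh signature is masked: show the VxD ID in bx */
            printf(" (bx=%04Xh)", (unsigned)(buf[off + 4] | (buf[off + 5] << 8)));
        putchar('\n');
    }
    return hits;
}

/* Constructed sample standing in for a code section dumped from a packed
 * file: filler, the int 2Fh check for VxD ID 0202h, the int 41h/4Fh check
 * followed by cmp ax,0F386h, and the SICE device-name string. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x55,0x8B,0xEC,                    /* nop / nop / push ebp / mov ebp,esp */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,   /* offset 5:  method 03, bx=0202h      */
    0x75,0x10,                                   /* jnz +10h                            */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,   /* offset 15: method 05 + cmp ax,0F386h */
    0x5C,0x5C,0x2E,0x5C,'S','I','C','E',0x00,    /* offset 23: "\\.\SICE"               */
    0xC3                                         /* ret                                 */
};

int main(void)
{
    int hits = scan_buffer(SAMPLE, sizeof SAMPLE);
    printf("%d signature(s) found\n", hits);
    return 0;
}
```

The masked int 2Fh signature is the interesting one: wildcarding the two bx bytes lets one pattern cover both the SICE (0202h) and SIWVID (7a5Fh) variants, and the scanner then reports which VxD ID the sample asks for.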

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>