About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
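The two dr7 values quoted above (0x700 and 0x400) are easier to reason about once the register is split into its fields. The Python below is an added example, not code from the original post: it decodes a DR7 value using the standard x86 layout (per-slot local/global enable bits, R/W and LEN fields, the LE/GE/GD flags, and bit 10, which is reserved and always reads as 1, which is why an idle DR7 reads 0x400 and not 0), and applies the post's loader heuristic. The function names and the constructed DR0 breakpoint value are mine; the example does not claim that value is byte-for-byte what SoftICE writes for a BPM.

```python
"""Decoder for the x86 DR7 values quoted in Method 10.

Added example, not code from the original post. Bit layout per the Intel
SDM (vol. 3, debug registers); the sample values below are constructed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # code 2 = 8 bytes on 64-bit CPUs, undefined on older ones

DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10    # reserved, always reads as 1: a clean DR7 reads 0x400
DR7_GD = 1 << 13           # general detect: traps any MOV to/from a debug register


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its flags and the armed breakpoint slots (DR0..DR3)."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue        # slot disabled; its R/W and LEN fields carry no meaning
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def softice_loader_signature(dr7: int) -> bool:
    """The post's heuristic: 0x700 (LE and GE set) when started through the
    SoftICE loader, 0x400 (only the reserved bit) otherwise."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def hardware_breakpoints_armed(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled, i.e. a memory/exec breakpoint exists."""
    return bool(decode_dr7(dr7)["breakpoints"])


def make_dr7(slot: int, rw: int, length_code: int, global_enable: bool = True) -> int:
    """Build a DR7 value arming one slot (constructed helper for the demo)."""
    enable = 1 << (2 * slot + (1 if global_enable else 0))
    return (DR7_RESERVED1 | enable
            | (rw << (16 + 4 * slot)) | (length_code << (18 + 4 * slot)))


if __name__ == "__main__":
    # 0x400: nothing armed; 0x700: LE/GE set; constructed: 4-byte R/W breakpoint in DR0.
    for value in (0x400, 0x700, make_dr7(0, rw=3, length_code=3)):
        print(hex(value), decode_dr7(value), softice_loader_signature(value))
```

Reading DR7 is a ring0 operation, as the post says; the decoder is for interpreting a value you have already captured (from a driver, a crash dump or an emulator trace), not for reading the register itself.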

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
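The BPX and BPINT conditions given for Methods 02, 05, 07, 09, 11, 12 and 13 catch these checks at run time under SoftICE. As an added example that is not part of the original post, the Python script below does the static counterpart an analyst would want when triaging a packed DOS/Win9x sample: it scans a raw code/data image for the byte encodings of the idioms described in Methods 01 to 07, 11, 12 and 13 and, for the int 3 back door, decodes which function the AX value requests. The opcode encodings are the standard 16-bit x86 forms (B8..BF mov r16,imm16; B4 mov ah,imm8; BD mov ebp,imm32; CD int imm8; CC int 3; 68/6A push imm); the function names, signature table and the sample image at the bottom are mine and constructed for the example, not taken from any real program.

```python
"""Static scanner for the anti-SoftICE idioms described in this post.

Added example (not code from the original post). The sample image at the
bottom is constructed for the example; the opcode encodings are the
standard 16-bit x86 forms.
"""
import re

# SoftICE int 3 back door functions from Method 02 (AX values).
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# (label, byte regex). Encodings used:
#   B8 iw = mov ax,imm16   BB iw = mov bx,imm16   BE iw = mov si,imm16
#   BF iw = mov di,imm16   B4 ib = mov ah,imm8    BD id = mov ebp,imm32
#   CD ib = int imm8       CC    = int 3          68 id / 6A ib = push imm
# Lazy gaps (.{0,N}?) allow a few unrelated instructions between the parts.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' signature (mov ebp,4243484Bh ... int 3)",
     rb"\x66?\xbd\x4b\x48\x43\x42.{0,12}?\xcc"),
    ("M02 int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)",
     rb"(?:\xb8([\x10-\x14])\x09.{0,16}?)?\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,12}?\xcc"),
    ("M03/M04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    ("M05/M06 int 41h function 4Fh (mov ax,4Fh / int 41h)",
     rb"\xb8\x4f\x00.{0,24}?\xcd\x41"),
    ("M07 int 68h function 43h (mov ah,43h / int 68h)",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
    ("M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("M13 SoftICE registry path (NuMega, Uninstall or App Paths\\Loader32.Exe)",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data: bytes):
    """Return sorted (offset, label, detail) hits for every signature found."""
    hits = []
    for label, pattern in COMPILED:
        for m in pattern.finditer(data):
            detail = ""
            if m.lastindex:  # only the M02 pattern captures: the low byte of AX
                func = 0x0900 | m.group(1)[0]
                detail = BACKDOOR_FUNCS.get(func, "unknown back door function")
            hits.append((m.start(), label, detail))
    return sorted(hits)


def report(data: bytes) -> str:
    """Human-readable listing of scan() results."""
    lines = [f"{off:08x}  {label}" + (f"  [{detail}]" if detail else "")
             for off, label, detail in scan(data)]
    return "\n".join(lines) if lines else "no anti-SoftICE idioms found"


# Constructed sample image: filler, then the Haspinst-style Method 02 sequence
# (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3), a
# Method 05 check, the MeltICE device name and registry key #2 from Method 13.
SAMPLE = (
    b"\x90" * 16                                        # filler (nop)
    + b"\xb8\x11\x09" + b"\x8b\x17"                      # mov ax,0911h ; mov dx,[bx]
    + b"\xbe\x47\x46" + b"\xbf\x4d\x4a" + b"\xcc"        # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00" + b"\xcd\x41" + b"\x3d\x86\xf3"    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                 # MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"                   # registry key #2
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

The scanner only finds the literal encodings quoted in the post; a packer that decrypts its stub at run time, reorders the register loads or builds the magic values arithmetically will not match, so run it over a dumped (unpacked) image or an emulator trace rather than the file on disk, and treat the run-time breakpoints above as the authoritative check.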

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>