<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is located at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
program installs its own int 41h handler, which copies al into cl, then
calls int 41h; if the call does not come back through that handler (because
a debugger services it first), cl is still zero and differs from al.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

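As an added example (not part of the original text), the DR7 decoder below turns the two values quoted above into their bit fields, so that "0x400" reads as the reserved bit 10 that always reads as 1 and "0x700" as that bit plus LE and GE, and so that the dr0..dr3 check becomes "is any L/G enable pair set". It assumes the DR7 layout documented by Intel (bits 0..7 = L0,G0..L3,G3; bit 8 = LE; bit 9 = GE; bit 10 reserved; bit 13 = GD; R/W and LEN fields for slot i at bits 16+4i and 18+4i); the function names and the sample value 0xD00406 are my own construction.

```python
# Added example: decode an x86 DR7 value into named fields. Layout assumed
# from the Intel SDM (see lead-in); not code from the original text.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 2 means 8 bytes (64-bit only)


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and its four breakpoint slots."""
    slots = []
    for i in range(4):
        local_en = bool((dr7 >> (2 * i)) & 1)       # L<i>
        global_en = bool((dr7 >> (2 * i + 1)) & 1)  # G<i>
        rw = (dr7 >> (16 + 4 * i)) & 3              # R/W<i>
        ln = (dr7 >> (18 + 4 * i)) & 3              # LEN<i>
        slots.append({
            "slot": i,
            "enabled": local_en or global_en,
            "local": local_en,
            "global": global_en,
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),   # always reads as 1
        "GD": bool((dr7 >> 13) & 1),               # general-detect: traps MOV DRx
        "slots": slots,
    }


def describe_dr7(dr7):
    """Return (armed_slot_indices, one-line summary) in the terms the text uses."""
    d = decode_dr7(dr7)
    armed = [s["slot"] for s in d["slots"] if s["enabled"]]
    if dr7 == 0x400:
        summary = "baseline: only the always-set reserved bit, no LE/GE, no slots armed"
    elif armed:
        summary = "hardware breakpoints armed in DR" + ",DR".join(str(i) for i in armed)
    elif d["LE"] and d["GE"]:
        summary = "LE/GE set, no slots armed (the 0x700 value the text attributes to the SoftICE loader)"
    else:
        summary = "no slots armed"
    return armed, summary


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD00406):   # 0xD00406 is a constructed sample
        armed, summary = describe_dr7(value)
        print("DR7=%#x -> %s" % (value, summary))
        for s in decode_dr7(value)["slots"]:
            if s["enabled"]:
                print("   DR%d: %s, %d byte(s), %s" % (
                    s["slot"], s["kind"], s["length"],
                    "global" if s["global"] else "local"))
```

Reading DR7 in this way is only possible from ring 0, as the text says; the decoder is useful on the analyst's side too, for example to interpret a DR7 value dumped from a crash or from a VM's register state.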
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32: HANDLE, CreateFile and CloseHandle come from windows.h */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* a successful open of the device name means the driver answered */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                               \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                               \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

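The breakpoints given for each method find the trick at run time. As an added example (not code from the original text nor from any tool it names), the scanner below looks for the same tricks statically, in a raw code or data image: the instruction sequences of methods 01, 02, 03/04, 05, 07 and 12, and the device names and registry paths of methods 11 and 13. It assumes the usual x86 encodings of the listed snippets (16-bit encodings for the DOS ones, 32-bit for the MeltICE and VxDCall ones); the signature names, the `??` wildcard syntax and the sample image at the bottom are my own construction.

```python
# Added example: static scan of a byte image for the SoftICE detection
# tricks described in the text. Encodings assumed as stated in the lead-in;
# the sample image is constructed here for demonstration.
from collections import namedtuple

Finding = namedtuple("Finding", "offset name detail")


def sig(hexstr):
    """'B8 84 16 BB ?? ?? CD 2F' -> list of ints, None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hexstr.split()]


VXD_NAMES = {0x0202: "SICE", 0x7A5F: "SIWVID"}   # VxD IDs quoted in the text

OPCODE_SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (a 66h prefix in 16-bit code sits before BDh)
    ("method01_bchk", sig("BD 4B 48 43 42")),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values)
    ("method02_backdoor_magic", sig("BE 47 46 BF 4D 4A")),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("method03_04_int2f_1684", sig("B8 84 16 BB ?? ?? CD 2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("method05_int41_4f", sig("B8 4F 00 CD 41")),
    # Method 07: mov ah,43h ; int 68h
    ("method07_int68_43", sig("B4 43 CD 68")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("method12_vxdcall_int41", sig("6A 4F 68 2A 00 2A 00")),
    ("method12_vxdcall_int41", sig("68 4F 00 00 00 68 2A 00 2A 00")),
]

# Methods 11 and 13: device names handed to CreateFileA/_lopen and the
# registry paths; each is searched as ASCII and as UTF-16LE.
STRING_SIGNATURES = [
    ("method11_device_name", b"\\\\.\\SICE"),
    ("method11_device_name", b"\\\\.\\SIWVID"),
    ("method11_device_name", b"\\\\.\\NTICE"),
    ("method13_registry_key", b"Software\\NuMega\\SoftICE"),
    ("method13_registry_key", b"Uninstall\\SoftICE"),
    ("method13_registry_key", b"App Paths\\Loader32.Exe"),
]


def find_pattern(buf, pattern):
    """Offsets at which pattern (ints / None wildcards) matches buf."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))]


def find_bytes(buf, needle):
    """All (possibly overlapping) offsets of needle in buf."""
    hits, start = [], buf.find(needle)
    while start >= 0:
        hits.append(start)
        start = buf.find(needle, start + 1)
    return hits


def scan(buf):
    """Return the findings in a byte image, sorted by offset."""
    findings = []
    for name, pat in OPCODE_SIGNATURES:
        for off in find_pattern(buf, pat):
            detail = ""
            if name == "method03_04_int2f_1684":
                # the wildcard bytes are the VxD ID passed in bx (little-endian)
                vxd_id = int.from_bytes(buf[off + 4:off + 6], "little")
                detail = "VxD ID %#06x (%s)" % (vxd_id, VXD_NAMES.get(vxd_id, "unknown"))
            findings.append(Finding(off, name, detail))
    for name, s in STRING_SIGNATURES:
        for enc, needle in (("ascii", s), ("utf-16le", s.decode("ascii").encode("utf-16-le"))):
            for off in find_bytes(buf, needle):
                findings.append(Finding(off, name, "%s %s" % (enc, s.decode("ascii"))))
    return sorted(findings)


# Constructed sample: a few of the snippets from the text, padded with NOPs.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"      # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                       # device name used by MeltICE
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # push 4Fh ; push 2A002Ah
)

if __name__ == "__main__":
    for f in scan(SAMPLE_IMAGE):
        print("%#06x  %-24s %s" % (f.offset, f.name, f.detail))
```

Two caveats when running this over real files: the 16-bit sequences assembled in a 32-bit segment carry a 66h operand-size prefix before each mov, so a pattern such as B8 84 16 BB ?? ?? CD 2F needs a second signature with the prefixes if Win32 code is to be covered; and the int 41h/4Fh pair is also issued by programs that talk to a debugger on purpose, so a hit is a reason to look at the surrounding code, not proof of a protection.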
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>