About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to be 0 (the IVT segment), as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
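As an added example that is not part of the original text, here is a small Python scanner that turns the constants of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into byte signatures, the way an analyst would triage a packed file for these anti-SoftICE checks. The encodings are hand-assembled (16-bit unless noted), the sample blob and the labels are my own constructions.

```python
import re
from typing import List, Tuple

# Byte signatures derived from the methods described above.
# Each entry: (label, compiled byte-regex).  Short patterns such as
# "mov ah,43h / int 68h" can also occur in data, so hits are triage leads
# to confirm in a disassembler, not proof of an anti-debug check.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK'), 32-bit encoding BD imm32
    ("01 BoundsChecker BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ; mov di,4A4Dh (magic values), int 3 close by
    ("02 int3 backdoor magic",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("03 int2F/1684 SICE", re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("04 int2F/1684 SIWVID", re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int41/4F", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int68/43", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall Int41Dispatch", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key probed for the install directory
    ("13 registry probe",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample "binary": NOP filler with three of the tricks embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # method 05 + cmp ax,0F386h
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # method 12
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # method 11 device names
    + b"\x90" * 16
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:08X}  {label}")
```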