About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
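The post describes each trick from the debugger's side (which BPX to set). When triaging a packed or protected binary today, the same tricks are easier to spot statically: most of them leave fixed byte sequences (the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the int 2Fh/1684h and int 41h/4Fh sequences of Methods 03-05, the int 68h call of Method 07, the `\\.\SICE` device names of Method 11, the 002A002A VxDCall of Method 12 and the registry paths of Method 13). The scanner below is an added example written for this page, not code from the post or from any of the tools it names. The opcode encodings it searches for are what a plain assembler emits for the listed instructions and are an assumption of this example (a compiler, a different addressing mode or an obfuscator can encode the same check differently), and the sample buffer is hand-built from those encodings rather than taken from any real binary.

```python
import re
import sys

# Byte-level signatures for the anti-SoftICE checks listed in the post.
# The opcode bytes are what a typical assembler emits for the listed
# instructions (16-bit code for the int 41h/2Fh/68h variants, 32-bit code
# for the BoundsChecker and VxDCall variants). They are assumptions made
# for this example: a different encoding of the same check is a miss, so
# a clean scan is not proof that a binary has no anti-debugging code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') followed by int 3 within a few bytes
    ("BoundsChecker int 3 check (Method 01)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values, either order)
    ("SoftICE back door magic SI/DI (Method 02)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46")),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("int 2Fh/1684h VxD entry point probe (Method 03/04)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("int 41h/4Fh debugger check (Method 05)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("int 68h/43h WinICE handler check (Method 07)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: driver device names passed to CreateFileA / _lopen
    ("MeltICE device name (Method 11)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b")),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    ("VxDCall VWIN32_Int41Dispatch (Method 12)",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys that reveal a SoftICE installation
    ("SoftICE registry key string (Method 13)",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(data):
    """Return a list of (offset, description) for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(data):
    """Map each signature description to the number of times it was found."""
    counts = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: hand-assembled fragments of the tricks, glued together
# with NOP padding. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01, 32-bit: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02, 16-bit: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41"                       # Method 05: mov ax,4Fh; int 41h
    + b"\\\\.\\SICE\x00"                            # Method 11: '\\.\SICE',0
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"   # Method 12: push 4Fh; push 002A002Ah
    + b"Software\\NuMega\\SoftICE\x00"              # Method 13: registry path fragment
)


if __name__ == "__main__":
    # Usage: python scan_antisice.py [file]; without a file the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print("0x%08x  %s" % (offset, name))
```

Hits are reported by file offset so they can be cross-checked in a disassembler; Methods 06, 08, 09, 10 and 14 are left out on purpose because they have no stable byte pattern (a handler address, a VMMCall or a debug-register read looks like any other code), which is exactly why the post recommends breakpoints rather than signatures for those.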