<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check that SoftICE answers:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4              ; SoftICE modifies al when it sees 'BCHK'
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax            ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax             ; ES = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; install our own int 41h handler, keep the old one
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the old handler
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax             ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; install our own int 41h handler, keep the old one
 xchg bx, es:[41h*4+2]
 in al, 40h            ; arbitrary value read from the timer port
 xor cx,cx
 int 41h               ; our handler copies al into cl
 xchg dx, es:[41h*4]   ; restore the old handler
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; cl still 0 if int 41h was swallowed by a debugger
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):
 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number            ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the device name can only be opened while the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025    ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-((
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00               ; OF_READ
 mov eax,[00656634]    ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax               ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589          ; detected
 push 00               ; OF_READ
 mov eax,[00656638]    ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected
Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
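As an added example (not code from the original text), the following Python script turns the byte-level fingerprints of methods 01, 02, 05/07/12, 11 and 13 into a small static scanner that an analyst can run over a suspicious executable to flag anti-SoftICE checks before stepping into them; the signature names, the opcode encodings and the SAMPLE image are constructed here, not taken from any protected program.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Byte patterns for the SoftICE checks described in this text. Opcode bytes are
# the standard x86 encodings of the listed instructions; the optional 66h prefix
# accepts the 16-bit register forms when they appear inside 32-bit code.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,04243484Bh ('BCHK', stored little-endian) ahead of int 3
    ("m01_boundschecker_bchk", rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the back door 'magic values'
    ("m02_backdoor_magic_values", rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    # Methods 05, 07, 12: cmp ax,0F386h on the int 41h / int 68h / VxDCall result
    ("m05_07_12_cmp_ax_f386", rb"(?:\x66)?\x3d\x86\xf3"),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    ("m11_meltice_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal the SoftICE installation
    ("m13_softice_registry_key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def summarize(buf: bytes) -> Dict[str, int]:
    """Count matches per signature (only signatures that hit are listed)."""
    return dict(Counter(name for name, _ in scan(buf)))


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk (e.g. an unpacked DOS or Win9x executable)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test image: stand-in header bytes followed by hand-assembled
# fragments of methods 01, 02 and 05, two MeltICE device names and one key.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x00" * 8
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"                # mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"            # mov ax,4fh; int 41h; cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"             # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"               # registry key from method 13
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit only says the bytes are present; a packer may decrypt the check at run time, so the scanner is a triage aid for the breakpoints listed above, not a replacement for them.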
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>