About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler recognises the query
    cmp     al,4                   ; and answers by modifying AL
    jnz     SoftICE_Detected       ; AL still 4 -> no SoftICE

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di                  ; ES:DI = 0 before the call
    mov     ax, 1684h              ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h              ; VxD ID of winice
    int     2Fh
    mov     ax, es                 ; ES:DI -> VxD API entry point
    add     ax, di                 ; ES:DI still 0 -> VxD not present
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di                  ; ES:DI = 0 before the call
    mov     ax, 1684h              ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 7a5Fh              ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                 ; ES:DI -> VxD API entry point
    add     ax, di                 ; ES:DI still 0 -> VxD not present
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                 ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h             ; magic value returned by a system debugger
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                  ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]       ; keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h                    ; SoftICE intercepts this before the V86 vector
    xchg    dx, es:[41h*4]         ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                           ; no debugger: AX comes back unchanged
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; our own handler: copy AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                  ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; AL = a varying value (timer port)
    xor     cx,cx
    int     41h                    ; no 4Fh function involved, nothing to BPINT on
    xchg    dx, es:[41h*4]         ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; if our handler ran, CL == AL
    jnz     SoftICE_detected       ; if a debugger swallowed int 41h, it did not

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                ; DOS: set interrupt vector
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name only opens when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
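The tricks above leave recognisable byte patterns in a binary. The following Python scanner is an added example, not code from the original post: it searches a buffer for the immediates and interrupt calls of Methods 01, 02, 03/04, 05, 07, 11 and 12 so that an analyst can flag anti-SoftICE code in a sample before single-stepping it. The opcode encodings are my assumptions about how the snippets assemble (16-bit real mode for the DOS interrupt code, 32-bit for the Win32 code), and the sample buffer is constructed, not taken from any real file.

```python
import re
from typing import List, Tuple

# Byte patterns for the tricks in the post. The encodings are my assumptions
# about how the snippets assemble: 16-bit real mode for the DOS interrupt
# code (int 3 / 2Fh / 41h / 68h), 32-bit for the Win32 (MeltICE, VxDCall) code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (opcode BD, then CC)
    ("M01 BoundsChecker 'BCHK' query via int 3", rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (optional 66h prefix in 32-bit code)
    ("M02 back door magic SI=4647h DI=4A4Dh", rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h SICE or SIWVID VxD ID",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41h function 4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12: cmp ax,0F386h (weak on its own, only 3 bytes)
    ("magic 0F386h compare", rb"(?:\x66)?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE opens \\.\SICE, \\.\SIWVID or \\.\NTICE
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah before VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample (not from any real binary): NOP filler with Method 01 as
# 32-bit code, Method 05 as 16-bit code, and the MeltICE device-name string.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                  # Method 05
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                             # Method 11
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

Short patterns such as the 0F386h compare will fire on unrelated code, so treat a lone hit as a hint and the clustered hits as the real signal.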
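The dr7 values quoted in Method 10 are easier to reason about once the register is decoded. The following Python is an added example, not from the original post: it splits DR7 into its fields using the Intel debug-register layout, shows why 0x400 and 0x700 contain no enabled breakpoint (only bit 10, plus LE/GE for 0x700), and lists the BPMs that a constructed DR0-DR3/DR7 snapshot would expose to such a check.

```python
from dataclasses import dataclass
from typing import Dict, List

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7 : L0,G0 .. L3,G3 local/global enable, one pair per breakpoint
#   bit 8/9  : LE / GE exact-match flags; bit 10: always reads as 1; bit 13: GD
#   bits 16+ : R/W and LEN, 2 bits each, per breakpoint
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


@dataclass
class HwBreakpoint:
    index: int      # which of DR0..DR3
    address: int    # linear address held in DRn
    kind: str       # execute / write / read-write / io
    length: int     # watched byte range
    local: bool     # Ln enable bit
    global_: bool   # Gn enable bit


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into the flags Method 10 cares about."""
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
        "enabled": [i for i in range(4) if dr7 & (0b11 << (2 * i))],
    }


def active_breakpoints(dr0_3: List[int], dr7: int) -> List[HwBreakpoint]:
    """List the hardware breakpoints (SoftICE BPMs) visible in DR0-DR3/DR7."""
    bps = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], local, glob))
    return bps


def loader_hint(dr7: int) -> str:
    """The post's heuristic: dr7=0x700 after the SoftICE loader, 0x400 otherwise."""
    f = decode_dr7(dr7)
    if f["LE"] and f["GE"]:
        return "LE+GE set: matches the post's SoftICE-loaded value (dr7=0x700)"
    return "LE/GE clear: matches the post's plain-run value (dr7=0x400)"


# Constructed snapshot: one local read/write BPM of 4 bytes at 0x401000, on
# top of the 0x700 value the post quotes for a SoftICE-loaded program.
SAMPLE_DR7 = 0x700 | 0b01 | (0b11 << 16) | (0b11 << 18)   # = 0xF0701
SAMPLE_DR0_3 = [0x401000, 0, 0, 0]

if __name__ == "__main__":
    print(loader_hint(SAMPLE_DR7))
    for bp in active_breakpoints(SAMPLE_DR0_3, SAMPLE_DR7):
        print(f"BPM{bp.index}: {bp.kind} len={bp.length} at {bp.address:#x}")
```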