<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature recognised by SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is still 4 if nobody handled the int 3
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0000:0000 if the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h          ; only a real debugger answers with the magic number
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl, al              ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer channel 0: a changing value in al
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was the one called
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )     /* the driver answered the open */
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025       ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 on failure, so eax becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>