About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es = 0 (IVT segment) is assumed here;
    xchg    bx, es:[41h*4+2]        ; the int 41h vector is swapped with our own handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value read from the timer port
    xor     cx,cx
    int     41h                     ; if our handler runs, cl == al afterwards
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
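As an added example (not code from the original text or from any tool it names), this C program evaluates the memory tests of the Method 11 CreateFileA breakpoint and of the _regopenkey breakpoint above on constructed sample arguments: it shows why offsets 4, 0x13 and 0x37 land on 'SICE'/'tICE', and that key #3 (App Paths\Loader32.Exe) is not caught by that condition.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original text.  Models the memory test in the
 * page's SoftICE breakpoint conditions:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->4 / esp->8 is the string argument (file name / subkey), the constant
 * is a byte offset into it, and the 4-letter tag is compared with the dword
 * sitting there.  All sample arguments below are constructed. */

/* Read 4 bytes as a little-endian dword, as a debugger memory operand does. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 when the dword at byte offset `off` of `arg` equals the tag.  An argument
 * that ends before off+4 cannot match (the real expression would read the
 * bytes after the terminator; we stay in bounds and report no match). */
static int tag_at(const char *arg, size_t off, const char tag[4])
{
    if (strlen(arg) < off + 4)
        return 0;
    return le32((const unsigned char *)arg + off) ==
           le32((const unsigned char *)tag);
}

/* Method 11 breakpoint: offset 4 skips the "\\.\" prefix of the name passed
 * to CreateFileA, so the dword holds the first 4 letters of the driver name. */
int createfile_bp_fires(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* Method 13 breakpoint: 0x13 is where "tICE" sits in "Software\NuMega\SoftICE"
 * (key #2) and 0x37 where it sits in the Uninstall\SoftICE path (key #1).
 * Key #3 (App Paths\Loader32.Exe) has no "tICE" at either offset. */
int regopenkey_bp_fires(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\readme.txt" };
    const char *keys[] = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\"): %s\n", names[i],
               createfile_bp_fires(names[i]) ? "breaks" : "no break");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\"): %s\n", keys[i],
               regopenkey_bp_fires(keys[i]) ? "breaks" : "no break");
    return 0;
}
```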

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>