About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: int 3 is issued with
ebp = 'BCHK' and ax = 4; if SoftICE is loaded it services the BoundsChecker
request and al is no longer 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). When no VxD with that ID is loaded the call
returns ES:DI = 0, so any non-zero value means SoftICE is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a dummy handler, so that without a system debugger the call
returns with ax unchanged; a resident system debugger that intercepts
int 41h before the vector table is consulted still answers 0F386h:

    xor     ax,ax
    mov     es,ax                 ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; swap in our handler (offset)
    xchg    bx, es:[41h*4+2]      ; swap in our handler (segment)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
uses neither function 4Fh nor the 0F386h value. A changing value read from
the PIT (port 40h) is passed in al to int 41h; if our own handler runs it
copies al into cl, so cl != al (cl left at 0) means something else is
sitting on int 41h.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                 ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; PIT counter: unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, 01h                     ; or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
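Method 10 only says what a check reads (dr7, dr0..dr3); the interpretation step is the part worth seeing. The following is an added Python example, not code from the original post or from any tool it mentions: it decodes a DR7 value the way a ring-0 check would after `mov eax, dr7`, reproduces the 0x400 baseline (bit 10 is reserved and always reads 1) and the 0x700 pattern the text attributes to the SoftICE loader (LE and GE set), and shows what "clearing BPMs" amounts to at the bit level. Function names and all input values are constructed for illustration; the bit layout itself is the architectural DR7 layout.

```python
"""Decoder for the DR7 values discussed in Method 10.

Added example, not part of the original post. A ring-0 check reads DR7 with
'mov eax, dr7'; this code does the interpretation step on a value already
read, so it runs anywhere. All input values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 8 bytes is 64-bit mode only

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10   # always reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13          # general detect: traps any access to DR0..DR7


@dataclass
class HwBreakpoint:
    index: int        # 0..3 -> address lives in DR0..DR3
    local: bool       # L<n> bit
    global_: bool     # G<n> bit
    kind: str         # what triggers it
    length: int       # bytes covered


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into the enabled hardware breakpoints and the control bits."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                  # slot i is disabled, RW/LEN are irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append(HwBreakpoint(i, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's observation: LE and GE set (0x700) when the target was
    started through the SoftICE loader, plain 0x400 otherwise."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpms(dr7: int) -> int:
    """What 'clearing BPMs' amounts to: drop every L<n>/G<n> enable bit.
    RW/LEN fields and the DR0..DR3 addresses are left as they are."""
    return dr7 & ~0xFF


def set_bpm(dr7: int, index: int, kind: str, length: int, global_: bool = False) -> int:
    """Build the DR7 bits a debugger writes for a memory breakpoint on slot index."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index + (1 if global_ else 0))
    mask = ~(0b1111 << (16 + 4 * index))          # clear the slot's RW/LEN field
    dr7 = (dr7 & mask) | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))
    return dr7 | enable


if __name__ == "__main__":
    sample = set_bpm(0x700, 0, "write", 4)        # loader pattern + one BPM
    print(hex(sample), decode_dr7(sample))
    print(hex(clear_bpms(sample)), decode_dr7(clear_bpms(sample))["breakpoints"])
```

Note that clearing the enable bits is exactly what makes the protector's trick dangerous while tracing: DR0..DR3 still hold the addresses, but the BPMs silently stop firing, which is why the text warns to clear breakpoints before running with the feature enabled.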

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles on the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE VxD answers the open request, i.e. SoftICE
   for Win9x is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  4-byte compare reads the driver name that follows it)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
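The breakpoints listed under each method only work once the target is already running under SoftICE; the same tricks are also recognisable statically, since every one of them leaves a fixed instruction sequence, magic constant or string in the binary. What follows is an added Python example, not code from the original post or from any tool it names: a small signature scanner for methods 01-07, 11, 12 and 13 built from the x86 encodings of the listings above (mov si,4647h = BE 47 46, int 41h = CD 41, and so on). The signature labels, the allowed gap between setup and trapping instruction, the optional 66h prefix for 32-bit code and the sample image are my own constructions; a real packer may split or obfuscate these sequences, so misses are expected and hits are a triage aid, not proof.

```python
"""Static scanner for the anti-SoftICE patterns catalogued above.

Added example, not code from the original post. It searches a raw binary
for the x86 encodings of the instruction sequences and strings that
methods 01-07, 11, 12 and 13 rely on, so the checks can be located before
the target is ever run under a debugger. Signature names and the sample
image below are constructed for illustration.
"""
import re
import sys
from typing import List, Tuple

# (label, pattern). Encodings follow the listings in the text: 16-bit code,
# with an optional 66h operand-size prefix so the same idiom in 32-bit code
# (mov ax,imm16 -> 66 B8 imm16) is caught too. '.{0,N}?' allows a few
# unrelated instructions between the setup and the trapping instruction.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK",     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # 02: mov si,4647h and mov di,4A4Dh (back-door magic values), either order
    ("02 back-door magic SI/DI",  re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                                             rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03 int 2F/1684 SICE VxD",   re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04 int 2F/1684 SIWVID VxD", re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    # 05: mov ax,4Fh ; int 41h
    ("05 int 41/4F",              re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    # 05/07/12: cmp ax,0F386h (the system-debugger magic number)
    ("magic 0F386h compare",      re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    # 07: mov ah,43h ; int 68h
    ("07 int 68/43",              re.compile(rb"\xB4\x43\xCD\x68")),
    # 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",    re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # 12: push 4Fh ; push 2A002Ah ; call VxDCall
    ("12 VxDCall Int41Dispatch",  re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # 13: registry key probed to find the install directory
    ("13 NuMega registry key",    re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, label) hit, sorted by offset."""
    hits = [(m.start(), label) for label, pat in SIGNATURES for m in pat.finditer(data)]
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image: padding plus three of the checks, hand-assembled.
SAMPLE = (
    b"\x90" * 8
    # method 02: mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 4
    # method 05 in 32-bit code: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"
    + b"\x90" * 4
    # method 11: the two driver names MeltICE tries on Win9x and NT
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, label in results:
        print(f"{off:08x}  {label}")
```

Run it with a file argument to scan a real image, or with none to see the hits on the constructed sample. Each hit offset is a place to set a BPX before the first int 3/int 41h executes, which is safer than discovering Method 02's HBOOT the hard way.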
汶上信息港 forum, powered by Discuz! X5.0