About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4, SoftICE answers the INT 3 by modifying AL, so if AL is no longer 4
afterwards the debugger is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 when the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES must be 0 (IVT segment) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; only a debugger below the IVT still answers
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; dummy handler: echo al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable value
    xor     cx,cx
    int     41h                     ; if anything else answers first, cl != al
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE when the SICE device accepts the open, i.e. SoftICE is loaded */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* CreateFileA explicitly: the device name is a narrow string */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:


     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
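The breakpoints above catch these tricks at run time. As an added example (not part of the original text), here is a static Python scanner that flags the Method 01 'BCHK' stub, the Method 02 magic values, the Method 11 MeltICE device names and the Method 13 registry subkey in a raw file or code buffer; the byte encodings are the standard x86 ones for the instructions shown, and the sample buffer is constructed.

```python
"""Static scanner for the anti-SoftICE tricks described above.

Added example, not from the original text: it flags the byte patterns of
Method 01 ('BCHK' signature), Method 02 (4647h/4A4Dh magic values) and the
strings behind Method 11 (MeltICE device names) and Method 13 (the NuMega
registry subkey) in a raw code or data buffer. SAMPLE is constructed.
"""
import re

# Method 01 as a 32-bit assembler encodes it:
#   mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
BCHK_32 = bytes.fromhex("BD 4B 48 43 42  66 B8 04 00  CC  3C 04")
# Same instructions assembled as 16-bit code (the 66h prefix moves)
BCHK_16 = bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04")

# Method 02: 16-bit 'mov si,4647h' (BE 47 46) and 'mov di,4A4Dh'
# (BF 4D 4A) in either order, at most 8 bytes apart
BACKDOOR_MAGIC = re.compile(
    rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
    re.DOTALL)

# Method 11 device names (SICE/SIWVID on Win9x, NTICE on NT) and the
# Method 13 registry subkey, as they sit in a binary's string table
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEY = b"Software\\NuMega\\SoftICE"


def find_all(buf, pattern):
    """Start offsets of every match of a bytes literal or regex in buf."""
    if isinstance(pattern, bytes):
        pattern = re.compile(re.escape(pattern), re.DOTALL)
    return [m.start() for m in pattern.finditer(buf)]


def scan(buf):
    """Return sorted (offset, rule) hits for the tricks listed above."""
    rules = [
        ("M01 BCHK int3 (32-bit)", BCHK_32),
        ("M01 BCHK int3 (16-bit)", BCHK_16),
        ("M02 backdoor magic SI/DI", BACKDOOR_MAGIC),
        ("M13 NuMega registry key", REGISTRY_KEY),
    ]
    for name in DEVICE_NAMES:
        rules.append(("M11 MeltICE device name", name))
        # a CreateFileW caller carries the same name as UTF-16LE
        rules.append(("M11 MeltICE device name (wide)",
                      name.decode().encode("utf-16-le")))
    hits = [(off, rule) for rule, pat in rules for off in find_all(buf, pat)]
    return sorted(hits)


# Constructed sample: filler, Method 01 stub, Method 02 prologue, strings
SAMPLE = (b"\x55\x8B\xEC" * 4                # offset  0: push ebp/mov ebp,esp
          + BCHK_32                          # offset 12
          + b"\x90" * 6
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # offset 30: mov si/mov di/int 3
          + b"\x00" * 3
          + b"\\\\.\\SICE\x00"               # offset 40
          + REGISTRY_KEY + b"\x00")          # offset 49

if __name__ == "__main__":
    for off, rule in scan(SAMPLE):
        print(f"{off:#06x}  {rule}")
```

A hit only says the stub or string is present; confirm in a debugger that the code path is reachable, since packers also carry these bytes as decoys.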

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>