About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (IVT segment) here
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

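Added example (not part of the original text nor of any tool it names): a small static triage scanner that looks for the byte patterns of Method 01 (the 'BCHK' int 3 sequence), Method 02 (the SI=4647h/DI=4A4Dh back-door magic values) and Method 11 (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names) in a raw binary, so an analyst can flag these checks in a sample before running it. The instruction encodings are the standard x86 ones; the sample bytes at the bottom are constructed for the demo.

```python
import re
from typing import List, Tuple

# Method 01 (32-bit code): mov ebp,4243484Bh / mov ax,4 / int 3
#   -> BD 4B 48 43 42  66 B8 04 00  CC   (standard x86 encodings)
BCHK_INT3 = b"\xBD" + (0x4243484B).to_bytes(4, "little") + b"\x66\xB8\x04\x00\xCC"

# Method 02 (16-bit real-mode code): the two magic loads and the int 3 call
#   mov si,4647h -> BE 47 46      mov di,4A4Dh -> BF 4D 4A
# The loads can be in either order with other instructions between them, so
# each immediate is matched on its own and both must fall inside one window.
MOV_SI_MAGIC = b"\xBE" + (0x4647).to_bytes(2, "little")
MOV_DI_MAGIC = b"\xBF" + (0x4A4D).to_bytes(2, "little")
INT3_FORMS = (b"\xCC", b"\xCD\x03")
# mov ax,0910h..0914h (back-door function number) -> B8 lo 09
BACKDOOR_AX = re.compile(rb"\xB8[\x10-\x14]\x09")

# Method 11 (MeltICE): device names passed to CreateFileA / _lopen
MELTICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")


def find_all(data: bytes, pat: bytes) -> List[int]:
    """Offsets of every occurrence of a literal byte pattern."""
    return [m.start() for m in re.finditer(re.escape(pat), data)]


def scan(data: bytes, window: int = 32) -> List[Tuple[int, str]]:
    """Return (offset, description) for each anti-SoftICE signature found."""
    hits: List[Tuple[int, str]] = []
    for off in find_all(data, BCHK_INT3):
        hits.append((off, "method01: BoundsChecker 'BCHK' int 3 check"))
    for off in find_all(data, MOV_SI_MAGIC):
        chunk = data[off:off + window]
        if MOV_DI_MAGIC in chunk and any(f in chunk for f in INT3_FORMS):
            desc = "method02: SoftICE back door (SI=4647h, DI=4A4Dh)"
            fn = BACKDOOR_AX.search(data[max(0, off - window):off + window])
            if fn:  # report which back-door function is requested
                desc += " AX=%04Xh" % int.from_bytes(fn.group(0)[1:], "little")
            hits.append((off, desc))
    for name in MELTICE_NAMES:
        for off in find_all(data, name):
            hits.append((off, "method11: MeltICE device name " + name.decode()))
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding, the Haspinst-style
# Method 02 sequence (mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3),
# then a Method 01 sequence and a MeltICE device-name string.
SAMPLE = (b"\x90" * 8
          + b"\xB8\x11\x09" + b"\x8B\x17" + MOV_SI_MAGIC + MOV_DI_MAGIC + b"\xCC"
          + b"\x90" * 8 + BCHK_INT3 + b"\x00" * 4 + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print("%08X  %s" % (off, desc))
```

A hit only says the pattern is present; the string form of Method 11 in particular also appears in legitimate NuMega tools such as the Symbol Loader mentioned above, so treat it as a triage signal, not a verdict.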
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>