About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to already point to the IVT (segment 0) here;
    ; Method 06 shows the explicit setup.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if our vector is really reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer byte: a value that is hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al -> our handler was not executed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
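The byte patterns behind methods 01 to 07 are easy to pull out of a sample statically, which is how an analyst would flag them before ever stepping into the code. The following scanner is an added example, not part of the original text; it assumes 16-bit encodings for the int 3 / int 2Fh / int 41h / int 68h sequences, and its sample bytes are hand-assembled from the HASPINST listing above plus one method 03 and one method 07 check.

```python
import re

# name -> regex over raw bytes. Small .{0,n} gaps tolerate interleaved
# instructions (e.g. the mov dx,[bx] in the HASPINST listing). The 'BCHK'
# mov is matched without its 66h prefix so it also hits in 32-bit code.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' + int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",              # mov ebp,4243484Bh ... int 3
    "02 SoftICE back door (si=4647h, di=4A4Dh, int 3)":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",   # mov si ; mov di ; int 3
    "03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",                  # mov ax,4Fh ; int 41h
    "07 int 68h function 43h":
        rb"\xB4\x43.{0,4}?\xCD\x68",                      # mov ah,43h ; int 68h
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(data: bytes):
    """Return a sorted list of (offset, signature name) for every hit."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample (not a real binary): the HASPINST loop from method 02
# assembled by hand, then a method 03 check, then a method 07 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"      # mov ax,0911h
    + b"\x8B\x17"          # mov dx,[bx]
    + b"\xBE\x47\x46"      # mov si,4647h
    + b"\xBF\x4D\x4A"      # mov di,4A4Dh
    + b"\xCC"              # int 3
    + b"\x83\xC3\x02"      # add bx,2
    + b"\x41"              # inc cx
    + b"\x83\xF9\x06"      # cmp cx,6
    + b"\x72\xEB"          # jb back to the mov ax
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7"  # xor di,di ; mov es,di
    + b"\xB8\x84\x16"      # mov ax,1684h
    + b"\xBB\x02\x02"      # mov bx,0202h (SICE)
    + b"\xCD\x2F"          # int 2Fh
    + b"\x90" * 3
    + b"\xB4\x43\xCD\x68"  # mov ah,43h ; int 68h
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```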
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

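To make the two dr7 values quoted above concrete, here is an added Python decoder for the DR7 bit layout (not part of the original text): it shows that 0x400 is just the reserved always-set bit 10, that 0x700 additionally has LE and GE set, and how an active BPM in dr0-dr3 shows up. Reading DR7 itself needs ring 0 and is not done here; the sample values are constructed.

```python
# Documented x86 DR7 layout (same on 386 through today's CPUs):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3   local/global enable per slot
#   bit 8      LE, bit 9 GE             exact-breakpoint enables
#   bit 10     reserved, always reads 1
#   bit 13     GD                       general detect (traps DR access)
#   bits 16+   R/Wn (2 bits) then LENn (2 bits) for each slot n
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the settings of every enabled slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local or glob:
            slots.append({"slot": i, "global": bool(glob),
                          "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": slots,
    }

def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's rule: dr7 == 0x700 means LE and GE are set on top of bit 10."""
    return (dr7 & 0x700) == 0x700

def active_bpm_count(dr7: int) -> int:
    """How many of dr0-dr3 are armed (what a BPM check would notice)."""
    return len(decode_dr7(dr7)["breakpoints"])

if __name__ == "__main__":
    # 0x000D0702 is constructed: LE/GE set plus a global 4-byte write BPM in dr0.
    for v in (0x400, 0x700, 0x000D0702):
        print(hex(v), looks_like_softice_loader(v), decode_dr7(v))
```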
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open only succeeds if the SICE VxD is there to answer it */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

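As an added example covering methods 11 and 13 from the analyst's side (not part of the original text): a Python triage routine that locates the device names MeltICE opens and the registry subkeys listed above in a file image (ASCII and UTF-16LE), plus a check that the 0x13 and 0x37 offsets in the BPX condition really land on 'tICE' in the #2 and #1 subkeys. The sample bytes are constructed, not taken from a real binary.

```python
from typing import List, Tuple

# What MeltICE opens (method 11) and what the registry probes read (method 13).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REG_SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

def find_artifacts(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every device name / subkey found."""
    hits = []
    for text in DEVICE_NAMES + REG_SUBKEYS:
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("utf-16le", text.encode("utf-16-le"))):
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append((pos, enc, text))
                start = pos + 1
    return sorted(hits)

def tice_offset(subkey: str) -> int:
    """Offset of the 'tICE' tail inside the lpSubKey string (what esp->8+N reads)."""
    return subkey.find("tICE")

# Constructed file image: an ASCII device name, the #2 subkey as a
# wide string, some filler, and a second device name.
SAMPLE = (b"\x00" * 16
          + b"\\\\.\\SICE\x00"
          + b"\x00" * 5
          + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
          + b"\xCC" * 7
          + b"\\\\.\\NTICE\x00")

if __name__ == "__main__":
    for off, enc, text in find_artifacts(SAMPLE):
        print(f"{off:#06x} {enc:8} {text}")
    for key in REG_SUBKEYS[:2]:
        print(f"'tICE' at +{tice_offset(key):#x} in {key}")
```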
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
. y  S. b6 l6 _3 A0 h- {+ C$ g</PRE></TD></TR></TBODY></TABLE>