About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP = 'BCHK'
and AX = 4, the INT 3 is serviced by SoftICE, which returns with AL changed.
If AL is still 4 afterwards, SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one).  It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first; if the VxD is loaded,
the call returns its API entry point in ES:DI, otherwise ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next variant, as well as method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first installs its own
dummy int 41h handler (ES must be 0, the interrupt vector table segment, as
in method 06): a debugger that merely hooked the vector is bypassed and AX
comes back unchanged, whereas SoftICE catches the interrupt itself and still
answers 0F386h.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
4Fh/0F386h constants appear, so a breakpoint conditioned on them misses it.
AL is loaded with an unpredictable timer value and CX is cleared; if the
program's own handler ran, CL equals AL afterwards; if SoftICE handled the
interrupt instead, CL no longer matches AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only). Bit 10 of DR7 always reads as 1, which is where the 0x400
comes from; the extra 0x300 are the LE/GE bits. Values can be manipulated or
changed as well (clearing BPMs for instance).
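As an added example (not from the original text), here is the bit decoding behind the dr7 values quoted above, per the Intel debug-register layout: which of DR0..DR3 are enabled, their access type and length, the LE/GE bits that make up 0x700 versus 0x400, and the value to write back to clear every hardware breakpoint. Reading DR7 itself needs ring0 (mov eax,dr7), so the program works on constructed values; the DR1 sample is an assumed 4-byte write breakpoint, not a value captured from SoftICE.

```c
#include <stdint.h>
#include <stdio.h>

/* One decoded hardware breakpoint slot from DR7 (bit layout per the Intel SDM). */
typedef struct {
    int      slot;      /* 0..3, i.e. which of DR0..DR3 holds the address */
    int      local;     /* L<n> bit */
    int      global;    /* G<n> bit */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;       /* 1, 2, 4 (or 8 on x86-64) bytes */
} HwBp;

#define DR7_LE    (1u << 8)
#define DR7_GE    (1u << 9)
#define DR7_RES1  (1u << 10)   /* reserved, always reads as 1: the 0x400 */
#define DR7_GD    (1u << 13)   /* general detect: traps any MOV to/from DRn */

/* The loader-signature check from method 10: 0x700 has LE|GE set, 0x400 does not. */
int dr7_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Decode the armed slots into bps[]; returns how many are enabled (L or G set). */
int dr7_armed(uint32_t dr7, HwBp bps[4])
{
    static const unsigned lens[4] = {1, 2, 8, 4};   /* LEN field 00,01,10,11 */
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        if (!l && !g)
            continue;
        bps[n].slot   = i;
        bps[n].local  = l;
        bps[n].global = g;
        bps[n].rw     = (dr7 >> (16 + 4 * i)) & 3;   /* R/W<n> field */
        bps[n].len    = lens[(dr7 >> (18 + 4 * i)) & 3];
        n++;
    }
    return n;
}

/* "Clearing BPMs": the value to write back so that no slot is enabled,
 * leaving the reserved bit, LE/GE and GD untouched. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & ~(0x000000FFu | 0xFFFF0000u);
}

int main(void)
{
    /* Constructed values: 0x700 / 0x400 are the two cases named in method 10;
     * the third is an assumed 4-byte write breakpoint in DR1 (L1 set). */
    const uint32_t samples[] = { 0x700, 0x400, 0x00D00404 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        HwBp bps[4];
        int n = dr7_armed(samples[k], bps);
        printf("dr7=%08x loader=%d armed=%d cleared=%08x\n",
               (unsigned)samples[k], dr7_loader_signature(samples[k]), n,
               (unsigned)dr7_clear_breakpoints(samples[k]));
        for (int i = 0; i < n; i++)
            printf("  DR%d L=%d G=%d rw=%u len=%u\n", bps[i].slot,
                   bps[i].local, bps[i].global, bps[i].rw, bps[i].len);
    }
    return 0;
}
```

A protection that checks DR7 in ring0 sees exactly these fields; a BPM set from SoftICE shows up as an enabled slot with a non-execute R/W code, which is why the warning above says to clear breakpoints before running such a target.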

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
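The instruction sequences of methods 01 to 07 and 12, and the device names of method 11, are fixed byte patterns, so the same tricks can be located statically in a binary before it is ever run under SoftICE. The C program below is an added example for this page (not the original author's code): it hand-encodes those sequences as signatures and scans a constructed sample image. The signature names and the sample bytes are mine; the scan is exact-byte, so a packer that reorders the moves or assembles `int 3` as the two-byte `CD 03` would need a looser pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One byte-pattern signature: every byte must match (no wildcards). */
typedef struct { const char *name; const uint8_t *bytes; size_t len; } Sig;
typedef struct { const char *name; size_t offset; } Hit;

/* Encodings of the instruction sequences listed in the methods above, assembled
 * by hand.  The 16-bit sequences are as a DOS/V86 program contains them; the
 * method 01 and 12 sequences are 32-bit code (66h operand-size prefix on mov ax,4). */
static const uint8_t m01[]  = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC}; /* mov ebp,'BCHK'; mov ax,4; int 3 */
static const uint8_t m02[]  = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};             /* mov si,4647h; mov di,4A4Dh */
static const uint8_t m03[]  = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};  /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t m04[]  = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};  /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const uint8_t m05[]  = {0xB8,0x4F,0x00, 0xCD,0x41};                  /* mov ax,4Fh; int 41h */
static const uint8_t m07[]  = {0xB4,0x43, 0xCD,0x68};                       /* mov ah,43h; int 68h */
static const uint8_t m12[]  = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};        /* push 4Fh; push 002A002Ah */
static const uint8_t f386[] = {0x3D,0x86,0xF3};                             /* cmp ax,0F386h (16-bit) */

#define BYTES(n, a) { n, a, sizeof(a) }
#define TEXT(n, s)  { n, (const uint8_t *)s, sizeof(s) - 1 }

static const Sig sigs[] = {
    BYTES("method 01: BCHK int 3",              m01),
    BYTES("method 02: int 3 backdoor magic",    m02),
    BYTES("method 03: int 2F/1684 SICE",        m03),
    BYTES("method 04: int 2F/1684 SIWVID",      m04),
    BYTES("method 05: int 41/4F",               m05),
    BYTES("method 07: int 68/43",               m07),
    BYTES("method 12: VxDCall Int41Dispatch",   m12),
    BYTES("cmp ax,0F386h magic",                f386),
    TEXT ("method 11: \\\\.\\SICE device name",   "\\\\.\\SICE"),
    TEXT ("method 11: \\\\.\\SIWVID device name", "\\\\.\\SIWVID"),
    TEXT ("method 11: \\\\.\\NTICE device name",  "\\\\.\\NTICE"),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Linear scan of a raw image; returns the number of hits stored (at most max_hits). */
size_t scan_image(const uint8_t *img, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (sigs[s].len <= len - off &&
                memcmp(img + off, sigs[s].bytes, sigs[s].len) == 0) {
                hits[n].name   = sigs[s].name;
                hits[n].offset = off;
                if (++n == max_hits)
                    break;
            }
        }
    }
    return n;
}

/* Constructed sample image (not taken from a real binary): NOP padding around
 * the Haspinst sequence of method 02, then method 03, method 05 with its
 * magic compare, and a MeltICE device name. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, /* offset 2: mov ax,911h; mov dx,[bx]; mov si; mov di; int 3 */
    0x90,
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,                       /* offset 15 */
    0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x00,             /* offset 24: int 41/4F; cmp ax,0F386h; jz */
    '\\','\\','.','\\','S','I','C','E', 0,                           /* offset 34 */
};

int main(void)
{
    Hit hits[16];
    size_t n = scan_image(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

Each hit is an offset to set a BPX on (or to patch) before tracing, which is cheaper than the conditional breakpoints listed under the individual methods when the target is a packed DOS or Win9x program you can read from disk.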

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' inside the key paths #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.