<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL is still 4 if nothing answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(the 'Get API entry point' function):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next snippet, as well as the following method (06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net). Here ES must already point
to segment 0 (the interrupt vector table), as set up explicitly in method 06:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if nobody else handles int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0, the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a value that is hard to predict (timer)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL==AL only if our handler was reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed
as well (clearing BPMs, for instance).
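As an added example (not part of the original list, and not code from any tool named here), the following Python helper decodes the DR7 layout that this trick reads: which of DR0..DR3 are armed, with what condition and length, and the LE/GE bits that make up the 0x700 value the text associates with the SoftICE loader versus the bare 0x400 (reserved bit 10, which always reads as 1). The bit layout is the documented x86 one; the helper names are ours.

```python
# DR7 (x86 debug control register) field layout, per the Intel manuals:
#   bits 0..7    L0,G0 .. L3,G3   local/global enable of DR0..DR3
#   bits 8,9     LE, GE           exact-match bits (the 0x300 part of 0x700)
#   bit 10       reserved         always reads as 1 (hence the bare 0x400)
#   bit 13       GD               general detect: fault on any debug-register access
#   bits 16..31  R/W0,LEN0 .. R/W3,LEN3   condition and length for each slot
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "readwrite"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) only exists on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields; 'slots' lists the armed DR0..DR3 entries."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            slots.append({
                "slot": i,
                "global": bool(glob),
                "condition": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            })
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The 0x700 shape the text describes: LE and GE set with no slot armed."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not d["slots"]


def clear_slots(dr7: int) -> int:
    """Return DR7 with every DR0..DR3 entry disarmed (what 'clearing BPMs' does to
    the control register); LE/GE/GD and the reserved bit are left untouched."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # 0x10401 and 0x700408 are constructed values: one local write BPM on DR0,
    # and one global read/write 2-byte BPM on DR1.
    for value in (0x400, 0x700, 0x10401, 0x700408):
        print(f"DR7={value:#010x}: {decode_dr7(value)}")
```

Reading DR0..DR7 needs ring0 on this platform, as the text says, so the decoder takes the raw value as an integer rather than reading the register itself.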

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
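As an added example that is not part of the original list (and not code from any packer or tool named above), here is a small static scanner in Python that looks for the byte and string signatures of the tricks from methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw binary, the way an analyst would triage a packed program for SoftICE checks before ever running it. The instruction encodings are standard x86 (16-bit "mov ax,imm16" = B8, "mov bx,imm16" = BB, "mov si,imm16" = BE, "mov di,imm16" = BF, "mov ah,imm8" = B4, "int n" = CD n, "int 3" = CC, 32-bit "mov ebp,imm32" = BD); the allowance of up to 8 unrelated bytes between the key instructions is a tuning choice of ours, and the sample blob is constructed for the demonstration.

```python
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str        # method number in the list above
    description: str
    pattern: bytes     # regular expression over raw bytes


# Up to 8 arbitrary bytes between the key instructions (a tuning choice,
# loose enough to survive a reordered register setup, tight enough to avoid
# matching unrelated code).
GAP = rb"[\x00-\xff]{0,8}"

SIGNATURES = (
    Signature("01", "BoundsChecker interface: mov ebp,'BCHK' ... int 3",
              rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),
    Signature("02", "int 3 back door: mov si,4647h / mov di,4A4Dh ... int 3",
              rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC"),
    Signature("03/04", "int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
              rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F"),
    Signature("05", "int 41h function 4Fh: mov ax,4Fh ... int 41h",
              rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    Signature("07", "int 68h function 43h: mov ah,43h ... int 68h",
              rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    Signature("11", "MeltICE: SoftICE driver device name",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    Signature("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
              rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    Signature("13", "registry lookup of the SoftICE installation keys",
              rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
)


def scan(data: bytes) -> list:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, data):
            hits.append((m.start(), sig.method, sig.description))
    return sorted(hits)


def methods_found(data: bytes) -> list:
    """Distinct method numbers hit, in order of first appearance."""
    seen = []
    for _, method, _ in scan(data):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample: a few of the sequences above glued together with filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Haspinst-style back door call (02)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"      # int 2Fh/1684h for SIWVID (04)
    + b"hello\x00\\\\.\\SICE\x00"                              # MeltICE device name (11)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # push 4Fh / push 002A002Ah / call (12)
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, description in scan(blob):
        print(f"{offset:#010x}  method {method:<5} {description}")
```

Run it with a file path to scan that file, or with no argument to scan the built-in sample. Hits on methods 01, 02, 05 and 07 point at code, so they are worth confirming in a disassembler (the same bytes can occur by chance in data); hits on 11 and 13 are plain strings and rarely ambiguous.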
</PRE></TD></TR></TBODY></TABLE>