<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' signature
    mov ax, 04h             ; BoundsChecker sub-function
    int 3                   ; SoftICE's int 3 handler answers the request
    cmp al,4                ; SoftICE changes al when it handles the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911    ; execute command.
    4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647    ; 1st magic value.
    4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
    4C19:00A8  JB   0095       ; 6 different commands.
    4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; int 2Fh function: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; es+di stays 0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; int 2Fh function: get VxD API entry point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; es+di stays 0 if the VxD is not installed
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; int 41h function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es must address the IVT (set as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old
    xchg bx, es:[41h*4+2]   ; vector in bx:dx
    mov ax,4fh
    int 41h                 ; the dummy handler leaves ax untouched, so only a
                            ; debugger intercepting int 41h can return 0F386h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC          ; does nothing
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC           ; fake int 41h handler: copies al into cl
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a value that differs on each run
    xor cx,cx
    int 41h                 ; if our handler ran, cl == al; if a debugger took
                            ; the interrupt instead, cl is still 0
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h              ; int 68h function 43h: debugger installation check
    int 68h
    cmp ax,0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening \\.\SICE only succeeds when the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected
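The checks above compile to fixed byte sequences, so an analyst can triage a sample for them statically. The scanner below is an added example (not part of the original text and not from any tool named on this page): it covers methods 01, 02, 03/04, 05, 07 and 12 by instruction pattern and methods 11 and 13 by string, using the standard x86 encodings of the listed instructions, and runs on a constructed sample image.

```python
"""Hypothetical static triage scanner (added example, not from the original
text). It searches a raw file image for the byte patterns of the SoftICE
checks of methods 01, 02, 03/04, 05, 07 and 12 and for the driver / registry
strings of methods 11 and 13. An optional 0x66 prefix lets one pattern cover
16-bit DOS code and 32-bit PE code; gaps tolerate interleaved instructions."""
import re
import sys
from typing import Dict, List

GAP = rb".{0,8}?"       # up to 8 bytes of other code between two fragments
P66 = rb"(?:\x66)?"     # operand-size prefix present only in 32-bit code

def _strings(*names: bytes) -> bytes:
    """Alternation matching each name as an ANSI or a UTF-16LE string."""
    alts = [re.escape(n) for n in names]
    alts += [re.escape(n.decode().encode("utf-16-le")) for n in names]
    return b"|".join(alts)

SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01": rb"\xBD\x4B\x48\x43\x42" + GAP + P66 + rb"\xB8\x04\x00" + GAP + rb"\xCC",
    # method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    "M02": P66 + rb"\xBE\x47\x46" + GAP + P66 + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03_04": P66 + rb"\xB8\x84\x16" + GAP + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05": P66 + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + P66 + rb"\x3D\x86\xF3",
    # method 07: mov ah,43h / int 68h
    "M07": rb"\xB4\x43" + GAP + rb"\xCD\x68",
    # method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "M12": rb"\x6A\x4F" + GAP + rb"\x68\x2A\x00\x2A\x00",
    # method 11: MeltICE driver names
    "M11": _strings(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"),
    # method 13: registry keys revealing a SoftICE installation
    "M13": _strings(b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE"),
}

def scan(image: bytes) -> Dict[str, List[int]]:
    """Return {signature id: [file offsets]} for every signature that matches."""
    hits: Dict[str, List[int]] = {}
    for sid, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, image, re.DOTALL)]
        if offsets:
            hits[sid] = offsets
    return hits

# Constructed sample: fake header, the compiled checks of methods 01, 02 and 05,
# a MeltICE driver name and a Unicode registry key (offsets noted per line).
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04" + b"\x90" * 4  # M01 at 16
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC" + b"\x90" * 4  # M02 at 37
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3" + b"\x00" * 4                  # M05 at 48
    + b"\\\\.\\SICE\x00" + b"\x00" * 4                                    # M11 at 60
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")                     # M13 at 73
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for sid, offsets in sorted(scan(data).items()):
        print(sid, ", ".join(f"0x{o:X}" for o in offsets))
```

Run it with a file path to scan a real sample; without arguments it scans the embedded constructed image. A hit is a lead for manual review, not proof: the int 3 and int 41h sequences also occur in legitimate debugger-aware code.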

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed    ; zero flag set if no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>