<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: int 3 is
called with EBP holding the 'BCHK' signature and AX = 4. If SoftICE is
present it handles the call and modifies AL, so AL is no longer 4
afterwards.

    mov ebp, 04243484Bh   ; 'BCHK' signature
    mov ax, 04h           ; BoundsChecker service 4
    int 3
    cmp al, 4             ; AL untouched = no SoftICE
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'Back Door commands': an int 3 interface that returns
information on breakpoints, executes SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires before it honours the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) set up by
  the program, which is only reached when no debugger handles the int 3.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD API entry point through
int 2Fh function 1684h (Get VxD API entry point). If the VxD with that
ID is loaded, ES:DI comes back non-zero.

    xor di, di
    mov es, di            ; ES:DI = 0 before the call
    mov ax, 1684h         ; int 2Fh/1684h: Get VxD API entry point
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di            ; ES:DI = 0 before the call
    mov ax, 1684h         ; int 2Fh/1684h: Get VxD API entry point
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls int 41h, function 4Fh (the Windows debugger
installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler in the interrupt vector table (segment 0), so that when no
debugger intercepts the call AX is simply left untouched:

    xor ax, ax
    mov es, ax                 ; ES = 0: interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; swap our handler into the vector...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect, because
it never uses function 4Fh: it loads AL with a value read from the timer
port, calls int 41h, and checks whether its own handler (which copies AL
into CL) was the one that ran.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0: interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; pseudo-random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; our handler copied AL to CL
    jnz SoftICE_detected       ; CL != AL: something else handled int 41h
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 debugger interface):

    mov ah, 43h           ; int 68h/43h: debugger installation check
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov ah, 25h                       ; int 21h/25h: set interrupt vector
    mov al, Int_Number                ; 01h (single step) or 03h (breakpoint)
    mov dx, offset New_Int_Routine    ; DS:DX -> new handler (DS = its segment)
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before testing this trick, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints (BPM) are set, since those live in DR0 to DR3. The values can
be manipulated or changed as well (clearing BPMs, for instance).

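The two DR7 values quoted above are easier to reason about once the register
is decoded. The following C program is an added example, not code from the
original page: it splits a DR7 value into its architectural fields and shows
why 0x400 is the "empty" value (only bit 10, which always reads as 1) while
0x700 additionally has the LE and GE exact-breakpoint enables set, and how an
armed BPM shows up in the Ln/Gn, R/Wn and LENn bits. Because user-mode code
cannot read DR7, the functions take the value as a parameter and the page's
two constants are used as constructed input; the function names are the
example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural DR7 bit layout (Intel SDM vol. 3, "Debug Registers"). */
#define DR7_LE       (1u << 8)   /* local exact breakpoint enable        */
#define DR7_GE       (1u << 9)   /* global exact breakpoint enable       */
#define DR7_RESERVED (1u << 10)  /* reserved, always reads as 1          */
#define DR7_GD       (1u << 13)  /* general detect: #DB on any MOV DRn   */

typedef struct {
    int      enabled[4];  /* slot n armed: bit Ln (local) or Gn (global)        */
    unsigned rw[4];       /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write    */
    unsigned len[4];      /* 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes  */
    int      le, ge, gd;
} dr7_fields;

/* Split a DR7 value into its fields. */
dr7_fields dr7_decode(uint32_t dr7)
{
    dr7_fields f = {{0}};
    for (int n = 0; n < 4; n++) {
        f.enabled[n] = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;   /* Ln | Gn */
        f.rw[n]      = (dr7 >> (16 + 4 * n)) & 3u;
        f.len[n]     = (dr7 >> (18 + 4 * n)) & 3u;
    }
    f.le = (dr7 & DR7_LE) != 0;
    f.ge = (dr7 & DR7_GE) != 0;
    f.gd = (dr7 & DR7_GD) != 0;
    return f;
}

/* Number of hardware breakpoints (DR0..DR3) currently armed. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_fields f = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += f.enabled[n];
    return count;
}

/* The page's heuristic: the SoftICE loader leaves LE and GE set (0x700),
 * a plain boot leaves only the reserved bit (0x400). */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Arm slot n as a data breakpoint the way a BPM would; returns the new DR7. */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len, int global)
{
    uint32_t mask = 0xFu << (16 + 4 * n);
    dr7 &= ~mask;                              /* clear old R/Wn and LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    dr7 |= 1u << (2 * n + (global ? 1 : 0));   /* Ln or Gn */
    return dr7 | DR7_RESERVED;
}

static void show(const char *label, uint32_t dr7)
{
    dr7_fields f = dr7_decode(dr7);
    printf("%-16s DR7=%08X LE=%d GE=%d GD=%d armed=%d",
           label, (unsigned)dr7, f.le, f.ge, f.gd, dr7_armed_count(dr7));
    for (int n = 0; n < 4; n++)
        if (f.enabled[n])
            printf(" [DR%d rw=%u len=%u]", n, f.rw[n], f.len[n]);
    putchar('\n');
}

int main(void)
{
    show("no debugger", 0x400u);      /* reserved bit only */
    show("SoftICE loader", 0x700u);   /* LE + GE + reserved */
    /* a read/write BPM on a dword (rw=3, len=3) in slot 0 on top of 0x400 */
    show("0x400 + BPM", dr7_arm(0x400u, 0, 3, 3, 0));
    return 0;
}
```

The check a protection actually makes is the one in dr7_looks_like_softice_loader
and dr7_armed_count: LE/GE set, or any Ln/Gn bit set, and it is already
suspicious. The same fields are what a loader would zero to "clear BPMs" as the
text describes.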
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle on the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the Win32 device name of the SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025       ; "\\.\SICE"
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091         ; open failed: not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and only
 the first four characters of the device name are compared, which is why
 'SIWV' and 'NTIC' appear rather than the full names.)

-The most exotic ones (can be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the inc/jnz test):

    push 00                  ; OF_READ
    mov eax,[00656634]       ; -> "\\.\SICE",0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; -1 (HFILE_ERROR) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; -> "\\.\SICE"
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

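As an added example (not code from the page, from MeltICE or from NuMega),
here is portable C that implements the two comparisons a hook on CreateFileA
or _lopen would make on the lpFileName argument: the four-byte prefix test
used by the BPX above, and an exact, case-insensitive match against the
driver names the page lists (SICE, SIWVID, NTICE). It runs the matcher over a
constructed log of file names, so it can be compiled anywhere; the function
names and the sample names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Win32 device path prefix "\\.\" written as a C literal. */
#define DEVICE_PREFIX "\\\\.\\"

/* Driver names the page lists: SICE, SIWVID (Win9x), NTICE (WinNT). */
static const char *const softice_devices[] = { "SICE", "SIWVID", "NTICE" };
#define SOFTICE_DEVICE_COUNT 3

/* Four-character tags the BPX compares: only the first dword after the prefix. */
static const char *const bpx_tags[] = { "SICE", "SIWV", "NTIC" };

/* Return the device name after "\\.\", or NULL if this is not a device path. */
const char *device_name(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, DEVICE_PREFIX, 4) != 0)
        return NULL;
    return lpFileName + 4;
}

/* Mirror of "BPX CreateFileA if *(esp->4+4)=='SICE' || ...": a byte-exact
 * compare of the four bytes that follow the prefix, nothing more. */
int bpx_would_break(const char *lpFileName)
{
    const char *dev = device_name(lpFileName);
    if (dev == NULL || strlen(dev) < 4)
        return 0;
    for (int i = 0; i < 3; i++)
        if (memcmp(dev, bpx_tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Case-insensitive equality (Win32 device names are not case sensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Exact match for a hook: index into softice_devices, or -1. */
int softice_device_index(const char *lpFileName)
{
    const char *dev = device_name(lpFileName);
    if (dev == NULL)
        return -1;
    for (int i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (ieq(dev, softice_devices[i]))
            return i;
    return -1;
}

/* Constructed sample: file names as a CreateFileA/_lopen hook would see them. */
const char *const sample_opens[] = {
    "\\\\.\\SICE",            /* MeltICE, Win9x                          */
    "\\\\.\\siwvid",          /* same driver, different case              */
    "\\\\.\\NTICE",           /* MeltICE, WinNT                           */
    "\\\\.\\SIWVxx",          /* trips the 4-byte BPX, not a real driver  */
    "C:\\TEMP\\readme.txt",   /* ordinary file                            */
    "\\\\.\\PhysicalDrive0"   /* another device, unrelated                */
};
#define SAMPLE_COUNT 6

/* Run both tests over a log of opens; returns the number of exact hits. */
int scan_open_log(const char *const *names, int count)
{
    int hits = 0;
    for (int i = 0; i < count; i++) {
        int idx = softice_device_index(names[i]);
        printf("%-24s bpx=%d exact=%s\n", names[i], bpx_would_break(names[i]),
               idx < 0 ? "-" : softice_devices[idx]);
        if (idx >= 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("suspicious opens: %d\n", scan_open_log(sample_opens, SAMPLE_COUNT));
    return 0;
}
```

The two functions disagree on purpose: the BPX condition is byte-exact and
only looks at four characters, so it misses "\\.\siwvid" and fires on
"\\.\SIWVxx", while the exact matcher does the opposite. A hook meant to catch
MeltICE-style checks wants the exact, case-insensitive form.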
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word selects the VxD (VWIN32),
                            ; low word the service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase every file in the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 inside the key paths #2 and #1 above.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed          ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>