About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE emulates: with
EBP = 'BCHK' and AX = 4, an INT 3 is answered by SoftICE, which changes AL.
If AL is still 4 afterwards, nobody intercepted the INT 3.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"). If the VxD is loaded, ES:DI receives its API
entry point; if not, ES:DI stays 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs its own dummy int 41h
handler in the interrupt vector table first (ES must be 0, as in method 06),
so a normal system returns without touching AX; only a debugger hooking
int 41h underneath will still answer 0F386h:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the handler copies AL into CL, so after the int 41h CL equals the timer
value read from port 40h only if the program's own handler really ran.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles on the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the device could be opened: driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
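As an added example (not code from the original post), here is a small Python scanner that looks for the byte-level fingerprints of the tricks listed above in a raw code/data blob: the encoded immediates for methods 01 to 07 and 12 ('BCHK', the 4647h/4A4Dh magic values, VxD IDs 0202h/7A5Fh, int 41h/4Fh, int 68h/43h, the VWIN32 2A002Ah VxDCall) and the device/registry strings for methods 11 and 13. The opcode encodings in the fragment table are the standard Intel ones and are my assumption about how the snippets get assembled; the sample blob is constructed from the Haspinst.exe listing above plus a hand-assembled method 12 sequence, and the `scan`/`find_all` names are mine.

```python
"""Fingerprint the anti-SoftICE tricks above in a raw x86 code/data blob.

Added example, not code from the original post. Each trick is reduced to an
'anchor' fragment (its most distinctive immediate operand) plus the other
fragments that must sit within WINDOW bytes of it. Matching on fragments
instead of whole instruction sequences tolerates the extra instructions and
the 66h operand-size prefixes packers put in between. Encodings assumed:
B8+r imm (MOV reg,imm), 6A imm8 / 68 imm32 (PUSH), CD imm8 (INT),
3D imm16 (CMP AX,imm), B4 imm8 (MOV AH,imm), E4 imm8 (IN AL,port).
"""
from typing import Dict, List, Tuple

WINDOW = 16  # bytes allowed on either side of the anchor for the other fragments

# method -> [anchor, other fragments...]
TRICKS: Dict[str, List[bytes]] = {
    "01 BoundsChecker 'BCHK' int 3": [
        b"\xBD\x4B\x48\x43\x42",   # mov ebp, 4243484Bh
        b"\xB8\x04\x00",           # mov ax, 4
        b"\xCC",                   # int 3
    ],
    "02 SoftICE back door int 3 (SI=4647h DI=4A4Dh)": [
        b"\xBE\x47\x46",           # mov si, 4647h
        b"\xBF\x4D\x4A",           # mov di, 4A4Dh
        b"\xCC",                   # int 3
    ],
    "03 int 2Fh/1684h VxD ID 0202h (SICE)": [
        b"\xBB\x02\x02",           # mov bx, 0202h
        b"\xB8\x84\x16",           # mov ax, 1684h
        b"\xCD\x2F",               # int 2Fh
    ],
    "04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)": [
        b"\xBB\x5F\x7A",           # mov bx, 7A5Fh
        b"\xB8\x84\x16",           # mov ax, 1684h
        b"\xCD\x2F",               # int 2Fh
    ],
    "05 int 41h/4Fh magic F386h": [
        b"\xCD\x41",               # int 41h
        b"\xB8\x4F\x00",           # mov ax, 4Fh
        b"\x3D\x86\xF3",           # cmp ax, 0F386h
    ],
    "06 int 41h with port 40h timer read": [
        b"\xE4\x40",               # in al, 40h
        b"\xCD\x41",               # int 41h
    ],
    "07 int 68h/43h magic F386h": [
        b"\xCD\x68",               # int 68h
        b"\xB4\x43",               # mov ah, 43h
        b"\x3D\x86\xF3",           # cmp ax, 0F386h
    ],
    "12 VxDCall VWIN32_Int41Dispatch 4Fh": [
        b"\x68\x2A\x00\x2A\x00",   # push 2A002Ah
        b"\x6A\x4F",               # push 4Fh
        b"\x3D\x86\xF3",           # cmp ax, 0F386h
    ],
}

# Plain strings that give away methods 11 (MeltICE device names) and 13 (registry keys)
STRINGS: Dict[str, bytes] = {
    "11 MeltICE device name \\\\.\\SICE": b"\\\\.\\SICE",
    "11 MeltICE device name \\\\.\\SIWVID": b"\\\\.\\SIWVID",
    "11 MeltICE device name \\\\.\\NTICE": b"\\\\.\\NTICE",
    "13 registry key Software\\NuMega\\SoftICE": b"Software\\NuMega\\SoftICE",
    "13 registry key Uninstall\\SoftICE": b"Uninstall\\SoftICE",
}


def find_all(blob: bytes, frag: bytes) -> List[int]:
    """Every offset at which frag occurs in blob (overlapping hits included)."""
    hits, pos = [], blob.find(frag)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(frag, pos + 1)
    return hits


def scan(blob: bytes, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return sorted (offset, method) pairs for every trick fingerprint found."""
    found: List[Tuple[int, str]] = []
    for method, (anchor, *others) in TRICKS.items():
        for pos in find_all(blob, anchor):
            region = blob[max(0, pos - window): pos + len(anchor) + window]
            if all(frag in region for frag in others):
                found.append((pos, method))
    for method, text in STRINGS.items():
        found.extend((pos, method) for pos in find_all(blob, text))
    return sorted(found)


# Constructed sample: the Haspinst.exe loop from the post hand-assembled as
# 16-bit code, then the MeltICE device name, then a hand-assembled method 12
# sequence, padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"            # mov ax, 0911h
    + b"\x8B\x17"                # mov dx, [bx]
    + b"\xBE\x47\x46"            # mov si, 4647h
    + b"\xBF\x4D\x4A"            # mov di, 4A4Dh
    + b"\xCC"                    # int 3
    + b"\x83\xC3\x02"            # add bx, 2
    + b"\x41"                    # inc cx
    + b"\x83\xF9\x06"            # cmp cx, 6
    + b"\x72\xEB"                # jb back to the mov ax
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"         # "\\.\SICE",0 as it sits in the data section
    + b"\x90" * 8
    + b"\x6A\x4F"                # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"    # push 2A002Ah
    + b"\xE8\x00\x00\x00\x00"    # call Kernel32!ORD_0001 (rel32 left as zero)
    + b"\x66\x3D\x86\xF3"        # cmp ax, 0F386h
    + b"\x74\x00"                # jz SoftICE_detected (displacement left as zero)
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:08X}  {method}")
```

On the constructed sample this reports method 02 at offset 0Dh, the `\\.\SICE` string at 25h and method 12 at 38h. A fragment scanner only finds tricks whose immediates are stored in clear; a packer that builds 4647h or 'BCHK' arithmetically at run time, or that places the fragments more than WINDOW bytes apart, slips through, which is why the SoftICE breakpoints listed under each method remain the reliable way to catch them live.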