<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened while the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
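The checks in Methods 01 to 13 all leave recognisable constants behind in the
protected binary: the 'BCHK' marker, the 4647h/4A4Dh magic values, the SICE
and SIWVID VxD IDs, the 0F386h magic number, the \\.\SICE device names and the
registry key strings. Those constants are what an analyst looks for when
triaging a sample before running it. The scanner below is an added example,
not code from the original text: it turns the listings above into byte
patterns (standard x86 opcode encodings chosen by the editor; the optional 66h
prefix covers the 16-bit register moves a 32-bit build emits) and reports
which methods a buffer contains. The image it scans is constructed inline and
is not a real program.

```python
import re

# Byte signatures for the SoftICE checks of Methods 01-13.  The opcode
# encodings are the editor's own rendering of the listings above:
# B8+r = mov r16/r32,imm ; CD xx = int xx ; 3D = cmp ax,imm16 ;
# 6A/68 = push imm8/imm32.  '\x66?' admits the operand-size prefix.
SIGNATURES = [
    ("Method 01: 'BCHK' BoundsChecker marker (mov ebp,4243484Bh)",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    ("Method 02: INT 3 back door magic (mov si,4647h ; mov di,4A4Dh)",
     re.compile(rb"\x66?\xbe\x47\x46.{0,8}\x66?\xbf\x4d\x4a", re.DOTALL)),
    ("Method 03/04: int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     re.compile(rb"\x66?\xb8\x84\x16.{0,8}\x66?\xbb(?:\x02\x02|\x5f\x7a)",
                re.DOTALL)),
    ("Method 05/06: int 41h followed by cmp ax,0F386h",
     re.compile(rb"\xcd\x41.{0,16}\x66?\x3d\x86\xf3", re.DOTALL)),
    ("Method 07: mov ah,43h ; int 68h (V86 WinICE handler)",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("Method 13: SoftICE registry key string",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(data: bytes):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for desc, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), desc))
    return sorted(hits)


def methods_found(data: bytes):
    """Set of 'Method NN' labels present in the buffer, for quick triage."""
    return {desc.split(":")[0] for _, desc in scan(data)}


def build_sample() -> bytes:
    """Constructed test image (NOP filler plus a few of the checks); not a real binary."""
    image = bytearray(b"\x90" * 16)
    # Method 01, 32-bit build: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4
    image += b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"
    image += b"\x90" * 8
    # Method 02, 16-bit build: mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    image += b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"
    image += b"\x90" * 8
    # Method 03, 16-bit build: mov ax,1684h ; mov bx,0202h ; int 2Fh
    image += b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    image += b"\x90" * 8
    # Method 12: push 4Fh ; push 002A002Ah (the VxDCall that follows is omitted)
    image += b"\x6a\x4f\x68\x2a\x00\x2a\x00"
    image += b"\x00" * 8
    # Methods 11 and 13: ANSI strings as a data section would hold them
    image += b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"
    return bytes(image)


if __name__ == "__main__":
    for offset, desc in scan(build_sample()):
        print(f"{offset:#06x}  {desc}")
```

The patterns are deliberately narrow (they match the exact immediates the
text gives, within a few bytes of each other), so a hit is worth a look rather
than noise. A protector can of course build the constants at run time or keep
the device names in Unicode, in which case the breakpoints listed under each
method, on the interrupt, on CreateFileA or on the registry API, remain the
way to catch it.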
( D3 i7 n# O# d! K h
; T* }! `6 x" q! D( m% O y__________________________________________________________________________
8 i7 K3 p- w" M u# T/ D8 U X
* J) A3 u% u$ \4 V6 V) @( R
' p: e3 Z7 W) V0 t0 B9 e FMethod 14
& N- @2 |7 i5 T=========9 e P. E* X. [) N
" e c) S6 q) q* [5 @# M. OA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# h* z) u6 Z6 b1 F
is to determines whether a debugger is running on your system (ring0 only).
, @# j4 i7 R2 y/ R1 N6 [
% P; A+ _0 k% r; L7 N3 b VMMCall Test_Debug_Installed& c" Q @3 |) i) r$ R+ n; ~
je not_installed
) G4 ^$ |6 i1 l# W& q1 R) j7 F& Q- ~/ p1 ?" s4 Y" W& }( q
This service just checks a flag.
4 }+ t! ^- _# P! _: @</PRE></TD></TR></TBODY></TABLE> |