<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
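Added example, not part of the original text: a small Python triage scanner that
searches a binary for the byte patterns of the checks described in Methods 01 to 13
(the 'BCHK' constant, the 4647h/4A4Dh magic pair, int 2Fh/1684h with the SICE and
SIWVID VxD IDs, int 41h/4Fh, int 68h/43h, the 0F386h compare, the \\.\SICE device
names, the VWIN32 VxDCall words and the registry key names), so an analyst can flag a
packer that uses them. The SAMPLE buffer is constructed here; instruction encodings are
the 16-bit forms shown above, with an optional 66h prefix accepted for 32-bit code.

```python
import re


def _p(pat):
    # DOTALL so "." also matches 0x0A bytes between two instructions
    return re.compile(pat, re.DOTALL)


# Signature name -> compiled byte pattern. Heuristics for triage, not proof.
SIGNATURES = {
    "M01 BCHK int 3":            _p(rb"\xbd\x4b\x48\x43\x42"),          # mov ebp,4243484Bh
    "M02 back door SI/DI magic": _p(rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a"),
    "M03/04 int 2Fh/1684h VxD ID":
        _p(rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    "M05 int 41h/4Fh":           _p(rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),  # mov ax,4Fh ; int 41h
    "M07 int 68h/43h":           _p(rb"\xb4\x43\xcd\x68"),              # mov ah,43h ; int 68h
    "cmp ax,0F386h":             _p(rb"(?:\x66)?\x3d\x86\xf3"),          # debugger magic compare
    "M11 MeltICE device name":   _p(b"|".join(re.escape(b"\\\\.\\" + n)
                                              for n in (b"SICE", b"SIWVID", b"NTICE"))),
    "M12 VxDCall Int41Dispatch": _p(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    "M13 registry key":          _p(b"|".join(re.escape(k)
                                              for k in (b"NuMega\\SoftICE", b"Uninstall\\SoftICE"))),
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = [(m.start(), name)
            for name, pat in SIGNATURES.items()
            for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample: a benign prologue followed by several of the page's tricks.
SAMPLE = (
    b"\x55\x8b\xec"                                        # 0: push ebp / mov ebp,esp
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # 3: Method 01
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"                  # 15: Method 02 (mov si/di magic, int 3)
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                  # 23: Method 03 (VxD ID 0202h)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                  # 31: Method 05 + cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                   # 39: Method 11 device name
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                      # 48: Method 12 (push 4Fh; push 2A002Ah)
    + b"\x90" * 4
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```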
</PRE></TD></TR></TBODY></TABLE>