<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very commonly used method (perhaps the most frequent one). It is
used to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP             ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI non-zero means the VxD answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 so that es:[41h*4] addresses the IVT entry (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler simply copies AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a pseudo-random byte from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; if a debugger swallowed the int, our handler never ran and cl != al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

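To make the DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes a DR7 value into the per-breakpoint fields and the global flags, using the documented IA-32 layout. The values 0x700 and 0x400 are the ones the text gives for "loaded with the SoftICE loader" and "clean"; the third value is constructed here to show what a single DR0 write breakpoint looks like. The function name looks_like_softice_loader is an assumed name for the text's heuristic, not anything SoftICE itself exposes.

```python
# Added example: decode the DR7 debug control register referred to in method 10.
# Bit layout (IA-32): L0..L3/G0..G3 at bits 0-7, LE bit 8, GE bit 9, bit 10 is
# reserved and always reads 1, GD bit 13, R/Wn at bits 16+4n, LENn at bits 18+4n.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8 (64-bit only), 11=4


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the global flags held in DR7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "local": bool(local), "global": bool(glob),
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "le": bool(dr7 & 0x100),          # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),          # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),         # general detect: trap on any access to DR0-DR7
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: 0x700 means LE and GE set (bit 10 is always 1),
    0x400 means nothing but the reserved bit. Assumed name, not a SoftICE API."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


if __name__ == "__main__":
    # 0xD0401 is constructed: L0 set, R/W0 = 01 (write), LEN0 = 11 (4 bytes)
    for v in (0x400, 0x700, 0xD0401):
        print(hex(v), looks_like_softice_loader(v), decode_dr7(v))
```

Reading dr7 is only possible from ring0, as the text says; the decoder is for interpreting a value you have already captured, for instance from a kernel debugger or a crash dump, so you can tell a debugger-set BPM apart from the loader's LE/GE bits.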
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        /* try to open the SICE driver through its device name */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;    /* the driver answered: SoftICE is loaded */
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>