About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (IVT) here, as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a (changing) PIT counter byte into al
    xor     cx,cx                   ; cl = 0
    int     41h                     ; our handler copies al to cl, unless a debugger intercepts int 41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
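The byte sequences behind Methods 01 to 07 are fixed enough to be looked for statically, which is what an analyst triaging a DOS/Win9x sample wants before single-stepping into one of these checks. The scanner below is an added example, not part of the original article or of any packer: it encodes the listed instructions as they assemble for 16-bit code, tolerates a few bytes between the key instructions, and reports every hit with its offset. The sample buffer is hand-assembled from the listings above, and the pattern names, the ANTI_SICE_PATTERNS table and the scan()/scan_file() functions are this example's own.

```python
import re

# Regexes over raw bytes.  Immediates are little-endian; the encodings are the
# plain MASM output for 16-bit code (B8+r = mov r16,imm16; CD ib = int ib).
ANTI_SICE_PATTERNS = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    ("M01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\x66\xBD\x4B\x48\x43\x42.{0,16}?\xB8\x04\x00.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (SoftICE back door)
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh) int 3",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,32}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ... int 41h
    ("M05 int 41h/4Fh magic number check",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41", re.S)),
    # Method 06: in al,40h ... int 41h (timer byte echoed by a fake handler)
    ("M06 int 41h handler-reached check (in al,40h)",
     re.compile(rb"\xE4\x40.{0,24}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ... int 68h
    ("M07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,16}?\xCD\x68", re.S)),
]


def scan(code):
    """Return [(offset, name), ...] for every pattern hit, ordered by offset."""
    hits = []
    for name, rx in ANTI_SICE_PATTERNS:
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk; same result shape as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not taken from any real binary): Method 01, the Method 02
# sequence from the Haspinst listing, Method 03 and Method 07, hand-assembled
# for 16-bit code and separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh      (offset 4)
    + b"\xB8\x04\x00"               # mov ax, 4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"               # mov ax, 0911h
    + b"\x8B\x17"                   # mov dx, [bx]
    + b"\xBE\x47\x46"               # mov si, 4647h           (offset 27)
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh
    + b"\xCC"                       # int 3
    + b"\x90" * 4
    + b"\x33\xFF"                   # xor di, di
    + b"\x8E\xC7"                   # mov es, di
    + b"\xB8\x84\x16"               # mov ax, 1684h           (offset 42)
    + b"\xBB\x02\x02"               # mov bx, 0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\xB4\x43"                   # mov ah, 43h             (offset 50)
    + b"\xCD\x68"                   # int 68h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
)


if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Treat hits as triage leads rather than proof: the regexes accept only a short gap between the key instructions, so reordered or junk-padded variants are missed, and a short pattern such as M05 (mov ax,4Fh followed by int 41h) can match unrelated bytes; confirm each hit in a disassembler. Running the block prints the four constructed hits at offsets 4, 27, 42 and 50.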

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
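The two DR7 values quoted above (0x700 and 0x400) are easier to reason about once the register is split into its fields. The decoder below is an added example, not part of the original article: the bit layout (L0..G3 in bits 0-7, LE/GE in bits 8-9, bit 10 always set, GD in bit 13, R/W and LEN pairs from bit 16 upwards) is the documented x86 one, while the function names, the helper that encodes the article's "loader" heuristic and the constructed breakpoint value are this example's own. It only interprets a value the reader already has; reading DR7 itself needs ring0, as the article says.

```python
# Field encodings from the x86 DR7 layout.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field -> bytes watched (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and its four breakpoint slots."""
    fields = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally always reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap on MOV DRx
        "slots": [],
    }
    for i in range(4):
        local_en = bool(dr7 & (1 << (2 * i)))
        global_en = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        fields["slots"].append({
            "local": local_en,
            "global": global_en,
            "enabled": local_en or global_en,
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return fields


def armed_slots(dr7):
    """Indices of DR0..DR3 that are enabled, i.e. the BPMs Method 10 looks for."""
    return [i for i, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def article_loader_signature(dr7):
    """The article's Method 10 heuristic: LE and GE set (0x700) when the target
    was started from the SoftICE loader, clear (0x400) otherwise."""
    f = decode_dr7(dr7)
    return f["LE"] and f["GE"]


def describe(dr7):
    """Human-readable summary of a DR7 value, e.g. from a ring0 register dump."""
    f = decode_dr7(dr7)
    lines = [f"DR7={dr7:#x}: LE={int(f['LE'])} GE={int(f['GE'])} GD={int(f['GD'])}"]
    for i, s in enumerate(f["slots"]):
        if s["enabled"]:
            scope = "global" if s["global"] else "local"
            lines.append(f"  DR{i}: {scope} {s['condition']} breakpoint, {s['length']} byte(s)")
    if not armed_slots(dr7):
        lines.append("  no hardware breakpoints armed")
    return "\n".join(lines)


# Constructed value: 0x400 plus a locally enabled 4-byte read/write BPM in DR0.
EXAMPLE_BPM_DR7 = 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)   # == 0xF0401

if __name__ == "__main__":
    for value in (0x400, 0x700, EXAMPLE_BPM_DR7):
        print(describe(value))
```

The 0x400 case decodes to nothing but the always-set bit 10, which is why the article calls it the "no debugger" baseline; 0x700 adds LE and GE, the exact-breakpoint enables a debugger sets when it arms the debug registers. A BPM shows up as one of the four slots being enabled, as in the constructed 0xF0401 value.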
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>

Powered by Discuz! X3.5

© 2001-2025 Discuz! Team.