About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
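As an added example (not part of the original text), the C program below scans raw code bytes for the operand loads that methods 01 and 02 perform right before their INT 3: 'BCHK' into EBP, and the 'FG'/'JM' magic values into SI/DI. This is the kind of static signature check an unpacker or malware triage tool applies to flag these tricks in a DOS or Win32 binary without running it. The byte samples are hand-assembled from the listings above (the Haspinst.exe loop, and the method 01 fragment as 16-bit code); the jnz displacement in the second sample and the 16-byte WINDOW are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Immediate loads that precede the INT 3 in the two tricks
   (x86: BD / 66 BD = mov (e)bp,imm32; BE = mov si,imm16; BF = mov di,imm16). */
static const uint8_t SIG_BCHK[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t SIG_SI_FG[] = { 0xBE, 0x47, 0x46 };             /* mov si,4647h ('FG') */
static const uint8_t SIG_DI_JM[] = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh ('JM') */

#define WINDOW 16   /* assumed: how far before the INT 3 the operand loads may sit */

struct hit {
    size_t int3_offset;  /* offset of the 0xCC byte that completes the pattern */
    int    method;       /* 1 = BoundsChecker 'BCHK' check, 2 = back door (FG/JM) */
};

/* Is pattern pat present anywhere in buf[end-WINDOW .. end)? */
static int seen_before(const uint8_t *buf, size_t end, const uint8_t *pat, size_t patlen)
{
    size_t start = end > WINDOW ? end - WINDOW : 0;
    for (size_t i = start; i + patlen <= end; i++)
        if (memcmp(buf + i, pat, patlen) == 0)
            return 1;
    return 0;
}

/* Scan raw code bytes: every INT 3 (0xCC) is checked for the operand loads that
   identify method 01 or method 02 in the bytes just before it.
   Returns the number of hits written to out (at most max_hits). */
size_t scan_anti_softice(const uint8_t *buf, size_t len, struct hit *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        if (buf[i] != 0xCC)
            continue;
        if (seen_before(buf, i, SIG_BCHK, sizeof SIG_BCHK)) {
            out[n].int3_offset = i; out[n].method = 1; n++;
        } else if (seen_before(buf, i, SIG_SI_FG, sizeof SIG_SI_FG) &&
                   seen_before(buf, i, SIG_DI_JM, sizeof SIG_DI_JM)) {
            out[n].int3_offset = i; out[n].method = 2; n++;
        }
    }
    return n;
}

/* Convenience for single-hit checks: method number of the first hit, or 0 if none. */
int first_hit_method(const uint8_t *buf, size_t len)
{
    struct hit h;
    return scan_anti_softice(buf, len, &h, 1) ? h.method : 0;
}

/* Constructed sample: the Haspinst.exe loop from the listing above, assembled by hand
   (16-bit code; jump displacements computed from the listing's addresses). */
const uint8_t SAMPLE_BACKDOOR[] = {
    0xB8, 0x11, 0x09,        /* 0095  mov ax,0911h */
    0x8B, 0x17,              /* 0098  mov dx,[bx]  */
    0xBE, 0x47, 0x46,        /* 009A  mov si,4647h */
    0xBF, 0x4D, 0x4A,        /* 009D  mov di,4A4Dh */
    0xCC,                    /* 00A0  int 3        */
    0x83, 0xC3, 0x02,        /* 00A1  add bx,2     */
    0x41,                    /* 00A4  inc cx       */
    0x83, 0xF9, 0x06,        /* 00A5  cmp cx,6     */
    0x72, 0xEB,              /* 00A8  jb 0095      */
    0xE9, 0x55, 0xFF,        /* 00AA  jmp 0002     */
    0x8B, 0xDC               /* 00AD  mov bx,sp    */
};

/* Constructed sample: method 01 as it appears in 16-bit code (66h operand-size prefix). */
const uint8_t SAMPLE_BCHK[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp,4243484Bh */
    0xB8, 0x04, 0x00,                    /* mov ax,4          */
    0xCC,                                /* int 3             */
    0x3C, 0x04,                          /* cmp al,4          */
    0x75, 0x10                           /* jnz SoftICE_Detected (displacement assumed) */
};

/* Constructed sample: ordinary DOS exit followed by 0xCC padding, which must not match. */
const uint8_t SAMPLE_BENIGN[] = {
    0xB8, 0x00, 0x4C,        /* mov ax,4C00h */
    0xCD, 0x21,              /* int 21h      */
    0xCC, 0xCC, 0xCC, 0xCC   /* padding      */
};

int main(void)
{
    struct hit hits[8];
    const struct { const char *name; const uint8_t *buf; size_t len; } samples[] = {
        { "backdoor", SAMPLE_BACKDOOR, sizeof SAMPLE_BACKDOOR },
        { "bchk",     SAMPLE_BCHK,     sizeof SAMPLE_BCHK },
        { "benign",   SAMPLE_BENIGN,   sizeof SAMPLE_BENIGN },
    };
    for (size_t s = 0; s < 3; s++) {
        size_t n = scan_anti_softice(samples[s].buf, samples[s].len, hits, 8);
        printf("%s: %zu hit(s)\n", samples[s].name, n);
        for (size_t k = 0; k < n; k++)
            printf("  method %02d, INT 3 at offset 0x%zx\n", hits[k].method, hits[k].int3_offset);
    }
    return 0;
}
```

The scanner keys on the INT 3 and looks backwards, so it still fires when a packer reorders the register loads; widen WINDOW if the loads are further away, and expect false negatives when the constants are built at run time instead of loaded as immediates.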
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
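The two DR7 values quoted above are explained by the documented DR7 layout: bit 10 is architecturally always set, so 0x400 is an idle register, while 0x700 additionally has the LE and GE "exact breakpoint" bits (8 and 9) set with no breakpoint slot armed. The decoder below is an added example, not code from the original text; it follows the bit layout in the Intel SDM (vol. 3, "Debug Registers") and goes beyond the page by also decoding armed slots (L0 to G3, R/W and LEN fields), so a DR7 value read from a crash dump or a saved thread context can be interpreted when hunting for hardware breakpoints. The dr7_arm helper and the constructed sample value are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware breakpoint slots described by DR7. */
struct hwbp {
    int local_enable;   /* Ln bit (cleared by the CPU on a task switch) */
    int global_enable;  /* Gn bit */
    int rw;             /* 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len_bytes;      /* 1, 2, 4, or 8 (8 only in 64-bit mode) */
};

struct dr7_state {
    struct hwbp bp[4];
    int le, ge;         /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;             /* bit 13: general detect, traps any MOV to/from a debug register */
    int enabled_count;  /* slots with L or G set, i.e. breakpoints that are actually armed */
};

static int len_from_field(int f)
{
    switch (f) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;  /* encoding 10b */
    }
}

/* Decode a DR7 value into its fields. */
struct dr7_state dr7_decode(uint32_t dr7)
{
    struct dr7_state s = {0};
    for (int n = 0; n < 4; n++) {
        s.bp[n].local_enable  = (dr7 >> (2 * n))      & 1;
        s.bp[n].global_enable = (dr7 >> (2 * n + 1))  & 1;
        s.bp[n].rw            = (dr7 >> (16 + 4 * n)) & 3;
        s.bp[n].len_bytes     = len_from_field((dr7 >> (18 + 4 * n)) & 3);
        if (s.bp[n].local_enable || s.bp[n].global_enable)
            s.enabled_count++;
    }
    s.le = (dr7 >> 8)  & 1;
    s.ge = (dr7 >> 9)  & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* Assumed helper: compute the DR7 value that arms slot n (used here only to build a
   sample value; nothing touches the real registers). len_field is the raw 2-bit encoding. */
uint32_t dr7_arm(uint32_t dr7, int n, int global, int rw, int len_field)
{
    dr7 |= 1u << 10;                                   /* reserved bit 10, always 1 */
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (uint32_t)((rw & 3) | ((len_field & 3) << 2)) << (16 + 4 * n);
    return dr7;
}

static void print_dr7(uint32_t v)
{
    struct dr7_state s = dr7_decode(v);
    printf("DR7=%#010x: LE=%d GE=%d GD=%d, %d slot(s) armed\n",
           (unsigned)v, s.le, s.ge, s.gd, s.enabled_count);
    for (int n = 0; n < 4; n++)
        if (s.bp[n].local_enable || s.bp[n].global_enable)
            printf("  DR%d: %s, rw=%d, len=%d\n", n,
                   s.bp[n].global_enable ? "global" : "local", s.bp[n].rw, s.bp[n].len_bytes);
}

int main(void)
{
    print_dr7(0x400);                      /* value quoted above without the SoftICE loader */
    print_dr7(0x700);                      /* value quoted above with the SoftICE loader */
    print_dr7(dr7_arm(0x400, 0, 0, 3, 3)); /* constructed: 4-byte read/write BPM in DR0 */
    return 0;
}
```

Only the L/G bits say whether a slot is live; the address itself is in DR0 to DR3, which is why the text says the values must be read in ring 0.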

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver accepts an open on its device name. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
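The CreateFileA breakpoint in method 11 and the _regopenkey breakpoint just above both rely on SoftICE comparing the dword at an address with a four-character constant in memory order. The C program below is an added example, not from the original text, that reproduces that comparison on constructed inputs so the offsets can be checked (+4 skips the "\\.\" device prefix; 0x13 and 0x37 are where "tICE" sits in registry keys #2 and #1), and it makes one caveat visible: the condition is a 4-byte prefix test, so any device name starting with the same four letters fires it, which is both why "SIWV" catches SIWVID and why unrelated names can cause false breaks. The function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack a four-character tag as the little-endian dword its bytes occupy in memory,
   so that a plain dword compare reproduces SoftICE's *(addr)=='SICE'. */
static uint32_t tag4(const char *s)
{
    return (uint32_t)(uint8_t)s[0]       | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/* Does the 4-byte tag appear at byte offset off of the string? The real breakpoint reads
   the four bytes blindly; here a string too short to contain them simply does not match. */
int tag_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    uint32_t v;
    memcpy(&v, s + off, 4);          /* unaligned read of the dword at s+off */
    return v == tag4(tag);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   esp->4 is the first argument (lpFileName); +4 skips the "\\.\" device prefix.
   Returns the tag that would fire the breakpoint, or NULL. */
const char *createfile_bpx(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (tag_at(lpFileName, 4, tags[i]))
            return tags[i];
    return NULL;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is the second argument (lpSubKey). Returns 1 if the breakpoint would fire. */
int regopenkey_bpx(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed inputs: the device names from the text, an ordinary file, and a name
       that merely shares the first four letters (the prefix check fires on it too). */
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\readme.txt", "\\\\.\\SICEXYZ" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *t = createfile_bpx(names[i]);
        printf("CreateFileA(\"%s\") -> %s\n", names[i], t ? t : "no break");
    }
    const char *keys[] = { "Software\\NuMega\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\Run" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               regopenkey_bpx(keys[i]) ? "break" : "no break");
    return 0;
}
```

The registry condition is tied to the exact key spellings on the page: a key with a different prefix puts "tICE" at another offset, so it is worth recomputing the offset with tag_at before trusting the breakpoint against a new sample.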

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.