About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table segment
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install temporary int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
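The checks listed above leave recognisable byte patterns in a protected binary, which is what an analyst triaging a sample looks for. The following scanner is an added example and not part of the original post: it encodes the instruction sequences from methods 01, 02, 03/04, 05, 07, 11 and 12 as byte signatures and reports which ones occur in a code buffer. The opcode encodings are standard x86 (16-bit forms; the 32-bit variants carry a 66h prefix that the patterns still match), and the sample buffer is constructed here rather than taken from any real file.

```python
"""Static triage helper for the anti-SoftICE checks described in this post.

Added example, not the post's own code. Scans a raw code buffer for the byte
patterns the page's methods leave behind, so an analyst can see which
anti-debugging trick a sample carries without running it.
"""
import re

# Signatures derived from the instruction sequences quoted on the page.
# The lazy wildcards allow a few interleaved instructions between the
# marker operands and the interrupt, as packers often insert junk there.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic)
    ("02 back door int 3",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2F/1684 VxD id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    ("05 int 41/4F magic F386",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68/43",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("12 VxDCall 002A002A/4F",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11 (MeltICE): device names passed to CreateFileA/_lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf: bytes) -> list[tuple[str, int]]:
    """Return (method label, offset) for every signature found, by offset."""
    hits = [(label, m.start())
            for label, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample (not a real binary): NOP padding around a Method 01
# stub, a Method 05 stub and a MeltICE device-name string.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x4F\x00"           # mov ax, 4Fh
    + b"\xCD\x41"               # int 41h
    + b"\x3D\x86\xF3"           # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE",0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"{off:08x}  method {label}")
```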