About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the utility the HASP
dongle Envelope uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
' F8 @; z! B# `2 ]/ d/ g
# V* c+ ~* v: |% W) F# ^1 u# J
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

____________________________________________________________________________
% [% v0 U- l. y2 Y$ f6 E7 Z; r; Y3 f5 |9 x# i1 Z
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
+ l; V6 E* W* {) P
& j, |- X6 v0 s# n) a
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must be 0 here (see Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
3 c( o9 ^9 J, R5 s4 \' ~
( S- I& T# V' E8 K  P3 n
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
; X! F6 L  `. R7 n7 k* ?0 C% s  _
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
. q( s  r( ]+ U
6 B, M( f* W, Z
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
- N! |1 P, z& a! D+ s3 s, x" @8 S" n5 Q
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
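The two DR7 values the text quotes are easier to read once the register is decoded. The following Python is an added example (mine, not part of the original text or of any tool it names): it decodes DR7 according to the documented x86 layout (L0..G3 enable bits in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, and the R/W and LEN fields of each slot from bit 16 upwards) and then applies the reading the text gives to 0x700 versus 0x400. The third sample value, with one write breakpoint armed, is constructed for illustration.

```python
# Decoder for the x86 DR7 debug-control register (added example, not part of
# the original text).  Bit positions follow the architectural DR7 layout.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field encoding -> breakpoint length in bytes (0b10 = 8 bytes is 64-bit only)
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the global flags and the per-slot settings encoded in DR7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 2 bits from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: 2 bits from bit 18
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),              # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)), # architecturally always 1
        "GD": bool(dr7 & (1 << 13)),             # general detect: #DB on any MOV to/from DRn
        "armed_slots": [s["slot"] for s in slots if s["enabled"]],
        "slots": slots,
    }


def classify(dr7):
    """Apply the reading the text gives: armed slots, 0x700 (LE/GE) or bare 0x400."""
    d = decode_dr7(dr7)
    if d["armed_slots"]:
        return f"hardware breakpoints armed: slots {d['armed_slots']}"
    if d["LE"] and d["GE"]:
        return "LE/GE set (text: 0x700, program started by the SoftICE loader)"
    return "only the reserved bit set (text: 0x400, not started by the SoftICE loader)"


# Sample values: the two from the text, plus a constructed one where slot 0 is
# a local, 4-byte write breakpoint (L0 | R/W0=01 | LEN0=11 | reserved bit 10).
SAMPLE_VALUES = [0x700, 0x400, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)]

if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        d = decode_dr7(value)
        print(f"DR7={value:#x}: LE={d['LE']} GE={d['GE']} GD={d['GD']} -> {classify(value)}")
        for s in d["slots"]:
            if s["enabled"]:
                print(f"   slot {s['slot']}: {s['condition']}, {s['length']} byte(s)")
```

The decoding shows that the two values the text quotes differ only in LE/GE (bits 8 and 9), which the SoftICE loader sets, while bit 10 is set on every machine regardless of any debugger. The GD bit is the defensive counterpart of this trick: a debugger that sets it receives a #DB exception before the MOV that reads DR0-DR7 completes, so a check of this kind is caught at the instruction that performs it.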

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE device; the handle opens only if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
. u& @& @2 S& W/ X5 u! x( u2 W; i
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
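For an analyst triaging a sample without running it, the listings of Methods 01, 02, 05, 07, 11 and 12 each reduce to a short byte sequence that can be searched for statically. The following Python scanner is an added example, not from the original text or from any tool it names; the opcode encodings are my own assumptions derived from the listings above (16-bit forms, with a tolerated 66h operand-size prefix where noted), and the SAMPLE buffer is constructed from those listings, not taken from any real file. It reports the offset of each hit and the method number it corresponds to.

```python
# Static scanner for the anti-SoftICE byte patterns described in the text
# (added example, not part of the original post).  Encodings are assumptions
# from the listings: check them against a disassembler before relying on them.
import re

# (description, compiled byte pattern, method number in the text)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42, then int 3 (CC)
    # within a few bytes (a leading 66h prefix in 16-bit code still matches)
    ("BoundsChecker 'BCHK' handshake",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL), 1),
    # Method 02: mov si,4647h (BE 47 46) / mov di,4A4Dh (BF 4D 4A), either
    # order, with an optional 66h prefix between them for 32-bit code
    ("int 3 back door magic values SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A|"
                rb"\xBF\x4D\x4A(?:\x66)?\xBE\x47\x46"), 2),
    # Method 05: int 41h (CD 41) then cmp ax,0F386h (3D 86 F3) within a few
    # bytes; Stone's xchg variants fit inside the window
    ("int 41h / 4Fh debugger installation check",
     re.compile(rb"\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL), 5),
    # Method 07: int 68h (CD 68) then cmp ax,0F386h
    ("int 68h debugger check",
     re.compile(rb"\xCD\x68.{0,16}?\x3D\x86\xF3", re.DOTALL), 7),
    # Method 11: NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    # as passed to CreateFileA or _lopen
    ("MeltICE driver handle name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"), 11),
    # Method 12: push 002A002Ah (68 2A 00 2A 00), the VWIN32_Int41Dispatch
    # service number handed to VxDCall
    ("VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x2A\x00\x2A\x00"), 12),
]


def scan(blob):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for description, pattern, method in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_found(blob):
    """Sorted list of the method numbers whose signature appears in blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample mimicking the listings in the text, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh     (Method 01)
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax, 0911h          (Method 02, 16-bit)
    + b"\xBE\x47\x46"              # mov si, 4647h
    + b"\xBF\x4D\x4A"              # mov di, 4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"              # mov ax, 4Fh            (Method 05, 16-bit)
    + b"\xCD\x41"                  # int 41h
    + b"\x3D\x86\xF3"              # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\x68\x4F\x00\x00\x00"      # push 4Fh               (Method 12)
    + b"\x68\x2A\x00\x2A\x00"      # push 002A002Ah
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE"             (Method 11)
    + b"\\\\.\\NTICE\x00"          # "\\.\NTICE"
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:02d}  {description}")
    print("methods found:", methods_found(SAMPLE))
```

The windowed patterns (`.{0,16}?`) are deliberately loose so that the xchg-based variants of Method 05 still match; on a real sample that looseness costs a few false positives, which is why each hit carries its offset so it can be confirmed in a disassembler. Method 07 has no entry in the sample, so the scan correctly reports nothing for it.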

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

. }) A2 H2 x  z% o$ Z7 T4 R5 X/ q
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>