<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker ('BCHK') interface of SoftICE: when SoftICE is
loaded, its int 3 handler changes AL, which the compare below detects.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in BX:DX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(the installed handler copies AL into CL; if CL and AL differ afterwards,
something other than that handler serviced the int 41h):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer value: an unpredictable AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

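As an added example (not part of the original text), the following Python scanner
flags the constants catalogued in Methods 01-05, 07, 11 and 13 in a raw binary
image; it is the kind of triage check an analyst runs on a sample to spot
anti-debugging code before tracing it. The byte patterns are this example's own
encodings of the quoted instructions (16-bit code, with an optional 66h prefix for
32-bit code) and the sample image is constructed inline.

```python
"""Flag SoftICE-detection constants (Methods 01-05, 07, 11, 13 above) in a binary image.
Added example; byte patterns are this example's own encodings of the quoted code."""
import re

# Driver names opened by MeltICE (Method 11) and the registry key of Method 13.
DRIVER_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE"]


def _string_alternatives(names):
    """Alternation matching each name as ASCII or as UTF-16LE (the ...W API variants)."""
    forms = []
    for name in names:
        forms.append(re.escape(name))
        forms.append(re.escape(name.decode("ascii").encode("utf-16-le")))
    return b"(?:" + b"|".join(forms) + b")"


# Instruction encodings assume 16-bit code; '\x66?' also admits the same
# instruction in 32-bit code, and '.{0,8}?' tolerates a few bytes in between.
SIGNATURES = {
    "Method01 BoundsChecker 'BCHK' interface (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "Method02 SoftICE back door magic (mov si,4647h / mov di,4A4Dh)":
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
    "Method03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "Method05/07 int 41h or int 68h followed by cmp ax,0F386h":
        rb"\xCD[\x41\x68].{0,8}?\x66?\x3D\x86\xF3",
    "Method11 MeltICE driver name (SICE/SIWVID/NTICE)":
        _string_alternatives(DRIVER_NAMES),
    "Method13 NuMega registry key":
        _string_alternatives(REGISTRY_KEYS),
}


def scan(image: bytes):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image: NOP filler around hand-encoded copies of the quoted snippets."""
    method02 = bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    method05 = bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 10")        # mov ax,4Fh; int 41h; cmp ax,0F386h; jz ...
    method03 = bytes.fromhex("31 FF 8E C7 B8 84 16 BB 02 02 CD 2F")  # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    filler = b"\x90" * 16
    return (filler + method02 + filler + method05 + filler + method03 + filler
            + DRIVER_NAMES[0] + b"\x00" + filler + REGISTRY_KEYS[0] + filler)


if __name__ == "__main__":
    for offset, desc in scan(build_sample()):
        print(f"{offset:08x}  {desc}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit is a lead to inspect, not proof, since the byte patterns can also occur in unrelated data.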
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>