About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE, if loaded, services this call and changes AL
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if no such VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (the IVT) here; install a
    xchg    bx, es:[41h*4+2]        ; dummy handler so int 41h cannot hang
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
because the magic number 0F386h never appears in the code:

int41handler PROC
    mov     cl,al                   ; our own handler: just copy AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler on int 41h
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = timer byte (a throw-away value)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The code relies on this: if no debugger is present, int 41h reaches the
program's own handler, which copies AL into CL, so the compare succeeds. If
SoftICE is hooked on int 41h, the program's handler is not the one that
services the call, CL is left at 0, and the compare fails.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; ds:dx -> new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
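As an added illustration (not part of the original text), the two DR7 values quoted above are easier to read once the register is decoded field by field. Bit 10 of DR7 is reserved and always reads as 1, which is the 0x400; LE and GE (bits 8 and 9) add 0x300, giving the 0x700 the SoftICE loader leaves behind. Any L/G enable bit means a hardware breakpoint (a BPM) is armed, and the R/W and LEN fields say what kind. The values below are constructed for the demonstration: the two from the text plus 0x000D0703, which is what a 4-byte write BPM in slot 0 looks like, with a made-up address in DR0.

```c
#include <stdio.h>
#include <stdint.h>

struct Dr7Slot { int local, global; unsigned rw, len; };
struct Dr7Info {
    struct Dr7Slot slot[4];
    int le, ge, gd;      /* local/global exact breakpoint enable, general detect */
    int active;          /* slots with either enable bit set */
};

/* Field layout from the Intel SDM description of DR7:
 * bits 0..7 L0,G0 .. L3,G3   bit 8 LE   bit 9 GE   bit 10 reserved, reads as 1
 * bit 13 GD   bits 16+4i R/Wi (00 exec, 01 write, 10 I/O, 11 read/write)
 * bits 18+4i LENi (00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes in 64-bit mode) */
struct Dr7Info decode_dr7(uint32_t dr7)
{
    struct Dr7Info d = {0};
    for (int i = 0; i < 4; i++) {
        d.slot[i].local  = (dr7 >> (2 * i))      & 1;
        d.slot[i].global = (dr7 >> (2 * i + 1))  & 1;
        d.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len    = (dr7 >> (18 + 4 * i)) & 3;
        if (d.slot[i].local || d.slot[i].global) d.active++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* 0: nothing but the reserved bit (the 0x400 case)
 * 1: LE/GE set, no slot armed (the 0x700 the SoftICE loader leaves)
 * 2: at least one slot armed, i.e. a BPM-style hardware breakpoint is live */
int classify_dr7(uint32_t dr7)
{
    struct Dr7Info d = decode_dr7(dr7);
    if (d.active) return 2;
    if (d.le || d.ge) return 1;
    return 0;
}

static const char *rw_name(unsigned rw)
{
    static const char *const n[] = { "execute", "write", "I/O", "read/write" };
    return n[rw & 3];
}

static unsigned len_bytes(unsigned len)
{
    static const unsigned b[] = { 1, 2, 8, 4 };
    return b[len & 3];
}

/* Print what a ring-0 read of DR0..DR3 and DR7 reveals; addr[i] is DRi. */
void print_debug_regs(uint32_t dr7, const uint32_t addr[4])
{
    struct Dr7Info d = decode_dr7(dr7);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  class=%d\n",
           dr7, d.le, d.ge, d.gd, classify_dr7(dr7));
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local || d.slot[i].global)
            printf("  DR%d=%08x  %s%s %s, %u byte(s)\n", i, addr[i],
                   d.slot[i].local ? "L" : "", d.slot[i].global ? "G" : "",
                   rw_name(d.slot[i].rw), len_bytes(d.slot[i].len));
}

int main(void)
{
    /* constructed values: the two from the text, plus a 4-byte write BPM in
     * slot 0 at a made-up linear address */
    static const uint32_t none[4] = { 0, 0, 0, 0 };
    static const uint32_t bpm[4]  = { 0x0040101C, 0, 0, 0 };
    print_debug_regs(0x00000400u, none);
    print_debug_regs(0x00000700u, none);
    print_debug_regs(0x000D0703u, bpm);
    return 0;
}
```

Reading DR7 is only half the story: a protection that clears the L/G bits (or the whole register) as the text mentions also disarms the BPM, which is why the warning about not tracing with breakpoints set is there.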

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* \\.\SICE is the Win9x SoftICE VxD; \\.\SIWVID and \\.\NTICE are
      checked the same way */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR is -1
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1, esp->8 being the lpSubKey argument):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
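The constants these tricks hard-code (the 'BCHK' signature of method 01, the 4647h/4A4Dh magic values of method 02, the 1684h/0202h/7A5Fh VxD lookups of methods 03 and 04, int 41h/4Fh and 0F386h of methods 05 and 12, int 68h/43h of method 07, the \\.\SICE device names of method 11 and the registry path of method 13) are also what gives them away on disk. The scanner below is an added example, not part of the original text or of any tool it mentions: it walks a raw code buffer looking for the 16-bit opcode encodings of those sequences and for the device and registry strings. The sample buffer is hand-assembled for the demonstration, not taken from any real program, and the signatures are deliberately short, so a packer can dodge them by reordering or splitting the moves (method 06 has no magic value at all and is matched only on its in al,40h ... int 41h shape).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WILD 0x100                     /* pattern entry that matches any byte */

struct Sig {
    const char *name;
    int pat[10];                       /* byte values or WILD, -1 terminates */
};

/* Opcode sequences for the constants the tricks hard-code. 16-bit encodings
 * are given; in 32-bit code the same bytes follow a 66h prefix, which the
 * patterns deliberately do not anchor on. */
static const struct Sig sigs[] = {
    /* Method 01: mov ebp,4243484Bh ('BCHK') */
    { "M01 BoundsChecker 'BCHK' in EBP",     { 0xBD, 0x4B, 0x48, 0x43, 0x42, -1 } },
    /* Method 02: mov ax,09xxh (weak alone), mov si,4647h, mov di,4A4Dh */
    { "M02 back door AX=09xxh (weak)",       { 0xB8, WILD, 0x09, -1 } },
    { "M02 back door SI=4647h ('FG')",       { 0xBE, 0x47, 0x46, -1 } },
    { "M02 back door DI=4A4Dh ('JM')",       { 0xBF, 0x4D, 0x4A, -1 } },
    /* Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
    { "M03 int 2F/1684h VxD 0202h (SICE)",   { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, -1 } },
    { "M04 int 2F/1684h VxD 7A5Fh (SIWVID)", { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F, -1 } },
    /* Method 05: mov ax,4Fh ; int 41h */
    { "M05 int 41h function 4Fh",            { 0xB8, 0x4F, 0x00, 0xCD, 0x41, -1 } },
    /* Method 06: in al,40h ; <2-byte xor cx,cx> ; int 41h (no magic value) */
    { "M06 in al,40h ... int 41h",           { 0xE4, 0x40, WILD, WILD, 0xCD, 0x41, -1 } },
    /* Method 07: mov ah,43h ; int 68h */
    { "M07 int 68h function 43h",            { 0xB4, 0x43, 0xCD, 0x68, -1 } },
    /* Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
    { "M12 push 002A002Ah (VxDCall)",        { 0x68, 0x2A, 0x00, 0x2A, 0x00, -1 } },
    /* Methods 05/07/12 compare the result with the magic number: cmp ax,0F386h */
    { "cmp ax,0F386h (debugger magic)",      { 0x3D, 0x86, 0xF3, -1 } },
};

/* Device names (Method 11) and the usual registry key (Method 13). */
static const char *const strsigs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
    "Software\\NuMega\\SoftICE",
};

static int match_at(const unsigned char *buf, size_t len, size_t off, const int *pat)
{
    for (size_t i = 0; pat[i] != -1; i++) {
        if (off + i >= len) return 0;
        if (pat[i] != WILD && buf[off + i] != (unsigned char)pat[i]) return 0;
    }
    return 1;
}

/* Scans buf for every signature; prints each hit when verbose is nonzero
 * and returns the total number of hits. */
int scan_anti_softice(const unsigned char *buf, size_t len, int verbose)
{
    int hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++)
        for (size_t off = 0; off < len; off++)
            if (match_at(buf, len, off, sigs[s].pat)) {
                if (verbose) printf("%08zx  %s\n", off, sigs[s].name);
                hits++;
            }
    for (size_t s = 0; s < sizeof strsigs / sizeof strsigs[0]; s++) {
        size_t n = strlen(strsigs[s]);
        for (size_t off = 0; off + n <= len; off++)
            if (memcmp(buf + off, strsigs[s], n) == 0) {
                if (verbose) printf("%08zx  string \"%s\"\n", off, strsigs[s]);
                hits++;
            }
    }
    return hits;
}

/* Constructed sample: hand-assembled fragments of methods 01, 02, 04, 06, 11
 * and 12, not bytes taken from any real program. */
static const unsigned char sample[] = {
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04,   /* M01, 32-bit */
    0xB8,0x11,0x09, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,             /* M02 */
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,                        /* M04 */
    0xE4,0x40, 0x33,0xC9, 0xCD,0x41, 0x38,0xC1,                       /* M06 */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0x00,0x00,0x00,0x00,    /* M12 */
    0x66,0x3D,0x86,0xF3,                                              /* cmp ax,0F386h */
    '\\','\\','.','\\','S','I','C','E',0,                             /* M11 */
};

const unsigned char *sample_buf(void) { return sample; }
size_t sample_len(void) { return sizeof sample; }

int main(void)
{
    int n = scan_anti_softice(sample, sizeof sample, 1);
    printf("%d signature hit(s)\n", n);
    return 0;
}
```

Run against the sample it reports nine hits (M01, the three M02 constants, M04, M06, the M12 push, the 0F386h compare and the \\.\SICE string); the same table, fed a whole DOS or PE image, is a quick first pass before sitting down with the debugger.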

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Source: 汶上信息港 forum (Discuz! X5.0)