About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: an INT 3
issued with EBP='BCHK' and AX=4 is serviced by SoftICE, which modifies AL.
If AL is still 4 afterwards, nobody answered and no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; serviced by SoftICE if it is loaded
    cmp     al,4                   ; AL untouched -> no debugger answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It relies
on the SoftICE 'back door' INT 3 interface, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler if the debugger
  is not loaded.
___________________________________________________________________________
" D6 Y2 {; H8 p$ t/ c6 S
$ x7 y0 n! @' t1 ]% i
) i; O$ B: W5 EMethod 03
- H$ [5 ^( P# D1 B0 l=========/ U; u! L' k* F; b1 p+ \+ s
/ Y. ^7 a% @! ^* A: J- K
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h) Q1 L0 v$ i6 S2 h' [
(API Get entry point)" u/ {" t  P) w' F8 q) P8 l
        
4 P& L8 u* T& s+ \4 j* r/ }! y% B+ a
    xor     di,di
- s4 z+ ]( @- j. ~5 b" H    mov     es,di7 T8 [- S1 z5 s) K( f
    mov     ax, 1684h      
; W5 X! m; w& V5 h$ w  J2 p7 j    mov     bx, 0202h       ; VxD ID of winice( k1 o( G6 U9 R' y; a+ Q
    int     2Fh
. e) x' g. C2 }2 I    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 _* F7 X, Y% X5 c    add     ax, di$ L' N8 D5 w* S: N% u& o9 n. `
    test    ax,ax
/ B8 e( m0 P# h3 H, c; v    jnz     SoftICE_Detected3 s, f& A- `' F! g7 H' R
; `5 u- V# T* h4 D8 l. j7 T
___________________________________________________________________________( k  N6 U; @4 _; H. n9 P  h

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns in AX when int 41h, function 4Fh (debugger installation check)
is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is temporarily
pointed at the program's own IRET stub, so that without a debugger the
call returns with AX still equal to 4Fh; a system debugger services
INT 41h itself and returns 0F386h.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (IVT segment), as Method 06
    xchg    bx, es:[41h*4+2]    ; sets it explicitly
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect (no
4Fh function number and no 0F386h constant). The installed handler copies
AL into CL; if SoftICE services INT 41h itself the handler never runs,
CL stays 0 and the comparison fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT counter: a pseudo-random value in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL==AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler through int 68h (V86 debugger
installation check, AH=43h; a debugger answers AX=0F386h).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and changed as well
(clearing BPMs for instance).

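Added illustration (Python; not part of the original text): a small decoder for the DR7 layout this paragraph relies on. It shows why the two values quoted differ (bit 10 of DR7 always reads as 1, giving 0x400; bits 8 and 9 are the LE/GE "exact breakpoint" enables, which together with bit 10 give 0x700), lists which of DR0..DR3 are armed and with what type and length, and shows the "clearing BPMs" manipulation. The register values in the demo are constructed; nothing here reads real debug registers, which needs ring 0 as the text says.

```python
# DR7 bit layout (Intel SDM vol. 3): bits 0-7 = L0,G0,...,L3,G3 enables,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16+4i..17+4i = R/W field, bits 18+4i..19+4i = LEN field of breakpoint i.
DR7_LE, DR7_GE, DR7_RESERVED1, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and per-breakpoint fields."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def active_breakpoints(dr7: int, dr0_3: tuple) -> list:
    """Return (index, address, type, length) for every armed breakpoint in
    DR0..DR3: this is what a SoftICE BPM looks like when read from ring 0."""
    info = decode_dr7(dr7)
    return [
        (s["index"], dr0_3[s["index"]], s["type"], s["length"])
        for s in info["breakpoints"] if s["enabled"]
    ]


def softice_loader_signature(dr7: int) -> bool:
    """True when LE and GE are both set, i.e. DR7 looks like the 0x700 the
    text reports for a program started through SoftICE Loader (a plain
    boot leaves only the reserved bit: 0x400)."""
    return dr7 & (DR7_LE | DR7_GE) == (DR7_LE | DR7_GE)


def clear_breakpoints(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop the L/G enables and the
    R/W-LEN fields, keep bits 8-15 (LE, GE, reserved, GD) as they were."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed sample: LE|GE|reserved plus breakpoint 0 local, write, 4 bytes
    # at 0x00401000 (what 'BPM 401000 W' would arm).
    sample_dr7 = DR7_LE | DR7_GE | DR7_RESERVED1 | 0x1 | (1 << 16) | (3 << 18)
    sample_dr0_3 = (0x00401000, 0, 0, 0)
    print(hex(sample_dr7), active_breakpoints(sample_dr7, sample_dr0_3))
    print("loader signature:", softice_loader_signature(sample_dr7))
    print("after clearing:", hex(clear_breakpoints(sample_dr7)))
```

An anti-debug routine that runs this from ring 0 gets a false positive on any other kernel debugger that sets LE/GE, which is why the text's warning about clearing breakpoints first applies to the analyst side too.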
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE check: the SoftICE VxD answers DIOC_OPEN on \\.\SICE, so a
   successful CreateFileA means the debugger is loaded.  Repeat with
   "\\\\.\\SIWVID" (Win9x video driver) and "\\\\.\\NTICE" (WinNT). */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if (hFile != INVALID_HANDLE_VALUE)
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).
The service returns with the zero flag clear if a debugger is installed.

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
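The breakpoints quoted under Methods 07, 09, 11, 12 and 13 are how you catch these tricks live under SoftICE; the complementary approach is to find them statically in the file. The scanner below is an added example (Python; it is not from the original text nor from any tool it names). It looks for the byte patterns the listings above leave in a binary: the 'BCHK' immediate of Method 01, the SI=4647h/DI=4A4Dh pair of Method 02, the INT 2Fh/1684h VxD-ID loads of Methods 03 and 04, the INT 41h/4Fh and INT 68h/43h calls of Methods 05 and 07, the 0F386h compare, the 002A002Ah VxDCall of Method 12, the \\.\SICE device names of Method 11 and the registry key names of Method 13. The encodings are hand-assembled from the instructions shown on this page (16-bit forms; a 66h operand-size prefix in 32-bit code leaves the matched bytes intact). The allowed gaps between instructions and the sample "binary" are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    method: str      # which method of the text the pattern belongs to
    name: str
    pattern: bytes   # regex over raw bytes; .{0,n} allows a few bytes in between


RULES = [
    Rule("01", "mov ebp,'BCHK' (BoundsChecker INT 3 interface)",
         rb"\xbd\x4b\x48\x43\x42"),
    Rule("02", "mov si,4647h / mov di,4A4Dh (INT 3 backdoor magic values)",
         rb"\xbe\x47\x46.{0,16}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}\xbe\x47\x46"),
    Rule("03", "mov bx,0202h ... int 2Fh (SICE VxD ID via 2F/1684)",
         rb"\xbb\x02\x02.{0,16}\xcd\x2f"),
    Rule("04", "mov bx,7A5Fh ... int 2Fh (SIWVID VxD ID via 2F/1684)",
         rb"\xbb\x5f\x7a.{0,16}\xcd\x2f"),
    Rule("05", "mov ax,4Fh ... int 41h (debugger installation check)",
         rb"\xb8\x4f\x00.{0,8}\xcd\x41"),
    Rule("07", "mov ah,43h ... int 68h (V86 debugger check)",
         rb"\xb4\x43.{0,8}\xcd\x68"),
    Rule("magic", "cmp ax,0F386h (system-debugger magic number)",
         rb"\x3d\x86\xf3"),
    Rule("11", r"\\.\SICE / \\.\SIWVID / \\.\NTICE device name (MeltICE)",
         re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    Rule("12", "push 002A002Ah (VWIN32_Int41Dispatch VxDCall)",
         rb"\x68\x2a\x00\x2a\x00"),
    Rule("13", "SoftICE registry key name",
         rb"(?:NuMega|Uninstall)\\SoftICE"),
]
_COMPILED = [(r, re.compile(r.pattern, re.DOTALL)) for r in RULES]


def scan(data: bytes) -> list:
    """Return (offset, method, name) for every pattern hit, sorted by offset."""
    hits = []
    for rule, rx in _COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), rule.method, rule.name))
    return sorted(hits)


# Constructed sample "binary": the listings from the text, hand-assembled.
SAMPLE = (
    b"\xbd\x4b\x48\x43\x42"               # mov ebp,4243484Bh (32-bit code, Method 01)
    b"\x66\xb8\x04\x00\xcc"               # mov ax,4 ; int 3
    b"\x3c\x04\x75\x00"                   # cmp al,4 ; jnz $+2
    b"\xb8\x11\x09\x8b\x17"               # mov ax,0911h ; mov dx,[bx]   (Method 02)
    b"\xbe\x47\x46\xbf\x4d\x4a\xcc"       # mov si,4647h ; mov di,4A4Dh ; int 3
    b"\x33\xff\x8e\xc7"                   # xor di,di ; mov es,di        (Method 03)
    b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h ; mov bx,202h ; int 2Fh
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h (05)
    b"\xb4\x43\xcd\x68\x3d\x86\xf3"       # mov ah,43h ; int 68h ; cmp ax,0F386h (07)
    b"\x6a\x4f\x68\x2a\x00\x2a\x00"       # push 4Fh ; push 002A002Ah    (Method 12)
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # MeltICE device names         (Method 11)
    b"Software\\NuMega\\SoftICE\x00"      # registry key                 (Method 13)
)

if __name__ == "__main__":
    for off, method, name in scan(SAMPLE):
        print(f"{off:#06x}  Method {method:<5} {name}")
```

Run it over a packed executable to get a first list of places worth a BPX; the cmp ax,0F386h rule on its own is weak evidence (three common bytes), so treat it as a confirmation of a nearby INT 41h/68h hit rather than a finding by itself.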