<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP set to
the 'BCHK' signature and AX=4, an INT 3 is issued; when SoftICE is loaded it
answers the call and AL no longer holds 4 on return.

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get VxD API entry point): if the VxD is loaded, ES:DI comes
back non-zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Identical to the preceding one except that it asks for the ID of the SoftICE
GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h that every system debugger
returns (in AX) to int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first installs its own int 41h handler
(a plain IRET) so that the call returns harmlessly when no debugger
intercepts the interrupt; a system debugger hooking int 41h at system level
still answers with 0F386h:

    xor ax,ax
    mov es,ax                   ; ES=0 so that ES:[41h*4] is the IVT entry (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect,
because it uses neither the 4Fh function number nor the 0F386h magic value
that a conditional breakpoint could test for. A byte read from the timer
port (in al,40h) serves as a nonce and CX is cleared before the call. If
nothing intercepts int 41h, the program's own handler runs and copies AL
into CL, so the compare matches; if a debugger swallows the interrupt the
handler never runs, CL stays 0 and the mismatch gives the debugger away
(unless the timer byte happened to be 0).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h of
int 68h returns the same 0F386h magic number.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app doing this like so:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
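Added example (not part of the original text): the interrupt-based checks of
Methods 01 to 05 and 07 all carry fixed immediates (the 'BCHK' constant, the
4647h/4A4Dh magic pair, the 1684h/0202h/7A5Fh VxD IDs, the 4Fh and 43h
function numbers), so an analyst triaging a packed sample can fingerprint
them statically. The small C scanner below does that over a code image. The
byte encodings are for 16-bit code except Method 01; in a 32-bit segment the
16-bit register moves carry a 66h prefix, which is why the fingerprints stop
at the immediates and the int instruction. The sample image, the fingerprint
labels and the function names are mine. Method 06 is left out on purpose: it
uses no constant worth matching, which is exactly why the text calls it
harder to detect.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One byte-level fingerprint of a detection routine listed above.
 * Encodings are for 16-bit code unless noted; in a 32-bit code segment the
 * 16-bit register moves are preceded by a 66h operand-size prefix. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

static const uint8_t M01[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh ('BCHK'), 32-bit */
static const uint8_t M02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };             /* mov si,4647h / mov di,4A4Dh */
static const uint8_t M03[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t M04[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const uint8_t M05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh / int 41h */
static const uint8_t M07[] = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h / int 68h */

static const sig_t SIGS[] = {
    { "M01 BoundsChecker 'BCHK' int 3 check",     M01, sizeof M01 },
    { "M02 back door magic SI=4647h DI=4A4Dh",    M02, sizeof M02 },
    { "M03 int 2Fh/1684h, VxD ID 0202h (SICE)",   M03, sizeof M03 },
    { "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", M04, sizeof M04 },
    { "M05 int 41h/4Fh debugger check",           M05, sizeof M05 },
    { "M07 int 68h/43h V86 handler check",        M07, sizeof M07 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Count the occurrences of fingerprint SIGS[idx] in buf; print offsets if verbose. */
size_t sig_hits(const uint8_t *buf, size_t n, size_t idx, int verbose)
{
    if (idx >= NSIGS)
        return 0;
    const sig_t *s = &SIGS[idx];
    size_t hits = 0;
    if (n < s->len)
        return 0;
    for (size_t i = 0; i + s->len <= n; i++) {
        if (memcmp(buf + i, s->bytes, s->len) == 0) {
            hits++;
            if (verbose)
                printf("  %-44s at offset 0x%04zx\n", s->name, i);
        }
    }
    return hits;
}

/* Scan a code image for every fingerprint and return the total number of hits. */
size_t scan_anti_debug(const uint8_t *buf, size_t n, int verbose)
{
    size_t total = 0;
    for (size_t k = 0; k < NSIGS; k++)
        total += sig_hits(buf, n, k, verbose);
    return total;
}

/* Constructed sample image: NOP filler with three of the routines embedded,
 * plus a lone mov si,4647h that must not count (both magic values are needed). */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,  0x66, 0xB8, 0x04, 0x00,  0xCC,  0x3C, 0x04, /* Method 01, 32-bit code */
    0x90, 0x90,
    0xBE, 0x47, 0x46,  0xBF, 0x4D, 0x4A,  0xCC,                                 /* Method 02 */
    0x90, 0x90,
    0xB8, 0x4F, 0x00,  0xCD, 0x41,  0x3D, 0x86, 0xF3,                           /* Method 05, 16-bit code */
    0x90,
    0xBE, 0x47, 0x46,  0x90,                                                    /* SI magic alone: no hit */
};

/* Total number of fingerprints found in the constructed sample. */
size_t demo_scan(void)
{
    return scan_anti_debug(SAMPLE, sizeof SAMPLE, 0);
}

int main(void)
{
    printf("scanning %zu-byte constructed sample\n", sizeof SAMPLE);
    size_t hits = scan_anti_debug(SAMPLE, sizeof SAMPLE, 1);
    printf("%zu anti-debug fingerprint(s) found\n", hits);
    return 0;
}
```

On a real image, feed the bytes of the code section to scan_anti_debug().
A hit is a lead to look at in the debugger, not proof: the same bytes can
occur in legitimate debugger-aware code.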
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with DS:DX
pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can tell whether SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) and whether memory breakpoints are
set (DR0 to DR3). The values can be manipulated or changed as well (clearing
BPMs, for instance).
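Added example (not the page's own code): decoding the two DR7 values quoted
above. The bit layout is the architectural one from the Intel manuals; the
function names are mine. 0x400 turns out to be nothing but the reserved bit
10, which always reads as 1, and 0x700 adds the LE and GE exact-breakpoint
bits; neither value has any of DR0 to DR3 armed, so a check that compares
DR7 against 0x400 is testing SoftICE's presence, not breakpoints. The third
value is constructed to show what an armed BPM-style write breakpoint looks
like.

```c
#include <stdint.h>
#include <stdio.h>

/* Field positions in DR7 (debug control register):
 *   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bit  8     LE   local exact breakpoint enable
 *   bit  9     GE   global exact breakpoint enable
 *   bit  10    reserved, always reads as 1
 *   bit  13    GD   general detect (trap on any MOV to/from a debug register)
 *   bits 16-31 R/Wn (2 bits) and LENn (2 bits) for each DRn */
int dr7_local_enable(uint32_t dr7, int n)  { return (dr7 >> (2 * n)) & 1; }
int dr7_global_enable(uint32_t dr7, int n) { return (dr7 >> (2 * n + 1)) & 1; }
int dr7_le(uint32_t dr7)                   { return (dr7 >> 8) & 1; }
int dr7_ge(uint32_t dr7)                   { return (dr7 >> 9) & 1; }
int dr7_gd(uint32_t dr7)                   { return (dr7 >> 13) & 1; }
int dr7_rw(uint32_t dr7, int n)            { return (dr7 >> (16 + 4 * n)) & 3; }
int dr7_len_field(uint32_t dr7, int n)     { return (dr7 >> (18 + 4 * n)) & 3; }

/* Bitmask of DRn slots that are armed (locally or globally); 0 means no
 * hardware breakpoint is set, whatever the rest of DR7 says. */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int n = 0; n < 4; n++)
        if (dr7_local_enable(dr7, n) || dr7_global_enable(dr7, n))
            m |= 1u << n;
    return m;
}

/* Bytes covered by a LENn field: 00b=1, 01b=2, 11b=4 (10b=8 on 64-bit CPUs). */
int dr7_len_bytes(int len_field)
{
    switch (len_field) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

static const char *dr7_rw_name(int rw)
{
    switch (rw) {
    case 0:  return "execute";
    case 1:  return "write";
    case 3:  return "read/write";
    default: return "I/O (only if CR4.DE is set)";
    }
}

void dr7_print(uint32_t dr7)
{
    printf("DR7 = 0x%08x: LE=%d GE=%d GD=%d armed=0x%x\n", dr7,
           dr7_le(dr7), dr7_ge(dr7), dr7_gd(dr7), dr7_armed_mask(dr7));
    for (int n = 0; n < 4; n++) {
        if (!(dr7_armed_mask(dr7) & (1u << n)))
            continue;
        printf("  DR%d: %s, %s breakpoint, %d byte(s)\n", n,
               dr7_global_enable(dr7, n) ? "global" : "local",
               dr7_rw_name(dr7_rw(dr7, n)),
               dr7_len_bytes(dr7_len_field(dr7, n)));
    }
}

int main(void)
{
    dr7_print(0x400);       /* value quoted above when SoftICE is not active: only the reserved bit */
    dr7_print(0x700);       /* value quoted above for a program started from the SoftICE loader */
    dr7_print(0x000D0401u); /* constructed: DR0 armed locally as a 4-byte write breakpoint */
    return 0;
}
```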
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
the handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
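Added example (not part of the original text) tying Methods 11 and 13
together: the BPX conditions above compare four raw bytes at fixed string
offsets, so it is worth checking where those offsets come from. The C below
computes them from the device names and registry keys quoted on this page,
and matches the names case-insensitively, the way Win32 paths and registry
key names are compared. The function names and the sample inputs are mine.
Running it shows 'tICE' at offset 0x13 in key #2 and 0x37 in key #1, which
is exactly what the _regopenkey breakpoint tests, and that key #3 contains
no 'tICE' at all, so that breakpoint does not cover it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Device names opened by the MeltICE-style check of Method 11. */
static const char *const SICE_DEVICES[] = { "SICE", "SIWVID", "NTICE" };
#define NDEVICES 3

/* Subkeys under HKEY_LOCAL_MACHINE probed by Method 13 (#1, #2, #3 above). */
static const char *const SICE_KEYS[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};
#define NKEYS 3

/* Case-insensitive ASCII string equality: Win32 paths and registry key names
 * are compared case-insensitively, so a detector has to be as well. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Index into SICE_DEVICES of the driver a CreateFile/_lopen path names, or -1.
 * The path must start with the "\\.\" device prefix. */
int softice_device_index(const char *path)
{
    if (strncmp(path, "\\\\.\\", 4) != 0)
        return -1;
    for (int i = 0; i < NDEVICES; i++)
        if (ieq(path + 4, SICE_DEVICES[i]))
            return i;
    return -1;
}

/* Index into SICE_KEYS of a RegOpenKey subkey, or -1. */
int softice_key_index(const char *subkey)
{
    for (int i = 0; i < NKEYS; i++)
        if (ieq(subkey, SICE_KEYS[i]))
            return i;
    return -1;
}

/* Offset of tag within s, or -1. This is the arithmetic behind the BPX
 * conditions above: *(esp->4+4)=='SICE' reads four bytes at string offset 4
 * (just past "\\.\"), *(esp->8+0x13)=='tICE' reads four bytes at offset 0x13. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* Constructed inputs: a lowercase spelling and two non-matches included. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\NTICE",
                            "\\\\.\\SICE2", "C:\\SICE" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-14s -> device index %d\n", paths[i], softice_device_index(paths[i]));

    /* Where 'tICE' sits in each key, i.e. the offsets the _regopenkey BPX tests. */
    for (int i = 0; i < NKEYS; i++)
        printf("key #%d: 'tICE' at offset %ld\n", i + 1, tag_offset(SICE_KEYS[i], "tICE"));
    return 0;
}
```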
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>