<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to access the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They temporarily replace the int 41h
vector with a dummy handler so that only a debugger that hooks the
interrupt below the IVT can answer the call:

    ; es is assumed to address the IVT at segment 0, as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
A random byte (read from the timer port) is passed in al; if our handler
actually runs it copies al into cl, if a debugger swallowed the
interrupt cl stays 0:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
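The two DR7 values quoted above only make sense once the register is read field by field. The following decoder is an added example, not part of the original text: it splits a DR7 value into the per-slot enable bits, the breakpoint type/length fields and the LE/GE/GD control flags, using the bit layout documented in the Intel manuals. The sample values are constructed (0x400 and 0x700 are the page's own figures; 0xD0402 is a made-up value with one global 4-byte write breakpoint in slot 0), and the `looks_like_softice_loader` heuristic simply encodes the page's claim that the loader leaves LE and GE set.

```python
# Added example: decode an x86 DR7 value into its fields.
# Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit  8     LE              local exact breakpoint enable
#   bit  9     GE              global exact breakpoint enable
#   bit  10    reserved, always reads as 1 (hence the 0x400 baseline)
#   bit  13    GD              general detect (trap on any MOV to DRx)
#   bits 16-31 R/Wn, LENn      condition and length for DR0..DR3

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b means 8 bytes (64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the control flags of DR7."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The page's heuristic: the SoftICE loader leaves LE and GE set (0x700),
    a plain boot leaves only the reserved bit (0x400). Assumption taken
    from the text above, not verified against a live system here."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def describe(dr7: int) -> str:
    """Human-readable one-liner for a DR7 value."""
    d = decode_dr7(dr7)
    flags = [k for k in ("LE", "GE", "GD") if d[k]]
    bps = ", ".join(f"DR{s['slot']}:{s['type']}/{s['len']}B"
                    f"{'(G)' if s['global'] else '(L)'}" for s in d["slots"])
    return f"DR7=0x{dr7:X} flags={flags or '-'} breakpoints={bps or 'none'}"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0402):   # constructed sample values
        print(describe(value), "| loader-like:", looks_like_softice_loader(value))
```

Reading DR7 this way is what an analyst does on a memory dump or in a kernel debugger to see which hardware breakpoints a debugger left armed; the decoder is the same whether the value comes from SoftICE on Win9x or from a modern debugger, only the LE/GE heuristic is specific to the page.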

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name only resolves if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag so that
its handle can be opened, and it is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
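Most of the tricks above leave fixed byte patterns in the binary: the 'BCHK' immediate of Method 01, the SI/DI magic values of Method 02, the VxD ids of Methods 03/04, the 0F386h compare of Methods 05/12, the device names of Method 11 and the registry strings of Method 13. The scanner below is an added example (not part of the original text and not a tool the author distributed) that flags those patterns in a raw code/data blob, the way an analyst triages a sample before tracing it. The byte encodings are the standard x86 ones for the listed instructions (mov r16,imm16 = B8+r; mov ebp,imm32 = BD; cmp ax,imm16 = 3D; int = CD); the sample blob is constructed to contain one instance of each pattern.

```python
import re

# Added example: static triage for the SoftICE detection tricks listed on the page.
# Each rule: (method number on the page, description, byte regex).
RULES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker probe before int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    ("02", "mov si,4647h followed by mov di,4A4Dh (back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    ("03/04", "mov bx,0202h or 7A5Fh (VxD id) followed by int 2Fh",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("05/12", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3D\x86\xF3", re.DOTALL)),
    ("11", "driver device name as opened by CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.DOTALL)),
    ("13", "SoftICE registry key string",
     re.compile(rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)", re.DOTALL)),
]


def scan(blob: bytes) -> list:
    """Return every rule hit as {'method', 'offset', 'what'}, sorted by offset."""
    hits = []
    for method, desc, rx in RULES:
        for m in rx.finditer(blob):
            hits.append({"method": method, "offset": m.start(), "what": desc})
    return sorted(hits, key=lambda h: h["offset"])


def methods_found(blob: bytes) -> list:
    """Distinct page methods whose pattern occurs in the blob, in page order."""
    return sorted({h["method"] for h in scan(blob)})


# Constructed sample: a few bytes of 16-bit code in the style of the HASP
# listing (Method 02), an int 2Fh/1684h probe, an int 41h/4Fh probe, the two
# strings from Methods 11 and 13, and finally a Method 01 'BCHK' sequence.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                        # mov ax,0911h
    + b"\x8B\x17"                            # mov dx,[bx]
    + b"\xBE\x47\x46"                        # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"                        # mov di,4A4Dh
    + b"\xCC"                                # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h; mov bx,0202h; int 2Fh (offset 23)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh; int 41h; cmp ax,0F386h (offset 33)
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE"                   (offset 36)
    + b"Software\\NuMega\\SoftICE\x00"       # registry key                 (offset 54)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"  # mov ebp,'BCHK'; mov ax,4; int 3 (offset 69)
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit['offset']:#06x}  method {hit['method']:<5} {hit['what']}")
    print("methods present:", methods_found(SAMPLE))
```

The scanner only sees what is in the clear: a packer that decrypts these checks at run time (the situation Method 01 describes) will show nothing here, which is exactly when the SoftICE breakpoints quoted on the page (BPX CreateFileA, BPINT 41, BPX Get_DDB) are needed instead. Treat a hit as a reason to look, not as proof: the 3-byte `cmp ax,0F386h` pattern in particular can occur by chance in data.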

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>