<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE exposes through int 3:
with the 'BCHK' signature in EBP and AX=04h, SoftICE answers the int 3 and
changes AL; if nothing answers, AL keeps its value of 4. If no debugger
handles the int 3, execution goes to whatever handler is installed for it,
so the program must be prepared for that (see the note under Method 02).

    mov ebp, 04243484Bh   ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h           ; BoundsChecker function 4
    int 3                 ; intercepted by SoftICE when it is loaded
    cmp al, 4             ; AL unchanged -> nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It relies on the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and... HBOOT.

* the "jmp to 00ADh" is performed through an exception handler if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): the call returns the VxD's API entry point in
ES:DI, or 0:0 if no VxD with that ID is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h        ; Get Device API Entry Point
    mov bx, 0202h        ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h        ; Get Device API Entry Point
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh          ; int 41h function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h       ; a system debugger answers with 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
harmless handler (a plain IRET) while the call is made, so that nothing but
a debugger can put 0F386h into AX, and it is restored afterwards. ES must
already point to the interrupt vector table (ES=0) here, as it does in the
next example:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our handler, old offset kept in DX
    xchg bx, es:[41h*4+2]     ; ... and old segment kept in BX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
temporary handler copies AL into CL. AL is read from port 40h (the timer),
so its value is unpredictable and the check cannot be defeated by patching
a constant. If the temporary handler ran, CL equals AL; if it was not
reached because SoftICE intercepted the int 41h, CL is still 0 and the
comparison fails.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax               ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the temporary handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; unpredictable value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86): function AH=43h is
the debugger installation check and returns AX=0F386h when a debugger is
present.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler (DS must be set)
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed, or 0 otherwise.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (in ring 0 only: MOV from a debug register is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).

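As an added illustration of what Method 10 actually reads (example code written for this page, not taken from the original text or from any SoftICE tool), the following C decodes a DR7 value using the documented x86 layout of the register: bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 is LE, bit 9 is GE, bit 10 is reserved and reads as 1, and bits 16-31 hold the R/W and LEN fields of the four slots. Reading DR7 itself needs ring 0, so the values fed in here are constructed, and the function names are my own:

```c
/* Added example, not part of the original text: decode a DR7 value the way
 * Method 10 reads it, using the public x86 layout of DR7.  Reading the real
 * register needs ring 0, so the inputs below are constructed values. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE (1u << 9)   /* global exact breakpoint enable */

/* Bitmask of the breakpoint slots (bit i = slot i) enabled locally or globally. */
unsigned dr7_enabled_slots(uint32_t dr7)
{
    unsigned mask = 0;
    for (unsigned i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i))     & 1u;   /* L<i> */
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;   /* G<i> */
        if (local || global)
            mask |= 1u << i;
    }
    return mask;
}

/* R/W field of one slot: 0 = execute, 1 = write, 2 = I/O, 3 = read/write. */
unsigned dr7_slot_rw(uint32_t dr7, unsigned slot)
{
    return (dr7 >> (16 + 4 * slot)) & 3u;
}

/* LEN field of one slot in bytes (encodings 00,01,10,11 = 1,2,8,4). */
unsigned dr7_slot_len(uint32_t dr7, unsigned slot)
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };
    return len_bytes[(dr7 >> (18 + 4 * slot)) & 3u];
}

/* Method 10's signature: 0x700 means LE and GE are set with no slot armed,
 * which is what a program started through the SoftICE loader shows; 0x400
 * is only the reserved bit, i.e. nothing of interest. */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)
        && dr7_enabled_slots(dr7) == 0;
}

static void describe(uint32_t dr7)
{
    unsigned mask = dr7_enabled_slots(dr7);
    printf("DR7=%08x loader=%d slots=", dr7, dr7_matches_softice_loader(dr7));
    for (unsigned i = 0; i < 4; i++)
        if (mask & (1u << i))
            printf("[%u rw=%u len=%u]", i, dr7_slot_rw(dr7, i), dr7_slot_len(dr7, i));
    printf("\n");
}

int main(void)
{
    describe(0x00000400u);   /* no debugger activity */
    describe(0x00000700u);   /* started through the SoftICE loader */
    describe(0x000D0401u);   /* constructed: slot 0 armed as a 4-byte write BPM */
    return 0;
}
```

A BPM set from SoftICE shows up as one of the L/G enable bits plus its R/W and LEN fields; clearing those bits (what the text calls "clearing BPMs") is what a hostile ring 0 component would do with the same decoding.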
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and the
   four bytes found there are compared)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                   ; OF_READ
   mov eax,[00656634]        ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                   ; HFILE_ERROR (-1) becomes 0 on failure
   jnz 00650589              ; detected
   push 00                   ; OF_READ
   mov eax,[00656638]        ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets at which
   "tICE" sits in the subkey strings of #2 and #1 respectively)

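As an added example (not part of the original text or of any of the programs mentioned), here are the conditional-breakpoint expressions of Methods 11, 12 and 13 rewritten as C predicates and run over a constructed list of API calls, so the exact bytes and offsets each breakpoint tests can be verified without SoftICE. The call records, the struct and the function names are invented for the illustration. One thing it makes visible: the _regopenkey breakpoint above does not fire on key #3 (Loader32.Exe), since "tICE" sits at neither 0x13 nor 0x37 in that subkey.

```c
/* Added example, not part of the original text: the conditional-breakpoint
 * expressions of Methods 11, 12 and 13 as plain C predicates, run over a
 * constructed trace.  SoftICE's 'SICE' literal is matched with memcmp in
 * memory order; a C multi-character constant is deliberately not used since
 * its byte order is implementation-defined. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix.  SoftICE reads the four
 * bytes unconditionally; here the string is first checked to be long enough. */
int device_name_is_softice(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (path == NULL || strlen(path) < 8 || memcmp(path, "\\\\.\\", 4) != 0)
        return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(path + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Offset of a 4-byte tag inside a subkey string, or -1: this is how the
 * 0x13 and 0x37 constants of the _regopenkey breakpoint are derived. */
long tag_offset(const char *subkey, const char *tag)
{
    const char *p = strstr(subkey, tag);
    return p ? (long)(p - subkey) : -1;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey.  0x13 is "tICE" inside "Software\NuMega\SoftICE" (#2),
 * 0x37 is "tICE" inside "...\CurrentVersion\Uninstall\SoftICE" (#1). */
int regkey_is_softice(const char *subkey)
{
    static const size_t offs[] = { 0x13, 0x37 };
    if (subkey == NULL)
        return 0;
    size_t n = strlen(subkey);
    for (size_t i = 0; i < 2; i++)
        if (n >= offs[i] + 4 && memcmp(subkey + offs[i], "tICE", 4) == 0)
            return 1;
    return 0;
}

/* BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f
 * VxDCall to VWIN32 (high word 002Ah), service VWIN32_Int41Dispatch (low
 * word 002Ah), with int 41h function 4Fh as the second argument. */
int vxdcall_is_int41_check(uint32_t service, uint32_t function)
{
    return service == 0x002A002Au && (function & 0xFFFFu) == 0x4Fu;
}

/* One recorded API call: constructed sample data, not a real trace. */
struct api_call {
    const char *api;   /* "CreateFileA", "RegOpenKeyA" or "VxDCall" */
    const char *str;   /* lpFileName / lpSubKey, NULL for VxDCall     */
    uint32_t    arg1;  /* VxDCall: service id                          */
    uint32_t    arg2;  /* VxDCall: int 41h function                    */
};

static const struct api_call sample[] = {
    { "CreateFileA", "\\\\.\\SICE",           0, 0 },
    { "CreateFileA", "\\\\.\\SIWVID",         0, 0 },
    { "CreateFileA", "\\\\.\\NTICE",          0, 0 },
    { "CreateFileA", "\\\\.\\PhysicalDrive0", 0, 0 },
    { "CreateFileA", "C:\\data\\readme.txt",  0, 0 },
    { "RegOpenKeyA", "Software\\NuMega\\SoftICE", 0, 0 },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE", 0, 0 },
    /* key #3 of Method 13: not covered by the page's breakpoint offsets */
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", 0, 0 },
    { "VxDCall",     NULL, 0x002A002Au, 0x4Fu },
    { "VxDCall",     NULL, 0x002A0010u, 0x4Fu },
};

int call_is_softice_probe(const struct api_call *c)
{
    if (strcmp(c->api, "CreateFileA") == 0) return device_name_is_softice(c->str);
    if (strcmp(c->api, "RegOpenKeyA") == 0) return regkey_is_softice(c->str);
    if (strcmp(c->api, "VxDCall") == 0)     return vxdcall_is_int41_check(c->arg1, c->arg2);
    return 0;
}

/* Runs the predicates over the sample and returns how many calls would break. */
int count_softice_probes(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        hits += call_is_softice_probe(&sample[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("%-12s %-72s -> %s\n", sample[i].api,
               sample[i].str ? sample[i].str : "(VxDCall service/function)",
               call_is_softice_probe(&sample[i]) ? "BREAK" : "pass");
    printf("%d probes flagged\n", count_softice_probes());
    return 0;
}
```

The length guards are the one deliberate difference from the SoftICE expressions: a BPX condition happily dereferences four bytes past a short string, whereas a user-mode model of it has to check the buffer first.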
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service returns with the zero flag clear when a debugger is
installed:

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>