<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker handshake that SoftICE answers: with
EBP='BCHK' and AX=04h, an INT 3 is left alone by a plain DOS handler
(AL still holds 4), whereas SoftICE recognises it and alters AL.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; unchanged if nobody answered
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point) using its VxD ID; a non-zero
ES:DI means the VxD is loaded.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WinICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; (both stay zero if the VxD is absent)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
IRET handler around the call: a debugger that intercepts the interrupt before
it reaches the real-mode vector (as SoftICE does) still answers 0F386h,
while without one the dummy handler returns and AX is unchanged.

        ; ES must point to the IVT (segment 0) here, as in Method 06
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install the dummy handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to detect: there is
no 4Fh request and no compare against 0F386h. The dummy handler copies AL
into CL; if SoftICE swallows int 41h the handler never runs and CL stays 0.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES -> IVT
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer channel 0: a hard to predict AL
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
    eip at [ebp+48h] for 32-bit apps)
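All the checks in Methods 01 to 07 end in a software interrupt whose meaning is fixed by the immediates loaded just before it, so they can be triaged statically. The scanner below is an added example (not part of the original text, nor of any tool mentioned on this page): a Python linear sweep that decodes only `mov reg, imm` and `int n`, tracks the register state up to each interrupt and classifies it against the patterns above. The opcode encodings are plain x86; the function names are mine; the sample buffer is constructed from the snippets on this page (Method 01, the Haspinst sequence, Methods 03, 04, 05 and 07). Because it resynchronises one byte at a time, an immediate that happens to look like an opcode can produce a false hit, so treat the output as a triage hint rather than proof.

```python
"""Static triage for the INT-based SoftICE checks of Methods 01-07.

Added example. A minimal linear sweep over 16-bit code that only understands
`mov reg, imm` and `int n`, which is enough to reconstruct the register state
each check hands to the interrupt. Everything else is skipped one byte at a time.
"""

# Register order of the B8+r (and 66 B8+r) encodings.
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

# Back door functions (AX) described in Method 02.
BACKDOOR = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# VxD IDs requested through int 2Fh/1684h in Methods 03 and 04.
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def classify_interrupt(vector, regs):
    """Match one interrupt against the page's patterns; None if nothing matches."""
    ax = regs.get("ax")
    if vector == 3:
        if regs.get("ebp") == 0x4243484B and ax == 0x0004:
            return "Method 01: BoundsChecker 'BCHK' handshake via INT 3"
        if regs.get("si") == 0x4647 and regs.get("di") == 0x4A4D and ax in BACKDOOR:
            return f"Method 02: SoftICE back door AX={ax:04X}h ({BACKDOOR[ax]})"
    if vector == 0x2F and ax == 0x1684 and regs.get("bx") in VXD_IDS:
        bx = regs["bx"]
        return f"Method 03/04: int 2Fh/1684h entry point of VxD {bx:04X}h ({VXD_IDS[bx]})"
    if vector == 0x41:
        if ax == 0x004F:
            return "Method 05: int 41h/4Fh debugger installation check"
        return "int 41h issued with AX unknown or unusual (see Method 06)"
    if vector == 0x68 and ax is not None and (ax >> 8) == 0x43:
        return "Method 07: int 68h/AH=43h debugger installation check"
    return None


def scan_int_checks(code, base=0):
    """Return [(offset, description)] for every classified interrupt in `code`."""
    regs = {}
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x66 and i + 5 < n and 0xB8 <= code[i + 1] <= 0xBF:
            # 66 B8+r imm32: mov r32, imm32 (Method 01 loads EBP this way)
            regs["e" + REG16[code[i + 1] - 0xB8]] = int.from_bytes(code[i + 2:i + 6], "little")
            i += 6
        elif 0xB8 <= op <= 0xBF and i + 2 < n:
            # B8+r imm16: mov r16, imm16
            regs[REG16[op - 0xB8]] = int.from_bytes(code[i + 1:i + 3], "little")
            i += 3
        elif op in (0xB0, 0xB4) and i + 1 < n:
            # B0 imm8: mov al, imm8 / B4 imm8: mov ah, imm8 (Method 07 sets AH)
            ax = regs.get("ax", 0)
            if op == 0xB0:
                regs["ax"] = (ax & 0xFF00) | code[i + 1]
            else:
                regs["ax"] = (ax & 0x00FF) | (code[i + 1] << 8)
            i += 2
        elif op == 0xCC or (op == 0xCD and i + 1 < n):
            # CC: int 3 / CD imm8: int n -- evaluate, then forget the tracked state
            vector = 3 if op == 0xCC else code[i + 1]
            desc = classify_interrupt(vector, regs)
            if desc:
                hits.append((base + i, desc))
            regs = {}
            i += 1 if op == 0xCC else 2
        else:
            # Unknown opcode: resynchronise one byte further and keep the state, so
            # instructions between the loads and the INT (e.g. mov dx,[bx]) are tolerated.
            i += 1
    return hits


# Constructed sample: the page's snippets assembled back to back (not a real binary).
SAMPLE = bytes.fromhex(
    "66BD4B484342" "B80400" "CC" "3C04" "7505"      # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"           # Haspinst: back door 0911h with magic SI/DI
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"           # Method 03: int 2Fh/1684h, bx=0202h
    "B88416" "BB5F7A" "CD2F"                         # Method 04: same with bx=7A5Fh
    "B84F00" "CD41" "3D86F3" "7400"                  # Method 05: int 41h/4Fh, cmp ax,0F386h
    "B443" "CD68"                                    # Method 07: mov ah,43h / int 68h
)

if __name__ == "__main__":
    for offset, desc in scan_int_checks(SAMPLE):
        print(f"{offset:04X}: {desc}")
```

Run it on a DOS stub or on the unpacked body of a protected program (the segment a packer decrypts at run time is the usual place); a hit on `int 41h` with an unknown AX is worth a manual look, since Method 06 deliberately leaves no 4Fh or 0F386h constant to match on.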
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE is
loaded (dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3). Their values
can be manipulated or changed as well (clearing BPMs, for instance).
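The 0x400 and 0x700 values quoted above follow from the DR7 layout: bit 10 is reserved and always reads as 1 (so an idle DR7 is 0x400), bits 8 and 9 are the LE/GE exact-match flags (0x700 = both set), bits 0-7 enable slots 0-3 locally or globally, and bits 16-31 hold the R/W and LEN fields of each slot. The decoder below is an added example (not part of the original text, nor of any tool mentioned on this page): it takes DR0-DR3 and DR7 as integers, as a ring 0 routine would read them, applies the Method 10 heuristics, and shows the inverse operations (arming a slot, and the "clear BPMs" manipulation the text alludes to). Function names and the sample values are mine.

```python
"""Decode x86 debug registers the way a Method 10 check would read them.

Added example. DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
  bits 0-7   : L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per slot)
  bits 8, 9  : LE, GE                  (exact breakpoint match)
  bit  10    : reserved, always reads 1 (why an idle DR7 is 0x400)
  bit  13    : GD                      (general detect: trap on mov to/from DRx)
  bits 16-31 : R/Wn (2 bits) and LENn (2 bits) for each slot n
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)

IDLE_DR7 = 0x400      # what Method 10 reports without the SoftICE loader
LOADER_DR7 = 0x700    # LE|GE set: what it reports with the SoftICE loader


def decode_dr7(dr7):
    """Split DR7 into its global flags and four breakpoint slot descriptions."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def arm_slot(dr7, slot, kind, length, local=True):
    """Return DR7 with one slot programmed (inverse of decode_dr7); a debugger's
    4-byte read/write BPM on DR0 is arm_slot(dr7, 0, "read/write", 4)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot)) & 0xFFFFFFFF     # clear the old R/W and LEN fields
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    dr7 |= 1 << (2 * slot + (0 if local else 1))
    return dr7


def clear_hw_breakpoints(dr7):
    """What an anti-debug routine does when it 'clears BPMs': drop every enable,
    R/W and LEN bit and keep only bits 8-15 (LE/GE, reserved bit, GD)."""
    return dr7 & 0xFF00


def method10_indicators(dr0, dr1, dr2, dr3, dr7):
    """Apply the Method 10 heuristics; return human-readable reasons (empty = clean)."""
    info = decode_dr7(dr7)
    reasons = []
    if info["le"] or info["ge"]:
        reasons.append(f"LE/GE set: dr7={dr7:08X}h looks debugger-loaded, not the idle {IDLE_DR7:X}h")
    for addr, slot in zip((dr0, dr1, dr2, dr3), info["slots"]):
        if slot["enabled"]:
            scope = "local" if slot["local"] else "global"
            reasons.append(f"DR{slot['slot']} armed ({scope}): {slot['kind']} breakpoint, "
                           f"{slot['len']} byte(s) at {addr:08X}h")
        elif addr:
            reasons.append(f"DR{slot['slot']} holds {addr:08X}h but its slot is disabled (stale breakpoint)")
    return reasons


if __name__ == "__main__":
    # Constructed: a 4-byte read/write watchpoint on 00401000h set by a debugger.
    dr7 = arm_slot(LOADER_DR7, 0, "read/write", 4)
    for line in method10_indicators(0x00401000, 0, 0, 0, dr7):
        print(line)
    print(f"after clearing: dr7={clear_hw_breakpoints(dr7):08X}h")
```

Note that `clear_hw_breakpoints` leaves LE/GE alone, so a program that only wipes the slots still shows 0x700 afterwards; that is exactly the residue the first heuristic keys on.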

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to allow the
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded(void)            /* Win32; needs windows.h */
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);             /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word: which VxD (VWIN32)
                                        ; low word: which service
                                        ;   (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
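The Win32-side checks of Methods 11, 12 and 13 leave static traces that can be found without SoftICE running: the device names handed to CreateFileA or _lopen, the VWIN32 service dword pushed before Kernel32!ORD_0001, and the registry paths. The scanner below is an added example (not part of the original text, nor of any tool mentioned on this page) that looks for them in a raw byte buffer. It decodes each `push imm ; push imm32 ; call` triple into (VxD, service, function), naming VWIN32 (002Ah) and its Int41Dispatch service (002Ah) from Method 12, and matches the device and registry strings in both ANSI and UTF-16 so that the W variants of the APIs are covered as well. Function names are mine and the sample buffer is constructed from the fragments above.

```python
"""Static indicators of the Win32 SoftICE checks of Methods 11-13.

Added example. It opens no device itself; it only looks for what a MeltICE,
Bleem or AZPR style check must embed: driver names, the VxDCall service dword
and the registry paths.
"""
import re

# Method 11: device names opened through CreateFileA (or the 16-bit _lopen).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

# Method 13: tails of the registry paths read to find the installation (#2 is the usual one).
REGISTRY_PATHS = [
    b"Software\\NuMega\\SoftICE",
    b"CurrentVersion\\Uninstall\\SoftICE",
    b"CurrentVersion\\App Paths\\Loader32.Exe",
]

# VxD IDs named on this page; VWIN32 is the one VxDCall talks to in Method 12.
VXD_NAMES = {0x002A: "VWIN32", 0x0202: "SICE", 0x7A5F: "SIWVID"}
VWIN32_SERVICES = {0x002A: "VWIN32_Int41Dispatch", 0x001F: "service 1Fh (CreateFile path of Method 11)"}

# push imm8 | push imm32 ; push imm32 ; call rel32 | call [mem32]
VXDCALL_RE = re.compile(
    rb"(?s)(?:\x6A(?P<f8>.)|\x68(?P<f32>.{4}))\x68(?P<svc>.{4})(?:\xE8.{4}|\xFF\x15.{4})"
)


def decode_vxdcall_service(dword):
    """Split the VxDCall service dword into (VxD name, service name)."""
    vxd, svc = dword >> 16, dword & 0xFFFF
    vxd_name = VXD_NAMES.get(vxd, f"VxD {vxd:04X}h")
    if vxd == 0x002A:
        svc_name = VWIN32_SERVICES.get(svc, f"service {svc:04X}h")
    else:
        svc_name = f"service {svc:04X}h"
    return vxd_name, svc_name


def find_vxdcalls(data):
    """Return one dict per `push fn ; push service ; call` triple found in `data`."""
    found = []
    for m in VXDCALL_RE.finditer(data):
        if m.group("f8") is not None:
            fn = m.group("f8")[0]
        else:
            fn = int.from_bytes(m.group("f32"), "little")
        service_dword = int.from_bytes(m.group("svc"), "little")
        vxd_name, svc_name = decode_vxdcall_service(service_dword)
        found.append({
            "offset": m.start(),
            "function": fn,
            "vxd": vxd_name,
            "service": svc_name,
            # Method 12 proper: VWIN32_Int41Dispatch asked for function 4Fh
            "int41_debugger_check": service_dword == 0x002A002A and fn == 0x4F,
        })
    return found


def find_strings(data):
    """Return sorted (offset, encoding, text) for every device name / registry path."""
    hits = []
    for needle in DEVICE_NAMES + REGISTRY_PATHS:
        text = needle.decode("ascii")
        for encoding, pattern in (("ansi", needle), ("utf16", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pattern), data):
                hits.append((m.start(), encoding, text))
    return sorted(hits)


# Constructed sample: a Bleem-style VxDCall, the MeltICE device names (one in
# UTF-16, as a ...W API would carry it) and the NuMega registry key. Not a real binary.
SAMPLE = (
    b"\x6A\x4F" + b"\x68\x2A\x00\x2A\x00" + b"\xE8\x10\x00\x00\x00"
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00" + b"\\\\.\\SIWVID\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for call in find_vxdcalls(SAMPLE):
        tag = "  (Method 12)" if call["int41_debugger_check"] else ""
        print(f"{call['offset']:04X}: VxDCall {call['vxd']} {call['service']} fn={call['function']:02X}h{tag}")
    for offset, encoding, text in find_strings(SAMPLE):
        print(f"{offset:04X}: {encoding:5} {text}")
```

A packed executable hides these strings until run time, so scan a memory dump taken after unpacking rather than the file on disk; the `*(esp->4+4)=='SICE'` test in the BPX above is the dynamic counterpart of the same string match (it skips the `\\.\` prefix and compares the next four bytes).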

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>