About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with 'BCHK' in EBP and
AX=4, a loaded SoftICE services the int 3 itself and AL does not come back
as 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception/interrupt handler the
  program installs, which is only reached if the debugger is not loaded.
5 l- t% P( e- F5 m- n) E2 t0 ?___________________________________________________________________________


Method 03
=========

Less used method.  It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is present, ES:DI receives its API
entry point; if it is absent, ES:DI stays at the 0000:0000 set beforehand.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant, as well as the one in method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the real-mode
int 41h vector with a do-nothing handler, so that without a debugger the
call returns with AX unchanged (ES must point at the interrupt vector table,
segment 0, as in method 06):

    xor     ax,ax
    mov     es,ax           ; es=0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: it
uses neither function 4Fh nor a compare against 0F386h. The handler copies
AL into CL; if it actually ran, CL equals AL afterwards, otherwise the int 41h
was swallowed by a debugger.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; es=0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; arbitrary byte (PIT counter 0, low byte)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* device name "\\.\SICE": the open only succeeds if the SICE VxD is
      loaded and answers the DIOC_OPEN control message (see below) */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, execution goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
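The breakpoints above catch these tricks at run time. When you only have the
file, the same interrupt-based sequences of methods 01 to 07 and 12 can be
looked for statically. The scanner below is an added example written for this
page, not code from the original text: the byte encodings are hand-assembled
from the listings above (16-bit code for methods 01-07, 32-bit for method 12),
the sample blobs are constructed (the Haspinst.exe loop re-encoded from its
listing, Stone's method 06, a method 12 call whose import slot address is a
placeholder), and any hit on a real binary should be confirmed in a
disassembler:

```python
"""Static scanner for the int-based anti-SoftICE sequences of methods 01-07
and 12.  Added example; encodings assembled by hand from the listings in the
text, samples constructed for the test.  Exact-byte patterns are easy to
defeat (a reordered mov or an extra instruction outside the small gaps
allowed here is enough), so treat a miss as 'not found', never as 'clean'.
"""
import re

# (name, byte regex).  '.{0,N}?' tolerates a few bytes between the parts, e.g.
# the 'mov dx,[bx]' in the Haspinst loop or Stone's vector-restoring xchg pair.
SIGNATURES = [
    ("method01 BoundsChecker 'BCHK' in EBP, AX=4, int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,8}?\xCC"),
    ("method02 SoftICE back door, SI=4647h DI=4A4Dh, int 3",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("method03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("method04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("method05 int 41h, AX=4Fh, cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3"),
    ("method06 int 41h vector swap around 'in al,40h'",
     rb"\x26\x87\x16\x04\x01\x26\x87\x1E\x06\x01.{0,8}?\xE4\x40.{0,8}?\xCD\x41"),
    ("method07 int 68h, AH=43h, cmp ax,0F386h",
     rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("method12 VxDCall VWIN32_Int41Dispatch (002A002Ah), function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]


def scan(blob: bytes) -> list:
    """Return (offset, name) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_present(blob: bytes) -> set:
    """Just the method labels found, e.g. {'method02', 'method05'}."""
    return {name.split()[0] for _, name in scan(blob)}


# Constructed sample 1: the Haspinst.exe loop (4C19:0095..00AD), hand-encoded.
HASPINST_LOOP = bytes.fromhex(
    "B81109"      # 0095 mov ax,0911h
    "8B17"        # 0098 mov dx,[bx]
    "BE4746"      # 009A mov si,4647h
    "BF4D4A"      # 009D mov di,4A4Dh
    "CC"          # 00A0 int 3
    "83C302"      # 00A1 add bx,2
    "41"          # 00A4 inc cx
    "83F906"      # 00A5 cmp cx,6
    "72EB"        # 00A8 jb 0095
    "E955FF"      # 00AA jmp 0002
    "8BDC"        # 00AD mov bx,sp
)

# Constructed sample 2: method 01, four nops, then the simplest method 05.
MISC_DOS = bytes.fromhex(
    "66BD4B484342" "B80400" "CC" "3C04" "7500"   # mov ebp,'BCHK' ... cmp al,4 / jnz
    "90909090"
    "B84F00" "CD41" "3D86F3" "7400"              # mov ax,4Fh / int 41h / cmp / jz
)

# Constructed sample 3: Stone's method 06 (handler offset is a placeholder).
STONE_WID = bytes.fromhex(
    "33C0" "8EC0" "8CCB" "8D160000"              # xor ax,ax / mov es,ax / mov bx,cs / lea dx,handler
    "2687160401" "26871E0601"                    # xchg dx,es:[104h] / xchg bx,es:[106h]
    "E440" "33C9" "CD41"                         # in al,40h / xor cx,cx / int 41h
    "2687160401" "26871E0601"                    # restore the vector
    "3AC8" "7500"                                # cmp cl,al / jnz SoftICE_detected
)

# Constructed sample 4: method 12 in 32-bit code (import slot is a placeholder).
BLEEM_STYLE = bytes.fromhex("6A4F" "682A002A00" "FF1500000000" "663D86F3" "7400")

# Constructed control: every byte value once, contains none of the sequences.
CLEAN = bytes(range(256))
```

`scan(HASPINST_LOOP)` reports method 02 at offset 5 (the `mov si,4647h`),
`scan(MISC_DOS)` reports method 01 at 0 and method 05 at 18, `STONE_WID` only
method 06, and `CLEAN` nothing. Widen the gaps or add register variants if you
port this to a YARA rule, and remember that methods 09, 10 and 14 (ring0
service calls and debug-register reads) have no such fixed byte shape.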

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
keys #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>