<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the int 3 back door is
called with EBP='BCHK' and AX=4, and AL is no longer 4 when SoftICE answers.

mov ebp, 04243484Bh   ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h         ; VxD ID of winice
int 2Fh
mov ax, es            ; ES:DI -> VxD API entry point (0:0 if absent)
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh         ; VxD ID of SIWVID
int 2fh
mov ax, es            ; ES:DI -> VxD API entry point (0:0 if absent)
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]      ; ES must point to the IVT (segment 0), as method 06
xchg bx, es:[41h*4+2]    ; sets it explicitly
mov ax,4fh
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: the program
installs its own int 41h handler, which copies AL into CL; if SoftICE's
handler runs instead, CL stays 0 and differs from AL.

int41handler PROC
mov cl,al
iret
int41handler ENDP

xor ax,ax
mov es,ax
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h              ; an arbitrary non-zero-ish value (timer port)
xor cx,cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl,al
jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

mov ah, 25h
mov al, Int_Number           ; 01h or 03h
mov dx, offset New_Int_Routine
int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID    ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can also be manipulated or changed
(clearing BPMs, for instance).

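The two DR7 values quoted above read naturally once the register's bit layout is written down. Below is an added example in C, not part of the original text: a decoder for the IA-32 DR7 layout (L/G enable pairs in bits 0-7, LE/GE in bits 8-9, the reserved always-set bit 10, GD in bit 13, R/W and LEN fields from bit 16 upwards). Applied to 0x700 it shows LE and GE set with no breakpoint armed, and to 0x400 nothing but the reserved bit; the third value, 0x000F0401, is a constructed example of a 4-byte read/write breakpoint on DR0, which is what a BPM would leave behind. Nothing here reads the real registers (that needs ring0, as the text says); the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* IA-32 DR7 layout: bits 0-7 hold the L0/G0 .. L3/G3 enable pairs, bit 8 is
 * LE and bit 9 GE (exact breakpoint enable), bit 10 is reserved and reads as 1,
 * bit 13 is GD, and from bit 16 every register n owns a 4-bit group:
 * R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n. */

/* Non-zero if hardware breakpoint n (0..3) is enabled locally or globally. */
int dr7_bp_enabled(uint32_t dr7, int n)
{
    return (int)((dr7 >> (2 * n)) & 0x3u);
}

/* Bitmask with bit n set for every enabled DRn. */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int n = 0; n < 4; n++)
        if (dr7_bp_enabled(dr7, n))
            m |= 1u << n;
    return m;
}

int dr7_le(uint32_t dr7) { return (int)((dr7 >> 8) & 1u); }
int dr7_ge(uint32_t dr7) { return (int)((dr7 >> 9) & 1u); }
int dr7_gd(uint32_t dr7) { return (int)((dr7 >> 13) & 1u); }

/* R/Wn condition: 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write. */
int dr7_rw(uint32_t dr7, int n) { return (int)((dr7 >> (16 + 4 * n)) & 0x3u); }

/* LENn as a byte count: 00 = 1, 01 = 2, 11 = 4 (10 = 8, 64-bit mode only). */
int dr7_len_bytes(uint32_t dr7, int n)
{
    switch ((dr7 >> (18 + 4 * n)) & 0x3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

static const char *const RW_NAMES[4] = {"execute", "write", "io", "read/write"};

/* Writes a human-readable reading of dr7 into out; returns how many
 * breakpoints are armed. */
int dr7_describe(uint32_t dr7, char *out, size_t outsz)
{
    int count = 0;
    int used = snprintf(out, outsz, "DR7=0x%08X LE=%d GE=%d GD=%d:",
                        (unsigned)dr7, dr7_le(dr7), dr7_ge(dr7), dr7_gd(dr7));
    for (int n = 0; n < 4; n++) {
        if (!dr7_bp_enabled(dr7, n))
            continue;
        count++;
        if (used < 0 || (size_t)used >= outsz)
            continue;           /* buffer full: keep counting, stop writing */
        used += snprintf(out + used, outsz - (size_t)used, " DR%d(%s,%d-byte,%s)",
                         n, RW_NAMES[dr7_rw(dr7, n)], dr7_len_bytes(dr7, n),
                         ((dr7 >> (2 * n + 1)) & 1u) ? "global" : "local");
    }
    if (count == 0 && used >= 0 && (size_t)used < outsz)
        snprintf(out + used, outsz - (size_t)used, " no hardware breakpoint armed");
    return count;
}

int main(void)
{
    /* 0x700 and 0x400 are the values quoted in the text; 0x000F0401 is a
     * constructed value: DR0 enabled locally, R/W0 = 11b, LEN0 = 11b. */
    const uint32_t samples[] = {0x700u, 0x400u, 0x000F0401u};
    char line[160];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_describe(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

The decoder is the same one you would apply to a DR7 value captured from a crash dump or a hypervisor trace: the low byte tells you whether any hardware breakpoint is armed at all, and the high half tells you what kind, which is why the text's 0x700 (LE/GE only) and 0x400 (reserved bit only) are both "no BPM set" readings.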
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

/* Needs windows.h. Returns TRUE when the \\.\SICE device can be opened,
   i.e. when the SoftICE VxD is loaded and answers the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00                  ; OF_READ
mov eax,[00656634]       ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589             ; detected
push 00                  ; OF_READ
mov eax,[00656638]       ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae              ; not detected

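The interrupt-based tricks of methods 01, 02, 03, 05 and 07 and the MeltICE device names of method 11 all leave fixed byte sequences in a binary, so a static signature scan is a quick way to triage a suspect packer before running it under a debugger at all. The C program below is an added example, not part of the original text nor of MeltICE or nmtrans.dll: the signature table is derived from the listings above (their 16-bit encodings), the SIWVID device-name string is assumed from the text's list of driver names, and the sample buffer is constructed for the demonstration (the Haspinst.exe loop from method 02 followed by two device-name strings).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns as the listings above encode in 16-bit code. A single 16-bit
 * instruction inside 32-bit code carries the same bytes after a 66h
 * operand-size prefix, so the one-instruction patterns match there too. */
static const uint8_t P_BCHK[]   = {0xBD, 0x4B, 0x48, 0x43, 0x42};  /* mov ebp,4243484Bh ('BCHK'), method 01 */
static const uint8_t P_SI_FG[]  = {0xBE, 0x47, 0x46};              /* mov si,4647h, method 02 */
static const uint8_t P_DI_JM[]  = {0xBF, 0x4D, 0x4A};              /* mov di,4A4Dh, method 02 */
static const uint8_t P_INT2F[]  = {0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F}; /* mov ax,1684h / mov bx,202h / int 2Fh, method 03 */
static const uint8_t P_INT41[]  = {0xB8, 0x4F, 0x00, 0xCD, 0x41};  /* mov ax,4Fh / int 41h, method 05 */
static const uint8_t P_INT68[]  = {0xB4, 0x43, 0xCD, 0x68};        /* mov ah,43h / int 68h, method 07 */
static const char    P_SICE[]   = "\\\\.\\SICE";                   /* device names, method 11 */
static const char    P_SIWVID[] = "\\\\.\\SIWVID";                 /* assumed from the text's driver list */
static const char    P_NTICE[]  = "\\\\.\\NTICE";

enum { S_BCHK, S_SI_FG, S_DI_JM, S_INT2F, S_INT41, S_INT68, S_SICE, S_SIWVID, S_NTICE, S_COUNT };

typedef struct {
    const char    *label;
    const uint8_t *pat;
    size_t         len;
} sig_t;

static const sig_t SIGS[S_COUNT] = {
    [S_BCHK]   = {"method 01: int 3 with EBP='BCHK'",       P_BCHK,  sizeof P_BCHK},
    [S_SI_FG]  = {"method 02: SI=4647h magic value",        P_SI_FG, sizeof P_SI_FG},
    [S_DI_JM]  = {"method 02: DI=4A4Dh magic value",        P_DI_JM, sizeof P_DI_JM},
    [S_INT2F]  = {"method 03: int 2Fh/1684h, VxD ID 0202h", P_INT2F, sizeof P_INT2F},
    [S_INT41]  = {"method 05: int 41h function 4Fh",        P_INT41, sizeof P_INT41},
    [S_INT68]  = {"method 07: int 68h function 43h",        P_INT68, sizeof P_INT68},
    [S_SICE]   = {"method 11: device name \\\\.\\SICE",     (const uint8_t *)P_SICE,   sizeof P_SICE - 1},
    [S_SIWVID] = {"method 11: device name \\\\.\\SIWVID",   (const uint8_t *)P_SIWVID, sizeof P_SIWVID - 1},
    [S_NTICE]  = {"method 11: device name \\\\.\\NTICE",    (const uint8_t *)P_NTICE,  sizeof P_NTICE - 1},
};

/* Returns a bitmask with bit S_x set for every signature found in buf. */
unsigned scan_buffer(const uint8_t *buf, size_t n)
{
    unsigned hits = 0;
    for (int s = 0; s < S_COUNT; s++) {
        const sig_t *sig = &SIGS[s];
        for (size_t off = 0; sig->len <= n && off + sig->len <= n; off++) {
            if (memcmp(buf + off, sig->pat, sig->len) == 0) {
                hits |= 1u << s;
                break;
            }
        }
    }
    return hits;
}

/* The 3-byte SI/DI patterns alone are weak evidence; the int 3 back door is
 * only reported when both magic values are present. */
int has_int3_backdoor(unsigned hits)
{
    return (hits & (1u << S_SI_FG)) && (hits & (1u << S_DI_JM));
}

/* Constructed sample: the Haspinst.exe loop from method 02 followed by two
 * MeltICE device-name strings, with NOPs as filler. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,             /* mov ax,0911h */
    0x8B, 0x17,                   /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,             /* mov si,4647h */
    0xBF, 0x4D, 0x4A,             /* mov di,4A4Dh */
    0xCC,                         /* int 3        */
    0x00,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0,
};

unsigned scan_sample(void)
{
    return scan_buffer(SAMPLE, sizeof SAMPLE);
}

int main(void)
{
    unsigned hits = scan_sample();
    for (int s = 0; s < S_COUNT; s++)
        if (hits & (1u << s))
            printf("found: %s\n", SIGS[s].label);
    printf("int 3 back door (method 02): %s\n", has_int3_backdoor(hits) ? "yes" : "no");
    return 0;
}
```

To scan a real file, read it whole into a buffer and pass it to scan_buffer; a hit is a reason to set the corresponding BPX or BPINT from the sections above before running the program. Two limits worth knowing: the ASCII device names will not match a program that passes the wide string to CreateFileW, and a packer that builds the magic values at run time (or decrypts its stub) leaves nothing for a static scan to find, which is exactly why the breakpoints above remain the reliable check.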
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

push 0000004fh        ; function 4fh
push 002a002ah        ; high word specifies which VxD (VWIN32),
                      ; low word specifies which service
                      ; (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxdCall
cmp ax, 0f386h        ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>