About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old handler
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; only a system debugger answers with the magic number
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; dummy handler: leaves AX untouched
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al               ; our handler copies AL into CL, so CL==AL proves it ran
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old handler
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL != AL: our handler never ran, int 41h is owned by a debugger
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the device name can only be opened if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
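As an added example (not code from the original text), here is a Python static scanner for the byte patterns of the tricks documented above (Methods 01, 02, 03/04, 05, 07 and 11), the analyst's file-level counterpart to the BPX/BPINT conditions listed for each method. It assumes the standard x86 encodings of the quoted instructions (16-bit code for the DOS tricks, 32-bit code for the 'BCHK' check), and the sample image it scans by default is constructed inside the block.

```python
import re
import sys

# Byte patterns for the tricks listed above. Encodings are the standard x86
# ones for the quoted instructions; the DOS tricks (02, 03/04, 05, 07) are
# assumed to be 16-bit code, the 'BCHK' check (01) 32-bit code. `.{0,N}?`
# tolerates a few unrelated bytes between the instructions of one trick.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3   -> BD 4B 48 43 42 ... CC
    ("01 BCHK/int 3", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # 02: mov si,4647h ; mov di,4A4Dh (either order) ; int 3
    ("02 backdoor magic", re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                                     rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2F/1684 VxD id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h (the xchg handler swap may sit in between)
    ("05 int 41/4F magic",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # 07: mov ah,43h ; int 68h
    ("07 int 68/43", re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # 11: NUL-terminated device names opened by MeltICE-style checks (CreateFileA / _lopen)
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(data: bytes):
    """Return [(trick, offset), ...] for every documented pattern found in data, by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def build_sample() -> bytes:
    """Constructed image (not a real binary): NOP filler around three of the tricks."""
    filler = b"\x90" * 16
    # Method 02 as in the Haspinst.exe listing: mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3
    haspinst = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")
    # Method 05, simplest form: mov ax,4Fh / int 41h / cmp ax,0F386h / jz $
    int41 = bytes.fromhex("B84F00" "CD41" "3D86F3" "74FE")
    # Method 11: the '\\.\SICE' string handed to CreateFileA, NUL-terminated
    meltice = b"\\\\.\\SICE\x00"
    return filler + haspinst + filler + int41 + filler + meltice + filler


if __name__ == "__main__":
    # Scan a file named on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, off in scan(blob):
        print(f"{off:#010x}  {name}")
```

A hit is a lead, not proof: the 16-bit encodings will miss 32-bit variants of the same instructions, and a `\\.\SICE` string can belong to a legitimate tool, so confirm a hit under the debugger with the breakpoints given for that method.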