About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2       ; es is assumed to be 0 (IVT), as set in Method 06
    xchg    dx, es:[41h*4]          ; install cs:int41handler2, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; a system debugger answers 0F386h itself, the dummy handler never runs
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; records that our own handler actually ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install cs:int41handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter byte: a value the debugger cannot predict
    xor     cx,cx
    int     41h                     ; without a debugger, int41handler copies al into cl
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
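Most of the probes above leave fixed byte sequences in the protected binary, which is what an analyst triaging a sample looks for statically. The scanner below is an added example, not code from the original post: it encodes the instruction sequences of Methods 01 to 05 and 07 as byte fragments (the rule names, the 32-byte window and the constructed sample buffer are mine), requires all of a rule's fragments to occur close together so a lone `int 41h` does not fire, and also looks for the MeltICE driver names of Method 11.

```python
# Signature rules: (name, [byte fragments]). Fragments are the 16-bit (or, for
# Method 01, 32-bit) encodings of the instructions quoted in the post; all of a
# rule's fragments must occur, in order, within WINDOW bytes of the first one.
WINDOW = 32
RULES = [
    ("M01 BoundsChecker 'BCHK' int 3",           # mov ebp,4243484Bh ; mov ax,4 ; int 3
     [b"\xBD\x4B\x48\x43\x42", b"\x66\xB8\x04\x00", b"\xCC"]),
    ("M02 back door magic SI=4647h DI=4A4Dh",    # mov si,4647h ; mov di,4A4Dh ; int 3
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"]),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",    # mov ax,1684h ; mov bx,0202h ; int 2Fh
     [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"]),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",  # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"]),
    ("M05 int 41h/4Fh magic F386h",              # mov ax,4Fh ; int 41h ; cmp ax,0F386h
     [b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3"]),
    ("M07 int 68h/43h magic F386h",              # mov ah,43h ; int 68h ; cmp ax,0F386h
     [b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3"]),
]
# Method 11 (MeltICE) leaves the driver names in the binary as plain strings.
DRIVER_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _offsets(data, frag):
    """Every offset at which frag occurs in data (overlaps included)."""
    out, i = [], data.find(frag)
    while i != -1:
        out.append(i)
        i = data.find(frag, i + 1)
    return out


def scan(data):
    """Return [(rule name, offset)] for each trick found in data. A rule fires
    only when its later fragments all follow the first one within WINDOW bytes,
    so a stray `int 41h` or `int 3` on its own is not reported."""
    hits = []
    for name, frags in RULES:
        positions = [_offsets(data, f) for f in frags]
        if not all(positions):
            continue
        for start in positions[0]:
            if all(any(start < p <= start + WINDOW for p in ps)
                   for ps in positions[1:]):
                hits.append((name, start))
                break  # report each rule once
    for drv in DRIVER_NAMES:
        off = data.find(drv)
        if off != -1:
            hits.append(("M11 MeltICE driver name " + drv.decode(), off))
    return hits


# Constructed sample (not a real binary): NOP filler, the Haspinst.exe loop from
# Method 02 as 16-bit code, a lone int 41h decoy, the Method 05 probe, a driver name.
SAMPLE = (b"\x90" * 16
          + b"\xB8\x11\x09\x8B\x17"                # mov ax,0911h ; mov dx,[bx]
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h ; mov di,4A4Dh ; int 3
          + b"\x83\xC3\x02" + b"\x90" * 64         # add bx,2 ; filler
          + b"\xCD\x41" + b"\x90" * 64             # decoy int 41h with nothing around it
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
          + b"\x74\x05" + b"\x00" * 8              # jz detected ; padding
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print("0x%04X  %s" % (off, name))
```

Run against a real file, `scan(open(path, "rb").read())` reports the trick and its file offset, which is where you would set the breakpoints the post suggests.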