<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; AL is changed by SoftICE's BoundsChecker interface
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax     ; ES:DI stays 0:0 when no such VxD is loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; assumes ES = 0 (interrupt vector table):
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = an unpredictable byte from the timer
    xor cx, cx
    int 41h                 ; if a debugger swallows the int, CL stays 0
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
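To make the two DR7 values quoted above concrete, here is an added Python decoder (not part of the original text) that splits DR7 into its architectural fields, following the Intel SDM layout: bit 10 is reserved and always reads as 1, which is why 0x400 is the idle baseline, and 0x700 is that baseline plus LE and GE (the "exact breakpoint enable" bits) set. It assumes the register values were already read in ring0 and are passed in as integers; the DR7/DR0 values in main() are constructed for the demonstration, not captured from a real system.

```python
from typing import Dict, List, Sequence, Tuple

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2n     Ln   local enable of breakpoint slot n (n = 0..3)
#   bit 2n+1   Gn   global enable of breakpoint slot n
#   bit 8      LE   local exact breakpoint enable
#   bit 9      GE   global exact breakpoint enable
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     GD   general detect (traps MOV to/from DRn)
#   bits 16+4n..17+4n  R/Wn  break condition of slot n
#   bits 18+4n..19+4n  LENn  size of the watched range of slot n
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b means 8 bytes only in long mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its named fields."""
    return {
        "local_enable":  [bool((dr7 >> (2 * n)) & 1) for n in range(4)],
        "global_enable": [bool((dr7 >> (2 * n + 1)) & 1) for n in range(4)],
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "rw":  [RW_NAMES[(dr7 >> (16 + 4 * n)) & 3] for n in range(4)],
        "len": [LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3] for n in range(4)],
    }


def active_breakpoints(dr7: int, dr0_3: Sequence[int]) -> List[Tuple[int, int, str, int]]:
    """(slot, address, condition, length) for every slot enabled locally or globally.

    This is what a BPM set in SoftICE looks like from the debug registers."""
    f = decode_dr7(dr7)
    return [(n, dr0_3[n], f["rw"][n], f["len"][n])
            for n in range(4)
            if f["local_enable"][n] or f["global_enable"][n]]


def loader_fingerprint(dr7: int) -> bool:
    """The page's 0x700 test: LE and GE both set on top of the always-1 bit 10."""
    return dr7 & 0x700 == 0x700


if __name__ == "__main__":
    # Constructed values: slot 0 globally enabled, read/write, 4 bytes, at 0x401000,
    # on a process started by the loader (LE/GE set).
    dr7, regs = 0xF0702, [0x401000, 0, 0, 0]
    print("loaded by SoftICE loader:", loader_fingerprint(dr7))
    print("active breakpoints:", active_breakpoints(dr7, regs))
    print("idle DR7 0x400 ->", decode_dr7(0x400))
```

Reading the output side by side with the two constants in the text shows why the check is so cheap: the program does not need to know anything about SoftICE itself, only that an idle DR7 carries a single reserved bit while a debugger that has touched the exact-breakpoint bits or filled a slot leaves extra bits set.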
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

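Every trick in Methods 01 to 12 above leaves a fixed byte sequence in the protected program, which is what an analyst triaging a packed file looks for before ever running it. As an added example (not part of the original text, nor of any tool it mentions), the following Python scanner matches those sequences in a raw code image. The opcode encodings are standard x86: 16-bit code for the DOS snippets (mov ax,imm16 = B8 iw, int NN = CD NN, int 3 = CC, cmp ax,imm16 = 3D iw, xchg dx,es:[104h] = 26 87 16 04 01) and 32-bit code for the Win32 ones (push imm32 = 68 id, push imm8 = 6A ib). The SAMPLE bytes are constructed here from the listings above to exercise the scanner and are not taken from any real file.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass
class Finding:
    method: str   # method number as used in the text above
    offset: int   # byte offset of the matched sequence
    what: str     # short description of the trick


# One byte-level regex per trick. The short non-greedy windows (.{0,N}?)
# tolerate a few interleaved register setup instructions.
SIGNATURES: List[Tuple[str, str, Pattern[bytes]]] = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker interface)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL)),
    ("02", "mov si,4647h ; mov di,4A4Dh ... int 3 (back door magic 'FG'/'JM')",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    ("03/04", "mov ax,1684h ; mov bx,0202h|7A5Fh ... int 2Fh (VxD entry point)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "mov ax,4Fh ... int 41h ... cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3", re.DOTALL)),
    ("05/06", "xchg dx,es:[41h*4] (int 41h vector swap, Stone's variants)",
     re.compile(rb"\x26\x87\x16\x04\x01")),
    ("07", "mov ah,43h ; int 68h ... cmp ax,0F386h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    ("08", "int 21h/25h rehooking vector 01h or 03h",
     re.compile(rb"(?:\xB4\x25\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21", re.DOTALL)),
    ("11", r"MeltICE device name (\\.\SICE, \\.\SIWVID, \\.\NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> List[Finding]:
    """Return every signature hit in blob, ordered by offset."""
    hits = [Finding(num, m.start(), what)
            for num, what, pat in SIGNATURES
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda f: (f.offset, f.method))


# Constructed sample: the Haspinst loop body (Method 02), the simplest
# int 41h probe (Method 05), an int 2Fh/1684h probe (Method 03) and a
# MeltICE device name (Method 11), separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h      <- Method 02 hit at offset 9
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"           # mov ax,4Fh        <- Method 05 hit at offset 20
    + b"\xCD\x41"               # int 41h
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\x74\x05"               # jz SoftICE_detected
    + b"\x90" * 4
    + b"\xB8\x84\x16"           # mov ax,1684h      <- Method 03/04 hit at offset 34
    + b"\xBB\x02\x02"           # mov bx,0202h
    + b"\xCD\x2F"               # int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"        <- Method 11 hit at offset 46
)


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"+{f.offset:04x}  method {f.method:<5} {f.what}")
```

Run it over a dumped code segment or an unpacked section rather than the packed file itself: these sequences only exist in clear once the packer's own decryption layer has run, which is exactly why the text recommends breakpoints (BPX/BPINT) as the live-detection counterpart. A hit only says that the trick's instruction pattern is present; whether it is reached is a question for the debugger.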
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>