About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers on int 3:
with EBP = 'BCHK' and AX = 4, SoftICE handles the int 3 itself, and AL no
longer being 4 afterwards gives it away.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point"). ES:DI is zeroed first; if it is still 0:0 after
the call, no VxD with that ID answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the interrupt vector
table is swapped for a dummy handler for the duration of the call, so a plain
int 41h returns AX unchanged; if AX still comes back as 0F386h, something
sitting below the vector table answered:

    xor     ax,ax
    mov     es,ax           ; ES = 0: the interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL. If the int 41h never reaches the handler
(a debugger took it first), CL stays 0 and differs from AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT counter: an unpredictable AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

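What such a ring-0 check actually sees is the bit layout of DR7 and the four address registers. The C below is an added example, not code from the original text: it decodes a DR7/DR0-DR3 set into enabled slots, access type and length, applies the text's 0x700/0x400 rule of thumb, and shows how a BPM-style entry is written into DR7 (which is what a protection "clearing BPMs" undoes). The sample register values are constructed; reading the real registers needs a `mov eax, dr7` in ring 0, which is not shown.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout: L<i>/G<i> enable bits at 2i/2i+1, LE/GE at bits 8/9,
 * bit 10 reserved (reads as 1, hence the 0x400 baseline), GD at bit 13,
 * R/W<i> at 16+4i and LEN<i> at 18+4i. */
typedef struct {
    int      enabled;   /* L<i> or G<i> set */
    unsigned rw;        /* 0 execute, 1 write, 3 read or write (2: I/O if CR4.DE) */
    unsigned size;      /* breakpoint length in bytes */
    uint32_t addr;      /* linear address from DR<i> */
} hwbp_t;

typedef struct {
    hwbp_t bp[4];
    int    le, ge;      /* exact-breakpoint bits: the 0x300 the SoftICE loader adds */
    int    gd;          /* general detect: #DB on any MOV to/from a debug register */
    int    n_enabled;
} dr_state_t;

static unsigned len_field_to_bytes(unsigned len)
{
    switch (len) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

dr_state_t decode_debug_regs(uint32_t dr7, const uint32_t dr0_3[4])
{
    dr_state_t s = {0};
    for (int i = 0; i < 4; i++) {
        s.bp[i].enabled = ((dr7 >> (2 * i)) & 3u) != 0;
        s.bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3u;
        s.bp[i].size    = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3u);
        s.bp[i].addr    = dr0_3[i];
        if (s.bp[i].enabled) s.n_enabled++;
    }
    s.le = (dr7 >> 8) & 1u;
    s.ge = (dr7 >> 9) & 1u;
    s.gd = (dr7 >> 13) & 1u;
    return s;
}

/* The text's rule: dr7 == 0x700 when started from the SoftICE loader
 * (LE and GE on top of the always-set bit 10), 0x400 otherwise. */
int started_under_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* Any enabled slot means a hardware (BPM-style) breakpoint is armed. */
int has_memory_breakpoint(uint32_t dr7)
{
    return (dr7 & 0xFFu) != 0;
}

/* Arm slot i in DR7: this is the write a debugger performs for a BPM and
 * the one a protection reverses when it clears the registers. */
uint32_t dr7_set_slot(uint32_t dr7, int i, unsigned rw, unsigned len_field, int global)
{
    dr7 &= ~(0xFu << (16 + 4 * i));                 /* clear R/W<i> and LEN<i> */
    dr7 |= (rw & 3u) << (16 + 4 * i);
    dr7 |= (len_field & 3u) << (18 + 4 * i);
    dr7 |= 1u << (2 * i + (global ? 1 : 0));        /* L<i> or G<i> */
    return dr7;
}

int main(void)
{
    /* Constructed sample: loader baseline 0x700 plus a 4-byte write
     * breakpoint on 00401000h in slot 0 (what `BPM 401000 W` would leave). */
    uint32_t dr7 = dr7_set_slot(0x700u, 0, 1 /* write */, 3 /* 4 bytes */, 0);
    uint32_t dr[4] = {0x00401000u, 0, 0, 0};
    dr_state_t s = decode_debug_regs(dr7, dr);

    printf("dr7=%08x loader=%d BPM=%d LE=%d GE=%d GD=%d\n", dr7,
           started_under_softice_loader(dr7), has_memory_breakpoint(dr7), s.le, s.ge, s.gd);
    for (int i = 0; i < 4; i++)
        if (s.bp[i].enabled)
            printf("DR%d: %s, %u byte(s) at %08x\n", i,
                   s.bp[i].rw == 0 ? "exec" : s.bp[i].rw == 1 ? "write" : "read/write",
                   s.bp[i].size, s.bp[i].addr);
    return 0;
}
```

The decoder is the same on Win9x and NT; only the way the registers are reached differs (the text's point that it works in ring 0 only).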
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  dword compared is the first four characters of the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

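The breakpoints above catch these tricks at run time. The opcode sequences behind methods 01 to 07, 11 and 12 are short and fixed enough to be searched for statically as well, in a program's code section or a memory dump taken after the unpacker has finished. The C below is an added example, not code from the original text: it scans a byte buffer for those encodings (the 16-bit forms shown above; 32-bit code only adds a 66h prefix in front of the register moves, so every pattern starts at the opcode byte) and reports which tricks are present. The patterns are assumptions about the usual encodings (the method 12 `push 4Fh` is taken as the short imm8 form), the sample bytes are constructed from the listings on this page, and a three-byte `cmp ax,0F386h` can of course match by chance, so treat that flag as a hint rather than proof.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One flag per trick of this text, OR-ed together by scan_anti_softice(). */
enum {
    HIT_BCHK         = 1u << 0, /* method 01: mov ebp,4243484Bh ('BCHK') before int 3 */
    HIT_INT3_MAGIC   = 1u << 1, /* method 02: mov si,4647h ; mov di,4A4Dh (back door) */
    HIT_INT2F_SICE   = 1u << 2, /* method 03: int 2Fh/1684h with bx = 0202h (SICE) */
    HIT_INT2F_SIWVID = 1u << 3, /* method 04: int 2Fh/1684h with bx = 7A5Fh (SIWVID) */
    HIT_INT41_4F     = 1u << 4, /* methods 05/06: mov ax,4Fh ; int 41h */
    HIT_INT68_43     = 1u << 5, /* method 07: mov ah,43h ; int 68h */
    HIT_DEVNAME      = 1u << 6, /* method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE */
    HIT_VXDCALL_41   = 1u << 7, /* method 12: push 4Fh ; push 2A002Ah before VxDCall */
    HIT_F386         = 1u << 8  /* cmp ax,0F386h: the system-debugger magic number */
};

typedef struct { const uint8_t *pat; size_t len; unsigned flag; } sig_t;

/* 16-bit encodings of the instruction sequences quoted in the text. */
static const uint8_t s_bchk[]  = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh */
static const uint8_t s_sidi[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t s_2f_si[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h ; mov bx,202h ; int 2Fh */
static const uint8_t s_2f_sw[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t s_41_4f[] = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh ; int 41h */
static const uint8_t s_68_43[] = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h ; int 68h */
static const uint8_t s_vxd41[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};      /* push 4Fh ; push 2A002Ah */
static const uint8_t s_f386[]  = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h */

#define BIN_SIG(arr, f) { (arr), sizeof(arr), (f) }
#define STR_SIG(str, f) { (const uint8_t *)(str), sizeof(str) - 1, (f) }

static const sig_t SIGS[] = {
    BIN_SIG(s_bchk,  HIT_BCHK),
    BIN_SIG(s_sidi,  HIT_INT3_MAGIC),
    BIN_SIG(s_2f_si, HIT_INT2F_SICE),
    BIN_SIG(s_2f_sw, HIT_INT2F_SIWVID),
    BIN_SIG(s_41_4f, HIT_INT41_4F),
    BIN_SIG(s_68_43, HIT_INT68_43),
    BIN_SIG(s_vxd41, HIT_VXDCALL_41),
    BIN_SIG(s_f386,  HIT_F386),
    STR_SIG("\\\\.\\SICE",   HIT_DEVNAME),
    STR_SIG("\\\\.\\SIWVID", HIT_DEVNAME),
    STR_SIG("\\\\.\\NTICE",  HIT_DEVNAME),
};

/* Returns the OR of the HIT_* flags whose pattern occurs anywhere in buf. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
            if (off + SIGS[i].len <= len &&
                memcmp(buf + off, SIGS[i].pat, SIGS[i].len) == 0)
                hits |= SIGS[i].flag;
    return hits;
}

const char *hit_name(unsigned flag)
{
    switch (flag) {
    case HIT_BCHK:         return "method 01: int 3 'BCHK' BoundsChecker probe";
    case HIT_INT3_MAGIC:   return "method 02: int 3 back door (SI=4647h, DI=4A4Dh)";
    case HIT_INT2F_SICE:   return "method 03: int 2Fh/1684h, VxD ID 0202h (SICE)";
    case HIT_INT2F_SIWVID: return "method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)";
    case HIT_INT41_4F:     return "method 05/06: int 41h function 4Fh";
    case HIT_INT68_43:     return "method 07: int 68h function 43h";
    case HIT_DEVNAME:      return "method 11: SoftICE device name (MeltICE)";
    case HIT_VXDCALL_41:   return "method 12: VxDCall VWIN32_Int41Dispatch(4Fh)";
    case HIT_F386:         return "cmp ax,0F386h (debugger magic number)";
    default:               return "?";
    }
}

/* Constructed sample: the method 01 probe, the Haspinst-style int 3 back
 * door call from method 02 and a MeltICE device name, with filler around. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xBD,0x4B,0x48,0x43,0x42,      /* mov ebp,4243484Bh */
    0xB8,0x04,0x00,                /* mov ax,4 */
    0xCC,                          /* int 3 */
    0x3C,0x04,                     /* cmp al,4 */
    0x75,0x10,                     /* jnz SoftICE_Detected */
    0xB8,0x11,0x09,                /* mov ax,0911h */
    0x8B,0x17,                     /* mov dx,[bx] */
    0xBE,0x47,0x46,                /* mov si,4647h */
    0xBF,0x4D,0x4A,                /* mov di,4A4Dh */
    0xCC,                          /* int 3 */
    '\\','\\','.','\\','S','I','C','E',0,
    0xC3                           /* ret */
};

unsigned scan_sample(void) { return scan_anti_softice(SAMPLE, sizeof SAMPLE); }

int main(void)
{
    unsigned hits = scan_sample();
    for (unsigned f = 1; f <= HIT_F386; f <<= 1)
        if (hits & f) printf("%s\n", hit_name(f));
    return 0;
}
```

Run it over the unpacked image rather than the packed file: the tricks of methods 01 and 02 live in the packer's stub and the string of method 11 is usually only visible after decryption, which is exactly why the breakpoints above remain the reliable way to find them.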
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; offsets 0x13 and 0x37 are where 'tICE' sits in
key #2 and in key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>