About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with ebp='BCHK' and
ax=4, the int 3 is answered by SoftICE, which returns with al changed.
Without SoftICE the int 3 falls through and al is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
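An added example (not part of the original post, and not code from HASP or from NuMega): a small C scanner that finds the Method 01 and Method 02 sequences in raw code bytes by their immediates and a nearby INT 3. The x86 encodings it relies on are the standard ones (mov si,imm16 = BE iw, mov di,imm16 = BF iw, mov ax,imm16 = B8 iw, mov ebp,imm32 = BD id, int 3 = CC); the sample buffer is constructed here by re-encoding the listings above, not extracted from Haspinst.exe.

```c
/* Added example, not part of the original post: a byte-pattern scanner for the
 * INT 3 sequences of Methods 01 and 02.  It looks for the immediates named above
 * ('BCHK' -> ebp, 4647h -> si, 4A4Dh -> di, 0910h-0914h -> ax) in their standard
 * x86 MOV-immediate encodings and requires an INT 3 (CCh) shortly afterwards.
 * The sample buffer is constructed (re-encoded from the listings), not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BCHK_MAGIC   0x4243484BUL   /* 'BCHK' as loaded into ebp (Method 01) */
#define SI_MAGIC     0x4647         /* 'FG' (Method 02) */
#define DI_MAGIC     0x4A4D         /* 'JM' (Method 02) */
#define WINDOW       16             /* max bytes between the magic MOV and INT 3 */
#define MAX_HITS     8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if a CCh byte lies in [from, from+window) */
static int int3_follows(const uint8_t *b, size_t len, size_t from, size_t window) {
    for (size_t i = from; i < len && i < from + window; i++)
        if (b[i] == 0xCC) return 1;
    return 0;
}

/* Back-door function number (mov ax,09xxh = B8 xx 09) found in the `window`
 * bytes before `at`, or 0 if none. */
static int backdoor_func_before(const uint8_t *b, size_t at, size_t window) {
    size_t start = at > window ? at - window : 0;
    for (size_t k = start; k + 3 <= at; k++) {
        uint16_t imm = rd16(b + k + 1);
        if (b[k] == 0xB8 && imm >= 0x0910 && imm <= 0x0914) return imm;
    }
    return 0;
}

/* Results of the last scan_backdoor() call, kept global so they can be
 * inspected without allocating. */
size_t g_hit_off[MAX_HITS];   /* offset of the first magic MOV of each hit        */
int    g_hit_kind[MAX_HITS];  /* 1 = Method 01 (BCHK), 2 = Method 02 (back door) */
int    g_hit_func[MAX_HITS];  /* AX function for kind 2, else 0                   */

/* Scans b[0..len) and returns the number of suspicious sequences found. */
int scan_backdoor(const uint8_t *b, size_t len) {
    int n = 0;
    for (size_t i = 0; i + 3 <= len; i++) {
        /* Method 01: mov ebp,'BCHK' is BD id in 32-bit code (66 BD id in 16-bit
         * code); a 66h prefix sits at i-1 and needs no special handling. */
        if (b[i] == 0xBD && i + 5 <= len && rd32(b + i + 1) == BCHK_MAGIC &&
            int3_follows(b, len, i + 5, WINDOW)) {
            if (n < MAX_HITS) { g_hit_off[n] = i; g_hit_kind[n] = 1; g_hit_func[n] = 0; }
            n++;
            continue;
        }
        /* Method 02: mov si,4647h (BE 47 46) ... mov di,4A4Dh (BF 4D 4A) ... int 3 */
        if (b[i] == 0xBE && rd16(b + i + 1) == SI_MAGIC) {
            for (size_t j = i + 3; j + 3 <= len && j < i + 3 + WINDOW; j++) {
                if (b[j] == 0xBF && rd16(b + j + 1) == DI_MAGIC &&
                    int3_follows(b, len, j + 3, WINDOW)) {
                    if (n < MAX_HITS) {
                        g_hit_off[n] = i; g_hit_kind[n] = 2;
                        g_hit_func[n] = backdoor_func_before(b, i, WINDOW);
                    }
                    n++;
                    break;
                }
            }
        }
    }
    return n;
}

/* Constructed sample: a 32-bit Method 01 check, filler containing a bare INT 3
 * (must not be reported), then the 16-bit Haspinst.exe loop re-encoded. */
const uint8_t SAMPLE[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov  ebp, 4243484Bh  ; 'BCHK' */
    0x66, 0xB8, 0x04, 0x00,         /* mov  ax, 4 */
    0xCC,                           /* int  3 */
    0x3C, 0x04,                     /* cmp  al, 4 */
    0x75, 0x10,                     /* jnz  SoftICE_Detected */
    0x90, 0x90, 0xCC, 0x90,         /* nop / nop / int 3 / nop (filler) */
    0xB8, 0x11, 0x09,               /* mov  ax, 0911h */
    0x8B, 0x17,                     /* mov  dx, [bx] */
    0xBE, 0x47, 0x46,               /* mov  si, 4647h */
    0xBF, 0x4D, 0x4A,               /* mov  di, 4A4Dh */
    0xCC,                           /* int  3 */
    0x83, 0xC3, 0x02,               /* add  bx, 2 */
    0x41,                           /* inc  cx */
    0x83, 0xF9, 0x06,               /* cmp  cx, 6 */
    0x72, 0xEB,                     /* jb   loop */
    0xE9, 0x55, 0xFF,               /* jmp  0002 */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void) {
    int n = scan_backdoor(SAMPLE, SAMPLE_LEN);
    for (int k = 0; k < n && k < MAX_HITS; k++) {
        if (g_hit_kind[k] == 2)
            printf("offset %zu: Method 02 back door, AX=%04Xh\n", g_hit_off[k], g_hit_func[k]);
        else
            printf("offset %zu: Method 01 'BCHK' check\n", g_hit_off[k]);
    }
    return 0;
}
```

The 16-byte window is a tuning knob: the Haspinst loop has its three MOVs and the INT 3 within 9 bytes, but a compiler or packer may interleave other instructions. A bare CCh without the magic values is ignored, which keeps ordinary int 3 padding out of the results.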
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): if the VxD is loaded, the call returns a non-null
ES:DI entry point.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler (a bare iret), so that with no debugger installed ax comes
back unchanged; only a system debugger hooking int 41h answers 0F386h:

    xor     ax, ax
    mov     es, ax          ; es=0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
replacement handler copies al into cl, so after the int 41h cl equals al
only if the program's own handler really ran. If the interrupt is
intercepted and not chained, cl stays 0.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value, just something to compare
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (dr0 to dr3) simply
by reading their value (in ring0 only). Values can be manipulated and/or
changed as well (clearing BPMs for instance).
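An added example that is not part of the original text: the DR7 decoding behind Method 10, written in C. It assumes the DR7 bit layout from the Intel manual (L/G enable bits 0-7, LE bit 8, GE bit 9, bit 10 always reads as 1, GD bit 13, R/W and LEN fields from bit 16), takes register values as plain numbers (reading DR0-DR7 for real needs ring 0 and is not done here), and uses constructed snapshots: the 0x700 and 0x400 quoted above, plus one with a 4-byte write BPM armed in DR0.

```c
/* Added example, not part of the original post: decoding DR7 the way Method 10
 * uses it.  Bit layout from the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8,
 * GE bit 9, bit 10 always reads as 1, GD bit 13, then R/Wn (2 bits) and LENn
 * (2 bits) per breakpoint from bit 16.  Reading the real registers takes ring 0
 * (mov eax, dr7) and is not done here; the register snapshots are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dr_state  { uint32_t dr0, dr1, dr2, dr3, dr7; };
struct hwbp      { uint32_t addr; int enabled; const char *type; int len; };
struct dr_report { int le, ge, gd, n_enabled; struct hwbp bp[4]; };

static const char *rw_name(unsigned rw) {
    /* R/W field: 00 execute, 01 data write, 10 I/O (with CR4.DE), 11 data read/write */
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}
static int len_bytes(unsigned len) {
    /* LEN field: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit mode only) */
    static const int bytes[] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

struct dr_report decode_debug_regs(const struct dr_state *s) {
    struct dr_report r;
    uint32_t addr[4] = { s->dr0, s->dr1, s->dr2, s->dr3 };
    memset(&r, 0, sizeof r);
    r.le = (s->dr7 >> 8) & 1;
    r.ge = (s->dr7 >> 9) & 1;
    r.gd = (s->dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (s->dr7 >> (2 * i)) & 1;
        unsigned global = (s->dr7 >> (2 * i + 1)) & 1;
        r.bp[i].addr    = addr[i];
        r.bp[i].enabled = local || global;
        r.bp[i].type    = rw_name((s->dr7 >> (16 + 4 * i)) & 3);
        r.bp[i].len     = len_bytes((s->dr7 >> (18 + 4 * i)) & 3);
        r.n_enabled    += r.bp[i].enabled;
    }
    return r;
}

/* The check the text describes: 0x700 is bit 10 plus LE and GE (what the SoftICE
 * loader leaves behind), 0x400 is the clean value, and any L/G bit set means a
 * hardware breakpoint (a BPM) is armed. */
int looks_like_softice(const struct dr_state *s) {
    struct dr_report r = decode_debug_regs(s);
    return (r.le && r.ge) || r.n_enabled > 0;
}

/* Small accessors for one decoded breakpoint slot */
int         bp_len (const struct dr_state *s, int i) { struct dr_report r = decode_debug_regs(s); return r.bp[i].len;  }
const char *bp_type(const struct dr_state *s, int i) { struct dr_report r = decode_debug_regs(s); return r.bp[i].type; }
uint32_t    bp_addr(const struct dr_state *s, int i) { struct dr_report r = decode_debug_regs(s); return r.bp[i].addr; }

/* Constructed snapshots (not captured from a machine) */
const struct dr_state SAMPLE_CLEAN  = { 0, 0, 0, 0, 0x00000400 };
const struct dr_state SAMPLE_LOADER = { 0, 0, 0, 0, 0x00000700 };
/* BPMD 401000 W: DR0=401000h, L0 set, R/W0=01 (write), LEN0=11 (4 bytes) */
const struct dr_state SAMPLE_BPM    = { 0x00401000, 0, 0, 0, 0x000D0401 };

static void print_report(const char *name, const struct dr_state *s) {
    struct dr_report r = decode_debug_regs(s);
    printf("%s: dr7=%08x LE=%d GE=%d GD=%d -> %s\n", name, (unsigned)s->dr7,
           r.le, r.ge, r.gd, looks_like_softice(s) ? "debugger suspected" : "clean");
    for (int i = 0; i < 4; i++)
        if (r.bp[i].enabled)
            printf("  dr%d=%08x %s len=%d\n", i, (unsigned)r.bp[i].addr, r.bp[i].type, r.bp[i].len);
}

int main(void) {
    print_report("clean ", &SAMPLE_CLEAN);
    print_report("loader", &SAMPLE_LOADER);
    print_report("bpm   ", &SAMPLE_BPM);
    return 0;
}
```

The same decoder is what a program doing the check in a VxD would run on the values it reads; the only ring-0 part is the mov from the debug registers.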

. T! K( F9 j. l$ Q5 I- V* \- c! V__________________________________________________________________________9 H5 ~& m5 z8 d6 x

& }/ Z7 Y9 R. y0 fMethod 11
2 a; x$ m: A) Q=========
$ y) ]! c1 ^9 }3 j1 F8 o- X# f+ x
* x' K( ~) {4 X4 H3 i& U9 H$ q! RThis method is most known as 'MeltICE' because it has been freely distributed9 g6 ^6 |+ L) O
via www.winfiles.com. However it was first used by NuMega people to allow
! \2 Z$ I9 N0 B# mSymbol Loader to check if SoftICE was active or not (the code is located- [; n  C& r! y* \- u4 I
inside nmtrans.dll).
9 A% d& T) p7 d" x+ {1 T2 l) x4 |6 ]4 h$ Q1 H& a. c4 V/ }
The way it works is very simple:
5 m9 r7 w  {1 R4 T* @1 [It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
5 D, n& q0 S1 \! B6 \$ @) YWinNT) with the CreateFileA API.
/ B* C. {6 i7 C2 E: {( p: F5 p+ ?: w! Z# Q
Here is a sample (checking for 'SICE'):
( @& }4 D, |3 d/ N- S+ ]
$ H) A9 O4 {) f5 u0 }! CBOOL IsSoftIce95Loaded()# N# y* y3 n  y; _
{& x' V# D& X% Z/ Z5 W, V
   HANDLE hFile;  % v6 g7 O/ U2 }) g  z
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
) E7 C3 x# [9 l: m* B                      FILE_SHARE_READ | FILE_SHARE_WRITE,
0 z! N4 J# k  g* y/ [                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ q- o; ~- r3 l) ]( ]   if( hFile != INVALID_HANDLE_VALUE )
) s5 I, v' G; f9 |6 ^  n% `   {' c6 {" s/ h% f
      CloseHandle(hFile);+ l$ @7 K. `8 l. e! F4 W
      return TRUE;: Y" _0 Y% _/ |& ~# Z; a& {) e
   }! x: U5 [/ g1 ]7 c
   return FALSE;
4 R4 t' T% d# ^}; U. J" }' b, ], Q

) |, w) i5 ?7 w8 e. Q% BAlthough this trick calls the CreateFileA function, don't even expect to be0 k$ x7 J! F3 w! {& u: a
able to intercept it by installing a IFS hook: it will not work, no way!- X# _' k. ^3 v  b- Y
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
9 b+ F0 M( y3 P* p9 n+ Uservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function); ]2 j) H+ i: }9 C( Z9 t3 Y
and then browse the DDB list until it find the VxD and its DDB_Control_Proc) \* i4 t8 D9 A
field.
; w: x  A3 [2 U4 W9 A5 h1 a* jIn fact, its purpose is not to load/unload VxDs but only to send a
9 S- x7 g  {, p$ Y. M9 X* JW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)& P  F/ J! U, ~
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
# }. E/ e1 c' k1 I* ]to load/unload a non-dynamically loadable driver such as SoftICE ;-).
5 S, I# ]$ U% O4 `9 b" {If the VxD is loaded, it will always clear eax and the Carry flag to allow- ?! q9 r, n. i
its handle to be opened and then, will be detected.
  V/ w( P- L% H/ dYou can check that simply by hooking Winice.exe control proc entry point& F0 H: P) r$ {
while running MeltICE.% L1 q! r% Y) N4 e% @- y& p  V4 O

, n' a! M) i0 O) R' o" V2 f7 y* f" k( U. K: W
  00401067:  push      00402025    ; \\.\SICE
5 Y# X& |, w: [  b: R8 O3 Z  0040106C:  call      CreateFileA
) A$ Z- V" }- _1 N! H  @  00401071:  cmp       eax,-0010 e! T/ c) G/ a, h* Q  m
  00401074:  je        00401091
9 g7 k& v) a/ G( F. _+ f( A1 a5 ^1 F8 J' j' S  m" R. [2 |
, z6 K. S/ L4 m
There could be hundreds of BPX you could use to detect this trick.
$ }2 H( y. K- [4 F* h2 i-The most classical one is:3 e: c  }) i% k2 c* [
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||6 N, t; x: L, Q* M+ O
    *(esp-&gt;4+4)=='NTIC'8 k" p- t7 B; v2 L
8 P3 m( n4 w6 \1 H1 j' E
-The most exotic ones (could be very slooooow :-(
( E" P; |- Q- N# B   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
, V6 |* K. I4 r     ;will break 3 times :-(
5 u/ S$ B0 [" ?+ V
' w# s' p8 ?4 O. \% g-or (a bit) faster: . N5 H5 ?2 b) X( H+ p2 S' |: R
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')* @8 X" \& Q5 v* _) {8 K5 n
1 g( V. E3 h3 q, l$ p6 a
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  2 p- D  ^: }8 E" U
     ;will break 3 times :-(
8 U' u: a& w' |; A) w3 p0 e, G3 o' \5 C5 ^. f6 ~
-Much faster:% @% F# t$ ?5 Y, v
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
$ l9 q( A2 Z( W9 u. i0 ?6 y: \$ B$ A) y3 P
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
- Y3 h0 K% I5 i7 u( |8 \/ f+ Ofunction to do the same job:
( H! ~1 p) x  M6 C! n
$ u4 t9 d- ]  k7 {   push    00                        ; OF_READ
, X0 P; _4 A4 t# u. O$ h) N   mov     eax,[00656634]            ; '\\.\SICE',0
; T# p- L: ?( u. w6 I! q1 z( H   push    eax. j' g* X" a  y& u3 L* e. D9 X* \" t
   call    KERNEL32!_lopen
' `- ~% ^. Q- I: L  M$ E& e1 J   inc     eax
+ n5 R- E0 j( O. Q. S) g+ I   jnz     00650589                  ; detected
5 @  t  v, Q6 z! ], {9 @8 {: ]   push    00                        ; OF_READ
6 Y* G* ~" L" Z# R0 ^) ~   mov     eax,[00656638]            ; '\\.\SICE'+ Y* e7 X* S. ^! h) H( c8 |0 T- d
   push    eax
! a/ y" Q- B( P   call    KERNEL32!_lopen
, l  D+ x; ~! M) I# p2 k& ?* ~$ A   inc     eax
; u9 _" D9 g7 A6 X   jz      006505ae                  ; not detected# m" h% j. s1 U  f0 l7 a: R' }
$ I* k5 A8 k, t1 U- j  z4 t

2 F0 _: h, Z8 s- t$ Z) [% m4 A__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
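An added example (not part of the original post) that evaluates the conditional breakpoints of Method 11 (BPX CreateFileA) and Method 13 (BPX _regopenkey) in C against the strings the program passes, to show where the +4 and the 0x13/0x37 offsets come from. It assumes SoftICE's convention that esp->4 / esp->8 are the first / second stack argument (lpFileName / lpSubKey) and that a quoted literal such as 'SICE' compares against memory in string order; the device names and registry subkeys are constructed inputs.

```c
/* Added example, not part of the original post: the conditional breakpoints of
 * Methods 11 and 13 evaluated in C on the strings the program passes.  Assumed
 * SoftICE conventions: esp->4 / esp->8 are the first / second stack argument, and
 * a quoted four-character literal compares against the four bytes at the address
 * in string order.  All inputs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian dword at byte offset `off` of a buffer of `len` bytes; an
 * out-of-range read yields 0 instead of touching neighbouring memory. */
static uint32_t dword_at(const char *mem, size_t len, size_t off) {
    const unsigned char *p;
    if (off + 4 > len) return 0;
    p = (const unsigned char *)mem + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 'SICE' in a SoftICE expression: first character in the lowest byte */
static uint32_t lit(const char *four) { return dword_at(four, 4, 0); }

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * The +4 skips the "\\.\" prefix, so \\.\SIWVID and \\.\NTICE match on the
 * first four bytes of their names. */
int bpx_createfile_hits(const char *lpFileName) {
    size_t len = strlen(lpFileName) + 1;             /* the NUL is in memory too */
    uint32_t v = dword_at(lpFileName, len, 4);
    return v == lit("SICE") || v == lit("SIWV") || v == lit("NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * 0x13 and 0x37 are where "tICE" sits in "Software\NuMega\SoftICE" and in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int bpx_regopenkey_hits(const char *lpSubKey) {
    size_t len = strlen(lpSubKey) + 1;
    return dword_at(lpSubKey, len, 0x13) == lit("tICE") ||
           dword_at(lpSubKey, len, 0x37) == lit("tICE");
}

/* Where such an offset comes from: byte position of `needle` in `s`, or -1. */
long offset_of(const char *s, const char *needle) {
    const char *p = strstr(s, needle);
    return p ? (long)(p - s) : -1;
}

/* Constructed inputs */
const char *const DEV_SICE   = "\\\\.\\SICE";
const char *const DEV_SIWVID = "\\\\.\\SIWVID";
const char *const DEV_NTICE  = "\\\\.\\NTICE";
const char *const DEV_OTHER  = "\\\\.\\PhysicalDrive0";
const char *const KEY_1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
const char *const KEY_2 = "Software\\NuMega\\SoftICE";
const char *const KEY_3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

int main(void) {
    const char *const devs[] = { DEV_SICE, DEV_SIWVID, DEV_NTICE, DEV_OTHER };
    const char *const keys[] = { KEY_1, KEY_2, KEY_3 };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(\"%s\"): %s\n", devs[i],
               bpx_createfile_hits(devs[i]) ? "break" : "pass");
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\"): %s (\"tICE\" at offset %ld)\n", keys[i],
               bpx_regopenkey_hits(keys[i]) ? "break" : "pass",
               offset_of(keys[i], "tICE"));
    return 0;
}
```

Key #3 from the list above is not caught by the breakpoint as written (neither offset holds "tICE" there). Computing the offset the same way gives 0x34 for "Load" in that subkey, so `*(esp->8+0x34)=='Load'` could be appended to the condition; that extension is mine, not from the original.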

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>