About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE implements on INT 3:
with EBP holding the 'BCHK' signature and AX = 4, SoftICE services the
INT 3 and changes AL (the check only needs AL to be no longer 4);
with no debugger present, INT 3 returns with AL untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; serviced by SoftICE if it is loaded
    cmp     al,4                   ; AL still 4 -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It calls
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point), which returns the entry point in ES:DI.
ES:DI is zeroed first so that the check works whether the call clears
ES:DI or simply leaves it untouched when no VxD with that ID is loaded.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant as well as the one in Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the real-mode int 41h
vector at a dummy IRET handler, so AX can only come back as 0F386h if the
interrupt was intercepted before it reached the real-mode vector, which is
what SoftICE does:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT (the original
                                    ; listing omitted this setup)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our dummy handler ...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ... and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd variant, similar to the preceding one but more difficult to detect:
instead of checking for the magic number, it installs its own int 41h
handler that copies AL into CL, loads AL with a byte read from the timer
port (40h), clears CX and issues int 41h. If the interrupt reached the
handler, CL equals AL afterwards; if SoftICE handled it without passing it
on, CL is still 0. (The check accepts a 1/256 false negative, when the
timer byte happens to be 0.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from PIT counter 0
    xor     cx,cx
    int     41h                     ; no function code: anything that does
                                    ; not chain to our handler is caught
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode debugger
installation check, AH = 43h):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
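
To make the DR7 test concrete, here is an added example (not from the original text) that decodes a DR7 value the way a ring-0 check would, using the IA-32 debug-register layout: bits 0-7 are the local/global enables for DR0-DR3, bits 8 and 9 are LE/GE (the difference between the 0x700 and 0x400 values quoted above), bit 10 always reads as 1, and bits 16-31 hold the R/W and LEN fields of each breakpoint. The armed values in the demonstration are constructed, standing for the kind of global write breakpoint a SoftICE BPM would set; nothing here touches the real registers.

```c
/* dr7_decode.c - interpret the DR7 value a ring-0 anti-debug check reads.
 * Added example for this page; layout is the IA-32 debug-register format.
 * Build: cc -std=c99 -Wall -o dr7_decode dr7_decode.c */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE   (1u << 8)   /* local exact breakpoint enable            */
#define DR7_GE   (1u << 9)   /* global exact breakpoint enable           */
#define DR7_RSVD (1u << 10)  /* reserved, always reads as 1              */
#define DR7_GD   (1u << 13)  /* general detect: fault on any MOV DRn     */

typedef struct {
    int      slot;           /* 0..3 -> DR0..DR3                          */
    int      local, global;  /* L_i / G_i enable bits                     */
    unsigned rw;             /* 0 exec, 1 write, 3 read/write (2 = I/O)   */
    unsigned len;            /* 1, 2 or 4 bytes (8 only in 64-bit mode)   */
} hwbp_t;

static unsigned len_bytes(unsigned code)
{
    switch (code) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* Decode every armed breakpoint in dr7 into out[]; return how many there are.
 * This is the "memory breakpoints set (dr0 to dr3)" test from Method 10. */
static int dr7_decode(uint32_t dr7, hwbp_t out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        if (!local && !global)
            continue;
        out[n].slot   = i;
        out[n].local  = local;
        out[n].global = global;
        out[n].rw     = (dr7 >> (16 + 4 * i)) & 3;
        out[n].len    = len_bytes((dr7 >> (18 + 4 * i)) & 3);
        n++;
    }
    return n;
}

/* LE/GE are what separate the 0x700 (SoftICE loader) from the 0x400 value. */
static int dr7_exact_enabled(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) != 0;
}

/* Arm slot i as a global breakpoint with raw 2-bit R/W and LEN encodings,
 * i.e. what a debugger's BPM command does before writing DR7. */
static uint32_t dr7_arm(uint32_t dr7, int i, unsigned rw, unsigned lencode)
{
    dr7 &= ~(0xFu << (16 + 4 * i));                 /* clear old R/W + LEN */
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * i);
    dr7 |= (uint32_t)(lencode & 3) << (18 + 4 * i);
    return dr7 | (1u << (2 * i + 1));               /* set G_i */
}

/* What "clearing BPMs" amounts to: drop every enable bit, every R/W-LEN
 * field and LE/GE, keeping only the reserved bit (0x700 becomes 0x400). */
static uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & DR7_RSVD;
}

int main(void)
{
    /* Constructed value: 0x700 as quoted above, plus a 4-byte write
     * breakpoint in DR0 and an execute breakpoint in DR2. */
    uint32_t dr7 = dr7_arm(dr7_arm(0x700, 0, 1, 3), 2, 0, 0);
    hwbp_t bp[4];
    int n = dr7_decode(dr7, bp);

    printf("DR7=%08x exact=%d armed=%d\n", dr7, dr7_exact_enabled(dr7), n);
    for (int i = 0; i < n; i++)
        printf("  DR%d %s rw=%u len=%u\n", bp[i].slot,
               bp[i].global ? "global" : "local", bp[i].rw, bp[i].len);
    printf("after clearing BPMs: %08x\n", dr7_clear_bpm(dr7));
    return 0;
}
```

A protector that wants to look clean to its own check writes the cleared value back, which is exactly why the warning at the top of this method tells you to drop your breakpoints first: a BPM armed while the protected code runs this test is both detected and silently removed.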

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Opening the device name only succeeds when the matching driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; -1 = INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey string; offset 0x13 is where "tICE" sits in
     "Software\NuMega\SoftICE" and 0x37 where it sits in the #1 path)
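
The byte sequences in these methods are what a reverse engineer ends up grepping for when a protector refuses to run under SoftICE. The scanner below is an added example written for this page, not code from the original article or from any tool it names: it encodes the operand-level idioms of Methods 01 through 08 and the VxDCall form of Method 12 as masked byte patterns (the 16-bit encodings shown in the listings; the 66h-prefixed 32-bit forms of the register moves are not covered), plus the device names of Method 11 and the registry path of Method 13 as plain strings. The sample buffer is constructed for the demonstration and comes from no real binary. The patterns are heuristics: they will also flag innocent code that happens to use the same instruction sequences (the int 21h/25h idiom in particular), so treat a hit as a place to look, not a verdict.

```c
/* softice_sigs.c - scan a raw code/data blob for the anti-SoftICE idioms
 * catalogued above. Added example for this page, not code from the original
 * article. Build: cc -std=c99 -Wall -o softice_sigs softice_sigs.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANY 0x100                  /* wildcard element: matches any byte */

typedef struct { const char *name; const int *pat; int len; } sig_t;
typedef struct { const char *name; size_t off; } hit_t;

/* 16-bit (DOS) encodings as in the listings above; 32-bit code adds a 66h
 * operand-size prefix to the 16-bit register moves and is not covered. */
static const int m01[] = {0xBD,0x4B,0x48,0x43,0x42};                   /* mov ebp,4243484Bh 'BCHK'            */
static const int m02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};         /* mov si,4647h; mov di,4A4Dh; int 3   */
static const int m03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F};    /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const int m04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F};    /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const int m05[] = {0xB8,0x4F,0x00,0xCD,0x41};                   /* mov ax,4Fh; int 41h                 */
static const int m07[] = {0xB4,0x43,0xCD,0x68};                        /* mov ah,43h; int 68h                 */
static const int m08[] = {0xB4,0x25,0xB0,0x03,0xBA,ANY,ANY,0xCD,0x21}; /* mov ah,25h; mov al,3; mov dx,?; int 21h (use 01 for int 1) */
static const int m12[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};         /* push 4Fh; push 002A002Ah (32-bit)   */
static const int mag[] = {0x3D,0x86,0xF3};                             /* cmp ax,0F386h (Methods 05/07/12)    */

#define SIG(n, p) { n, p, (int)(sizeof(p) / sizeof(p[0])) }
static const sig_t sigs[] = {
    SIG("M01 BoundsChecker int 3",            m01),
    SIG("M02 int 3 back door (SI=FG, DI=JM)", m02),
    SIG("M03 int 2F/1684 VxD 0202 (SICE)",    m03),
    SIG("M04 int 2F/1684 VxD 7A5F (SIWVID)",  m04),
    SIG("M05 int 41/4F debugger check",       m05),
    SIG("M07 int 68/43 V86 debugger check",   m07),
    SIG("M08 int 21/25 hook of int 3",        m08),
    SIG("M12 VxDCall VWIN32_Int41Dispatch",   m12),
    SIG("magic number F386h compare",         mag),
};

/* Device names (Method 11) and registry path (Method 13), as plain strings. */
static const char *strs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "Software\\NuMega\\SoftICE",
};

static int match_at(const uint8_t *p, const int *pat, int len)
{
    for (int i = 0; i < len; i++)
        if (pat[i] != ANY && p[i] != (uint8_t)pat[i])
            return 0;
    return 1;
}

/* Scan buf[0..n) at every offset for every signature and string. Records up
 * to max hits (name + offset, in offset order); returns the total found. */
static int scan(const uint8_t *buf, size_t n, hit_t *hits, int max)
{
    int found = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
            if (off + (size_t)sigs[s].len <= n &&
                match_at(buf + off, sigs[s].pat, sigs[s].len)) {
                if (found < max) { hits[found].name = sigs[s].name; hits[found].off = off; }
                found++;
            }
        }
        for (size_t s = 0; s < sizeof strs / sizeof strs[0]; s++) {
            size_t l = strlen(strs[s]);
            if (off + l <= n && memcmp(buf + off, strs[s], l) == 0) {
                if (found < max) { hits[found].name = strs[s]; hits[found].off = off; }
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample (not from a real binary): filler, the Method 02 back door
 * loop from the Haspinst listing, a Method 03 probe, a magic compare and a
 * MeltICE device name. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x90,
    0xB8, 0x11, 0x09,                                   /* mov ax,0911h       */
    0x8B, 0x17,                                         /* mov dx,[bx]        */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,           /* si/di magic, int 3 */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,     /* int 2F/1684, SICE  */
    0x3D, 0x86, 0xF3,                                   /* cmp ax,0F386h      */
    'x', 'y', '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

static int scan_sample(hit_t *hits, int max)
{
    return scan(sample, sizeof sample, hits, max);
}

int main(int argc, char **argv)
{
    static uint8_t file[1 << 20];            /* first 1 MiB of a given file */
    hit_t hits[64];
    int found;

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(file, 1, sizeof file, f);
        fclose(f);
        found = scan(file, n, hits, 64);
    } else {
        found = scan_sample(hits, 64);
    }
    for (int i = 0; i < found && i < 64; i++)
        printf("%08lx  %s\n", (unsigned long)hits[i].off, hits[i].name);
    printf("%d hit(s)\n", found);
    return 0;
}
```

Run it with no argument to see the four hits in the constructed sample, or pass a packed executable to scan its first megabyte. Patterns with a wildcard (the dx operand of Method 08) are matched byte-for-byte except at the ANY positions, which is why the 16-bit listings above can be copied into the table directly, with the varying operand replaced.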
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>