About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
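As an added, analyst-side example that is not part of the original text: a small Python triage scanner that searches a binary for the byte encodings of several of the instruction sequences and device names listed above (Methods 01, 02, 03, 04, 05, 07, 11 and 12), so that a defender unpacking a sample can flag which anti-SoftICE checks it carries before tracing it. The SIGNATURES table and the SAMPLE buffer are constructed here; the encodings assume 16-bit operand size for the DOS-era sequences and a 32-bit mov for the 'BCHK' value.

```python
import re
import sys
from typing import Dict, List, Tuple

# Byte-level signatures for the checks described in the text. Each hex run is
# the x86 encoding of the immediates (B8+r = mov r16,imm16; BD = mov ebp,imm32;
# CD ib = int; B4 ib = mov ah,imm8; 6A/68 = push imm). 16-bit operand size is
# assumed for the DOS-era sequences. This table is constructed for the example.
SIGNATURES: Dict[str, bytes] = {
    "M01 BoundsChecker 'BCHK' in ebp":       rb"\xBD\x4B\x48\x43\x42",
    "M02 back door magic SI=4647h DI=4A4Dh": rb"\xBE\x47\x46\xBF\x4D\x4A",
    "M03 int 2Fh/1684h, VxD id 0202h":       rb"\xB8\x84\x16\xBB\x02\x02[\x00-\xff]{0,8}\xCD\x2F",
    "M04 int 2Fh/1684h, VxD id 7A5Fh":       rb"\xB8\x84\x16\xBB\x5F\x7A[\x00-\xff]{0,8}\xCD\x2F",
    "M05 int 41h function 4Fh":              rb"\xB8\x4F\x00\xCD\x41",
    "M07 int 68h function 43h":              rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name":               rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
    "M12 VxDCall 2A002Ah/4Fh":               rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(buf: bytes) -> List[str]:
    """Distinct method labels present in buf, in order of first occurrence."""
    seen: List[str] = []
    for _, name in scan(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed 16-bit code stub (not taken from any real file) carrying three
# of the checks: the HASP-style back door call (M02), the int 41h/4Fh query
# (M05) and a MeltICE device-name string (M11).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\xBE\x47\x46"          # mov si,4647h          (offset 7)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh / int 41h  (offset 17)
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0          (offset 25)
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

A hit only says the bytes are present; confirm with a disassembler that they sit in reachable code rather than in data, and extend the table for 32-bit encodings (66h prefix) when the target is not a DOS stub.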