<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE (int 3 with EBP = 'BCHK'
and AX = 4): if SoftICE is loaded, AL no longer equals 4 on return.

 mov ebp, 04243484Bh      ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is non-zero on return only if the VxD
is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h            ; VxD ID of WINICE
 int 2Fh
 mov ax, es               ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh            ; VxD ID of SIWVID
 int 2fh
 mov ax, es               ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as the method that follows, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler (a bare iret), so ax comes back unchanged unless a
debugger intercepts the interrupt before the installed handler:

 ; assumes ES = 0 (interrupt vector table), as set up in the next method
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]    ; (offset in dx, segment in bx)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, and al is first loaded with an unpredictable
value read from the timer port, so the check only passes if our own handler
actually ran.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]      ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h               ; timer counter: an unpredictable value in al
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al                ; cl == al only if int41handler was reached
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h              ; DOS: set interrupt vector
 mov al, Int_Number       ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE VxD as a device: this only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025  ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                  ; HFILE_ERROR (-1) becomes 0
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxDCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
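
As an added example (not part of the original text, and not from any of the
tools named on this page): a Python signature scanner an analyst can run over
a suspicious binary to flag the byte encodings of the checks from Methods 01
to 12. The opcode bytes are the standard x86 encodings of the instructions
listed above, the tolerance windows between them are my assumption, and the
SAMPLE buffer is constructed here rather than taken from a real program.

```python
import re

# Byte signatures for the SoftICE checks described in Methods 01-12.
# Encodings are standard 16/32-bit x86; in 32-bit code a 66h operand-size
# prefix precedes the opcode, so the patterns match both. Derived here for
# illustration, not taken from any tool. '.{0,n}?' tolerates a few
# instructions between the pieces of one check.
SIGNATURES = {
    "M01 BoundsChecker: mov ebp,4243484Bh ... int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    "M02 back door: mov si,4647h; mov di,4A4Dh ... int 3":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    "M03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL),
    "M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL),
    "M05 int 41h/4Fh then cmp ax,0F386h":
        re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
    "M07 int 68h/43h then cmp ax,0F386h":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,16}?\x3D\x86\xF3", re.DOTALL),
    "M11 MeltICE device name string":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    "M12 VxDCall VWIN32_Int41Dispatch: push 4Fh; push 002A002Ah":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan(blob: bytes) -> list:
    """Return [(offset, description), ...] sorted by offset for every hit."""
    hits = []
    for desc, rx in SIGNATURES.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: NOP filler with three of the checks embedded (not a
# real binary). Expected hits: M02 at 19, M05 at 42, M11 at 68.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"  # mov ax,4Fh; int 41h; cmp ax,0F386h; jz +5
    + b"\x90" * 16
    + b"\\\\.\\SICE\x00"                           # "\\.\SICE" as a C string
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:08x}  {desc}")
```

A hit only says the bytes are present; confirm in a disassembler that they are reachable code and not data.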

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>