<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: the SoftICE
int 3 back door recognizes 'BCHK' in EBP with AX=04h and answers by
modifying AL, so AL is no longer 4 on return.

 mov ebp, 04243484Bh    ; 'BCHK' (BoundsChecker magic)
 mov ax, 04h
 int 3                  ; with SoftICE loaded, its int 3 handler changes AL
 cmp al, 4              ; AL still 4 -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door commands', which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (an SEH in the
  original text) when the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point): ES:DI comes back as 0:0 when no
VxD with that ID is loaded.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of WINICE (SICE)
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di            ; 0 if the VxD is not present
 test ax, ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the ID of
the SoftICE GFX (video) VxD.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh         ; VxD ID of SIWVID
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:
 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so the call only returns 0F386h if a debugger has hooked int 41h in
front of it:

 xor ax, ax
 mov es, ax                ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; swap in the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h
 jz SoftICE_Detected

int41handler2 PROC
 iret                      ; no debugger: AX comes back unchanged (4Fh)
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, and AL is loaded from the timer port so its
value is unpredictable. If a debugger has hooked int 41h ahead of the dummy
handler, the handler never runs, CL stays 0 and the compare fails (unless
AL happens to read as 0, which makes this check probabilistic).

int41handler PROC
 mov cl, al                ; only reached if nothing intercepts int 41h
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax                ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]       ; install the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h                ; PIT counter: an unpredictable value in AL
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl, al
 jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the interrupt number being executed is at byte ptr [ebp+1Dh] and the
  client EIP is at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...).

 mov ah, 25h                ; DOS: set interrupt vector
 mov al, Int_Number         ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

 mov eax, Device_ID         ; 202h for SICE or 7A5Fh for SIWVID
 mov edi, Device_Name       ; only used if there is no VxD ID (useless here ;-)
 VMMCall Get_DDB
 mov [DDB], ecx             ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can also be manipulated or
changed (clearing BPMs, for instance).
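Added example (Python), not code from the original page: an offline decoder
for the DR0-DR7 values this method reads. Reading the debug registers needs
ring 0, so the decoder takes values already dumped by a driver or debugger
and shows what an anti-debug check infers from them: the 0x400 versus 0x700
difference above is the LE/GE bits, an armed BPM shows up as an L/G enable
bit plus RW/LEN fields, and 'clearing BPMs' is a mask over those fields.
The bit layout is Intel's DR7 layout; the sample register values are
constructed, and the encoding used for a 'BPMD ... RW' breakpoint is my
assumption of how such a breakpoint appears in DR7, not a SoftICE dump.

```python
"""Offline decoder for the debug-register values Method 10 reads (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # the 8-byte length exists only in 64-bit mode


@dataclass(frozen=True)
class Slot:
    index: int      # which of DR0..DR3 holds the address
    local: bool     # Ln: enabled for the current task
    glob: bool      # Gn: enabled for all tasks
    kind: str       # RWn field decoded
    length: int     # LENn field decoded, in bytes

    @property
    def enabled(self) -> bool:
        return self.local or self.glob


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its enable bits, control bits and per-slot fields."""
    slots = []
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append(Slot(i, bool((dr7 >> (2 * i)) & 1),
                          bool((dr7 >> (2 * i + 1)) & 1),
                          RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),                # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),                # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),   # reads as 1: the 0x400 floor
        "gd": bool((dr7 >> 13) & 1),               # general detect: DR access traps
    }


def debugger_signs(dr7: int) -> List[str]:
    """What an anti-debug check can infer from DR7 alone."""
    d = decode_dr7(dr7)
    signs = []
    if d["le"] or d["ge"]:
        signs.append("LE/GE set: the 0x700 pattern the page ties to the SoftICE loader")
    if any(s.enabled for s in d["slots"]):
        signs.append("hardware breakpoint slot(s) armed (BPM)")
    if d["gd"]:
        signs.append("GD set: something is trapping debug-register access")
    return signs


def describe_bpms(dr0_3: Sequence[int], dr7: int) -> List[str]:
    """Human-readable list of armed breakpoints from DRn addresses and DR7 fields."""
    out = []
    for s in decode_dr7(dr7)["slots"]:
        if s.enabled:
            scope = "global" if s.glob else "local"
            out.append(f"DR{s.index}: {s.kind}, {s.length} byte(s) @ "
                       f"0x{dr0_3[s.index]:08X} ({scope})")
    return out


def clear_bpms(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop the L/G enables and RW/LEN fields,
    keep LE/GE, GD and the reserved bit so the register stays well-formed."""
    return dr7 & 0x0000FF00


# Constructed sample values (not from a real dump):
DR7_NO_LOADER = 0x400      # bare reserved bit: nothing armed
DR7_LOADER = 0x700         # LE | GE | reserved bit, still nothing armed
DR7_BPMD_RW = 0xF0701      # assumption: slot 0 local, RW0=11 (read/write), LEN0=11 (4 bytes)
SAMPLE_DR0_3 = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    for name, v in [("0x400", DR7_NO_LOADER), ("0x700", DR7_LOADER),
                    ("BPMD rw", DR7_BPMD_RW)]:
        print(name, hex(v), debugger_signs(v), describe_bpms(SAMPLE_DR0_3, v))
    print("after clear_bpms:", hex(clear_bpms(DR7_BPMD_RW)))
```

The decoder deliberately keeps bit 10 and LE/GE when clearing: a protector
that writes 0 to DR7 outright is itself detectable, since bit 10 always
reads back as 1.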
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the Win9x VxD by its device name; "\\\\.\\SIWVID" and
       "\\\\.\\NTICE" are checked the same way */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver accepted the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ; will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ; will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                   ; OF_READ
 mov eax,[00656634]        ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                   ; HFILE_ERROR (-1) becomes 0
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax,[00656638]        ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

 push 0000004Fh            ; function 4Fh
 push 002A002Ah            ; high word selects the VxD (002Ah = VWIN32),
                           ; low word the service (002Ah = VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001    ; VxDCall
 cmp ax, 0F386h            ; magic number returned by system debuggers
 jz SoftICE_Detected

Here again, several ways to catch it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
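Added example (Python), not code from the original page or from any program
it mentions: a signature scanner that locates the idioms of Methods 01 to 13
in a binary, so the checks can be found and patched before the target is
run under the debugger. Each signature is the plain x86 encoding of the
instruction sequence or string shown in the corresponding method; the gaps
allowed between instructions, the optional file argument and the SAMPLE
bytes are my assumptions and constructions, not taken from a real protector.

```python
"""Static scanner for the SoftICE detection idioms of Methods 01-13 (added example)."""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    what: str


def _rx(pattern: bytes) -> re.Pattern:
    return re.compile(pattern, re.DOTALL)


# (method, description, regex over raw bytes). Gap windows ".{0,N}" are an assumption.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("01", "mov ebp,'BCHK' (BoundsChecker/SoftICE int 3 back door)",
     _rx(rb"\xbd\x4b\x48\x43\x42")),
    ("02", "mov si,4647h + mov di,4A4Dh (SoftICE int 3 magic values)",
     _rx(rb"\xbe\x47\x46.{0,6}\xbf\x4d\x4a")),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     _rx(rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f")),
    ("05", "mov ax,4Fh ... int 41h (debugger installation check)",
     _rx(rb"\xb8\x4f\x00.{0,16}\xcd\x41")),
    ("06", "in al,40h ... int 41h (handler-swap variant)",
     _rx(rb"\xe4\x40.{0,8}\xcd\x41")),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     _rx(rb"\x3d\x86\xf3")),
    ("07", "mov ah,43h ... int 68h (WinICE V86 handler)",
     _rx(rb"\xb4\x43.{0,6}\xcd\x68")),
    ("09", "mov eax,0202h/7A5Fh ... int 20h (VMMCall Get_DDB, approximate)",
     _rx(rb"\xb8(?:\x02\x02|\x5f\x7a)\x00\x00.{0,8}\xcd\x20")),
    ("10", "mov reg32,DRn (debug register read, ring 0 code)",
     _rx(rb"\x0f\x21[\xc0-\xff]")),
    ("11", "SoftICE device name (MeltICE-style CreateFileA/_lopen)",
     _rx(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     _rx(rb"\x68\x2a\x00\x2a\x00")),
    ("13", "NuMega SoftICE registry key string",
     _rx(rb"Software\\NuMega\\SoftICE")),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature match in offset order."""
    hits = [Hit(m.start(), method, what)
            for method, what, rx in SIGNATURES
            for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def report(hits: List[Hit]) -> str:
    return "\n".join(f"{h.offset:08X}  method {h.method.ljust(8)} {h.what}" for h in hits)


# Constructed sample: NOP filler with several of the idioms spliced in (not a real binary).
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # 02: mov ax,0911h; mov dx,[bx]; si/di magic; int 3
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # 03: xor di,di; mov es,di; ax=1684h; bx=0202h; int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                   # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
    + b"\x0f\x21\xf8"                                       # 10: mov eax,dr7
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # 11: device-name strings
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                       # 12: push 4Fh; push 002A002Ah
    + b"Software\\NuMega\\SoftICE\x00"                     # 13: registry key
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(scan(data)) or "no SoftICE detection idioms found")
```

Run it with a file argument (for example `python softice_sigs.py stub.bin`,
both names hypothetical) or with none to scan the constructed sample. A hit
on 'cmp ax,0F386h' alone is weak evidence, since a 3-byte constant recurs by
chance in large binaries; read it together with a nearby int 41h, int 68h or
VxDCall hit.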
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>