About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

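The two DR7 values quoted in Method 10 can be read off bit by bit. The Python below is an added example, not code from the original post: it decodes DR7 and the dr0..dr3 addresses the way an analyst would interpret the values a sample reads in its ring0 check; the register values used are constructed.

```python
# Added example, not from the original post: decode the debug registers that
# Method 10 reads, so the two DR7 values it quotes (0x700 vs 0x400) and any
# armed BPMs in dr0..dr3 can be read off. Register values below are constructed.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn field: 00=1, 01=2, 10=8 (long mode), 11=4


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the global flags and the list of enabled hardware breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1            # Ln enable bit
        glob = (dr7 >> (2 * n + 1)) & 1         # Gn enable bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3          # R/Wn: what triggers the break
        ln = (dr7 >> (18 + 4 * n)) & 3          # LENn: monitored width
        bps.append({"slot": n, "address": dr0_3[n], "kind": RW_KIND[rw],
                    "length": LEN_BYTES[ln],
                    "scope": "global" if glob else "local"})
    # Bit 10 (0x400) is reserved and always reads as 1, which is why a "clean"
    # DR7 is 0x400 rather than 0.
    return {"LE": bool(dr7 & 0x100),            # local exact breakpoint enable
            "GE": bool(dr7 & 0x200),            # global exact breakpoint enable
            "GD": bool(dr7 & 0x2000),           # general detect (traps mov to DRx)
            "breakpoints": bps}


def loader_hint(dr7):
    """The post's heuristic: LE|GE set gives 0x700 under the SoftICE loader, 0x400 otherwise."""
    flags = dr7 & 0x300
    if flags == 0x300:
        return "LE and GE set: matches the SoftICE loader value 0x700"
    if flags == 0:
        return "LE and GE clear: matches the plain value 0x400"
    return "only one of LE/GE set: neither value quoted in the post"


if __name__ == "__main__":
    # Constructed values: the two the post quotes, plus a 4-byte write BPM in slot 0.
    for dr7, drs in [(0x700, (0, 0, 0, 0)), (0x400, (0, 0, 0, 0)),
                     (0x000D0403, (0x00401000, 0, 0, 0))]:
        print(hex(dr7), loader_hint(dr7), decode_dr7(dr7, drs)["breakpoints"])
```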
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SICE driver by name; the open only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
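As an added example (not code from the original post), here is a small Python signature scanner that flags the tricks of Methods 01 to 07, 11, 12 and 13 in a binary under analysis: the byte patterns are the x86 encodings of the instruction sequences and strings shown above, and the sample blob it scans is constructed.

```python
# Added example, not from the original post: a signature scanner that flags the
# anti-SoftICE tricks described above in a binary under analysis. The patterns
# are the x86 encodings of the immediates the post lists (the register used for
# each mov can vary between samples, so only the constants are pinned down).
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3        (32-bit code: BD imm32)
    ("Method 01: INT 3 BoundsChecker 'BCHK' check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3   (16-bit code)
    ("Method 02: INT 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,16}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh         (16-bit code)
    ("Method 03/04: INT 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh / int 41h                                (16-bit code)
    ("Method 05/06: INT 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h / int 68h
    ("Method 07: INT 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: MeltICE device names passed to CreateFileA / _lopen
    ("Method 11: MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry lookup of the SoftICE install key
    ("Method 13: SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(blob):
    """Return [(offset, description)] for every signature hit, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: four of the sequences above embedded in NOP filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp,4243484Bh   ; 'BCHK'
    + b"\x66\xB8\x04\x00\xCC"                 # mov ax,04h / int 3
    + b"\x3C\x04\x75\x10"                     # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                      # "\\.\SICE" handed to CreateFileA
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"         # push 4Fh / push 002A002Ah
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```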