About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 4, an INT 3 is answered by SoftICE, which changes AL;
without SoftICE, AL is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK' (42h 43h 48h 4Bh)
    mov     ax, 04h                ; BoundsChecker sub-function
    int     3
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD via INT 2Fh/AX=1684h
(Windows "Get VxD API entry point"): if the VxD with the given device ID is
loaded, ES:DI receives its API entry point, otherwise ES:DI is left at 0:0.

    xor     di,di
    mov     es,di           ; ES:DI = 0 so a missing VxD leaves 0:0
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES + DI == 0 only if nothing was returned
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (the debugger installation check of
the Windows debugging interface).
There are several variants.

The following one is the simplest:

    mov     ax,4fh          ; INT 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; magic answer of a system debugger
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Both temporarily put a do-nothing INT 41h
handler into the real-mode interrupt vector table (at 0:41h*4, so ES must be
0 here, as it is set in Method 06), so that a plain INT 41h returns with AX
unchanged unless a debugger intercepts the interrupt before it reaches the
vector table:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; swap in our handler (offset)
    xchg    bx, es:[41h*4+2]      ; and its segment; old vector kept in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: instead
of looking for the magic number, the temporary handler copies AL into CL, so
if our handler was really the one that ran, CL equals AL afterwards.  If a
debugger intercepted the INT 41h instead, CX is still 0.

int41handler PROC
    mov     cl,al           ; prove that this handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]        ; swap in our handler, keep old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the PIT counter: an unpredictable value in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]        ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Note that if the byte read from port 40h happens to be 0, CL and AL are equal
even when the handler did not run, so this check can miss the debugger about
one time in 256.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86 mode): function
AH=43h is the installation check of the INT 68h debugger interface, and a
system debugger answers with AX=0F386h, like INT 41h/4Fh above.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h (the single-step and breakpoint traps a
debugger depends on) and redirecting them to another routine.
It calls INT 21h functions 25h (set interrupt vector) and 35h (get interrupt
vector); DS:DX points to the new routine to execute (which hangs the
computer...).

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their value (in ring 0 only).  Bit 10 of DR7 is reserved and always
reads 1, hence the 0x400 baseline; 0x700 additionally has the LE and GE bits
(bits 8 and 9, "exact" breakpoint reporting) set.  Values can be manipulated
or changed as well (clearing BPMs for instance).
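As an added example (not from the original text), here is a C decoder for the
DR7 layout that such a ring-0 check reads.  The bit positions are those of the
Intel SDM; the 0x700/0x400 heuristic is the one stated above.  Reading DR7
itself needs ring 0 (MOV reg,DR7 faults in ring 3), so the value is taken as a
parameter here, and the sample values in main() are constructed.

```c
/* dr7_decode.c: decode an x86 DR7 value as a ring-0 anti-debug check
 * (Method 10) would interpret it.  Added example, not part of the text above.
 * Bit layout per the Intel SDM:
 *   bits 0-7   L0,G0 .. L3,G3   local/global enable per slot
 *   bits 8, 9  LE, GE           "exact" breakpoint reporting
 *   bit 10     reserved, reads as 1 (hence the 0x400 baseline)
 *   bit 13     GD               general detect: traps MOV to/from DRn
 *   bits 16+4i R/Wi (2 bits), bits 18+4i LENi (2 bits), i = 0..3
 */
#include <stdint.h>
#include <stdio.h>

struct hwbp {
    int local, global;  /* enable bits */
    int rw;             /* 0 exec, 1 write, 2 I/O (if CR4.DE), 3 read/write */
    int len;            /* raw LEN field */
};

struct dr7_state {
    int le, ge, gd;
    int armed;          /* slots with L or G set */
    struct hwbp bp[4];
};

/* Decode one breakpoint slot (0..3) out of DR7. */
struct hwbp decode_slot(uint32_t dr7, int i)
{
    struct hwbp b;
    b.local  = (dr7 >> (2 * i)) & 1;
    b.global = (dr7 >> (2 * i + 1)) & 1;
    b.rw     = (dr7 >> (16 + 4 * i)) & 3;
    b.len    = (dr7 >> (18 + 4 * i)) & 3;
    return b;
}

struct dr7_state decode_dr7(uint32_t dr7)
{
    struct dr7_state s = {0};
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        s.bp[i] = decode_slot(dr7, i);
        if (s.bp[i].local || s.bp[i].global)
            s.armed++;
    }
    return s;
}

/* LEN encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit mode only). */
int bp_len_bytes(int len)
{
    static const int tab[4] = { 1, 2, 8, 4 };
    return tab[len & 3];
}

/* The heuristic stated in Method 10: a DR7 with LE and GE set (0x700) is the
 * signature of a program started under the SoftICE loader; 0x400 is the
 * reset value. */
int dr7_looks_like_softice(uint32_t dr7)
{
    struct dr7_state s = decode_dr7(dr7);
    return s.le && s.ge;
}

/* "Clearing BPMs": drop every L/G enable bit and every R/W + LEN field,
 * keeping LE/GE/GD and the reserved bit.  A ring-0 protector would write
 * the result back with MOV DR7,reg. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return dr7 & ~0xFFu & ~0xFFFF0000u;
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    struct dr7_state s = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d%s\n", dr7, s.le, s.ge, s.gd,
           s.armed, dr7_looks_like_softice(dr7) ? "  (SoftICE loader pattern)" : "");
    for (int i = 0; i < 4; i++)
        if (s.bp[i].local || s.bp[i].global)
            printf("  DR%d: %s%s %s len=%d\n", i, s.bp[i].local ? "L" : "",
                   s.bp[i].global ? "G" : "", rw_name[s.bp[i].rw],
                   bp_len_bytes(s.bp[i].len));
}

int main(void)
{
    /* constructed sample values: the two from the text, plus a DR7 with a
     * local 4-byte write breakpoint in slot 1 (L1, R/W1=01, LEN1=11) */
    uint32_t samples[] = { 0x400u, 0x700u, 0x00D00404u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        print_dr7(samples[i]);
        printf("  after disarm: %08x\n", dr7_disarm_all(samples[i]));
    }
    return 0;
}
```

The third sample shows why a protector reads DR0..DR3 as well: DR7 only says
that slot 1 is armed for a 4-byte write; the address it watches is in DR1.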
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name; the open only succeeds if the SICE VxD
      is loaded and accepts the DIOC_OPEN control message (see below) */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and the
  4-byte compare only sees the first four letters of the device name, hence
  'SIWV' and 'NTIC')

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (002Ah = VWIN32)
                           ; low word specifies which service
                           ; (002Ah = VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

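Added example, not part of the original text nor of any program named above:
a small C signature scanner that looks, in a raw code buffer, for the literal
instruction sequences the listings of methods 01, 02, 03, 04, 05, 07 and 12
use, plus the MeltICE device names of method 11.  The opcode encodings are
standard x86 (16-bit code unless noted); the sample buffer is constructed to
mimic the Haspinst.exe loop and the INT 2Fh probe.  Real protectors reorder
the instructions or use other registers, so these patterns only cover the
exact forms shown on this page and are a starting point, not a detector.

```c
/* sice_sigscan.c: static scanner for the anti-SoftICE sequences discussed in
 * methods 01-05, 07, 11 and 12.  Added example, not from the original text. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *name; const uint8_t *pat; size_t len; };

/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t s_backdoor[]   = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh */
static const uint8_t s_vxd_sice[]   = { 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F };
static const uint8_t s_vxd_siwvid[] = { 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F };
/* Method 05: mov ax,4Fh / int 41h */
static const uint8_t s_int41[]      = { 0xB8,0x4F,0x00, 0xCD,0x41 };
/* Method 07: mov ah,43h / int 68h */
static const uint8_t s_int68[]      = { 0xB4,0x43, 0xCD,0x68 };
/* Method 01 as 32-bit code: mov ebp,4243484Bh / mov ax,4 / int 3
 * (in 16-bit code the 66h prefix sits on the mov ebp instead of the mov ax) */
static const uint8_t s_bchk[]       = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
/* Method 12: push 4Fh / push 2A002Ah (the following call is not matched) */
static const uint8_t s_vxdcall41[]  = { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };
/* Method 11: MeltICE device names */
static const uint8_t s_dev_sice[]   = { '\\','\\','.','\\','S','I','C','E' };
static const uint8_t s_dev_siwvid[] = { '\\','\\','.','\\','S','I','W','V','I','D' };
static const uint8_t s_dev_ntice[]  = { '\\','\\','.','\\','N','T','I','C','E' };

#define SIG(n, a) { n, a, sizeof(a) / sizeof((a)[0]) }
static const struct sig sigs[] = {
    SIG("int3 backdoor FG/JM (m02)",   s_backdoor),
    SIG("int2F/1684 SICE (m03)",       s_vxd_sice),
    SIG("int2F/1684 SIWVID (m04)",     s_vxd_siwvid),
    SIG("int41/4F (m05)",              s_int41),
    SIG("int68/43 (m07)",              s_int68),
    SIG("BCHK int3 (m01)",             s_bchk),
    SIG("VxDCall Int41Dispatch (m12)", s_vxdcall41),
    SIG("device \\\\.\\SICE (m11)",    s_dev_sice),
    SIG("device \\\\.\\SIWVID (m11)",  s_dev_siwvid),
    SIG("device \\\\.\\NTICE (m11)",   s_dev_ntice),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

static size_t count_matches(const uint8_t *buf, size_t n, const struct sig *s)
{
    size_t c = 0;
    for (size_t off = 0; off + s->len <= n; off++)
        if (memcmp(buf + off, s->pat, s->len) == 0)
            c++;
    return c;
}

/* Hits of one named signature in buf (0 if the name is unknown). */
size_t count_sig(const uint8_t *buf, size_t n, const char *name)
{
    for (size_t k = 0; k < NSIGS; k++)
        if (strcmp(sigs[k].name, name) == 0)
            return count_matches(buf, n, &sigs[k]);
    return 0;
}

/* Scan the whole buffer; report every hit through cb (may be NULL). */
size_t scan_sice_sigs(const uint8_t *buf, size_t n,
                      void (*cb)(const char *name, size_t off))
{
    size_t hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        for (size_t off = 0; off + sigs[k].len <= n; off++)
            if (memcmp(buf + off, sigs[k].pat, sigs[k].len) == 0) {
                hits++;
                if (cb) cb(sigs[k].name, off);
            }
    return hits;
}

/* Constructed sample, not a real file: filler, the Haspinst.exe back-door
 * loop body from Method 02, the Method 03 VxD probe, and a MeltICE name. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x31, 0xC0,                            /* nop / nop / xor ax,ax */
    0xB8, 0x11, 0x09,                                  /* mov ax,0911h */
    0x8B, 0x17,                                        /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                                  /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                                  /* mov di,4A4Dh */
    0xCC,                                              /* int 3 */
    0x83, 0xC3, 0x02,                                  /* add bx,2 */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,    /* int 2Fh/1684h, BX=0202h */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,      /* "\\.\SICE" */
};

static void report(const char *name, size_t off)
{
    printf("%-32s at offset 0x%04zx\n", name, off);
}

int main(void)
{
    size_t hits = scan_sice_sigs(sample, sizeof sample, report);
    printf("%zu hit(s)\n", hits);
    return hits ? 1 : 0;
}
```

Run over a real DOS or Win9x executable the scanner must be pointed at the
code bytes (unpacked, where a packer is involved, since the very tricks above
usually sit in the packer stub); it reports offsets only, and the BPX
expressions listed under each method remain the way to confirm a hit live.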
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the
    "tICE" of "SoftICE" inside key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Forum: 汶上信息港 (鲁ICP备19052200号-1)

Powered by Discuz! X3.5