<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands - the command is at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of winice
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; es = 0 (IVT segment); setup not shown in the original snippet
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
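
Added triage example, not part of the original text: a small scanner that encodes
several of the sequences quoted above (methods 01, 03/04, 05, 07, 11, 12 and 13)
as byte patterns and reports where they occur in a binary, the way an analyst
would flag a packer for these checks before loading it. The byte encodings are
my assumptions (16-bit code, or 32-bit code with a 66h prefix on the 16-bit
mov/cmp) and the sample image is constructed.

```python
import re

# Signatures for the SoftICE checks quoted in the text, as byte regexes.
# Encodings are assumptions: 16-bit code, or 32-bit code where a 66h
# operand-size prefix precedes the 16-bit mov/cmp. A hit is a hint to
# look closer, not proof that the trick is present.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' magic: mov ebp,4243484Bh",
     rb"\xbd\x4b\x48\x43\x42"),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\x66?\xb8\x84\x16\x66?\xbb\x02\x02\xcd\x2f"),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\x66?\xb8\x84\x16\x66?\xbb\x5f\x7a\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h",
     rb"\x66?\xb8\x4f\x00\xcd\x41"),
    ("05/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x66?\x3d\x86\xf3"),
    ("07", "mov ah,43h / int 68h",
     rb"\xb4\x43\xcd\x68"),
    ("11", "MeltICE device name (ASCII)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key (ASCII)",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(image):
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(image):
    """Method numbers (as used in the text) whose signature appears in image."""
    return {method for _, method, _ in scan(image)}


# Constructed sample image: the quoted sequences stitched together with filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcd\x03"   # method 01
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"       # method 05, 16-bit
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                   # method 12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                # method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                 # method 13 key
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:5}  {desc}")
```

Registry and device names stored as UTF-16 are not matched by the ASCII patterns above; a real scanner would add wide-string variants.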
</PRE></TD></TR></TBODY></TABLE>