<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with 'BCHK' in EBP and
AX=4, SoftICE services the int 3 itself and changes AL; without SoftICE,
AL still holds 4 afterwards.

        mov   ebp, 04243484Bh       ; 'BCHK'
        mov   ax, 04h
        int   3
        cmp   al, 4                 ; AL untouched: nobody answered the int 3
        jnz   SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h  ('FG')
-DI = 4A4Dh  ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is taken through an exception handler installed by the
  program when no debugger is loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point): ES:DI comes back as 0:0 when no VxD with that
ID is loaded, so the sum of ES and DI is non-zero only if SoftICE is there.

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 0202h             ; VxD ID of WinIce
        int   2Fh
        mov   ax, es                ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax                ; ES and DI both still 0: not loaded
        jnz   SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 7A5Fh             ; VxD ID of SIWVID
        int   2Fh
        mov   ax, es                ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several alternatives.

The following one is the simplest:

        mov   ax, 4Fh
        int   41h
        cmp   ax, 0F386h
        jz    SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
dummy handler before the call and restored afterwards (ES must point to
segment 0, the interrupt vector table, as in Method 06), so that without a
system debugger the call just returns and AX is not 0F386h:

        mov   bx, cs
        lea   dx, int41handler2
        xchg  dx, es:[41h*4]        ; install the dummy handler (ES = 0)
        xchg  bx, es:[41h*4+2]
        mov   ax, 4Fh
        int   41h
        xchg  dx, es:[41h*4]        ; restore the original vector
        xchg  bx, es:[41h*4+2]
        cmp   ax, 0F386h
        jz    SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function number and no magic value are involved. A pseudo-random byte read
from port 40h (the PIT channel 0 counter) is passed in AL; the program's
own int 41h handler copies AL into CL. If a system debugger services
int 41h itself, that handler never runs, CL stays 0 and differs from AL
(if the byte read happens to be 0, the check misses).


int41handler PROC
        mov   cl, al
        iret
int41handler ENDP


        xor   ax, ax
        mov   es, ax                ; ES = 0: interrupt vector table
        mov   bx, cs
        lea   dx, int41handler
        xchg  dx, es:[41h*4]        ; install our handler
        xchg  bx, es:[41h*4+2]
        in    al, 40h               ; pseudo-random value from the timer
        xor   cx, cx
        int   41h
        xchg  dx, es:[41h*4]        ; restore the original vector
        xchg  bx, es:[41h*4+2]
        cmp   cl, al
        jnz   SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov   ah, 43h
        int   68h
        cmp   ax, 0F386h
        jz    SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov   ah, 25h                       ; DOS: set interrupt vector
        mov   al, Int_Number                ; 01h or 03h
        mov   dx, offset New_Int_Routine    ; DS:DX -> new handler
        int   21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov   eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov   edi, Device_Name      ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov   [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7 = 0x700 if the program was started with the SoftICE Symbol Loader,
0x400 otherwise: bit 10 of DR7 always reads as 1, and 0x700 means the
LE/GE bits 8 and 9 are set on top of it) or if some memory breakpoints are
set (DR0 to DR3 hold addresses, with the matching enable bits in DR7),
simply by reading their values (ring 0 only). Values can be manipulated or
changed as well (clearing BPMs, for instance).
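Added example, not code from the page: a Python decoder for the DR7 value
Method 10 reads, so the 0x700/0x400 distinction and the per-breakpoint
enable, access-type and length fields can be read off a value captured from
ring 0. The field layout is the documented x86 one (Intel SDM, "Debug
Registers"); the sample DR7 value and the DR0 address are constructed here.

```python
"""Decode an x86 DR7 value as Method 10 inspects it (added example)."""
from dataclasses import dataclass

# DR7 control bits (Intel SDM, "Debug Registers")
DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_BIT10 = 1 << 10        # reserved, always reads as 1: the 0x400 the page mentions
DR7_GD = 1 << 13           # general detect: traps any MOV to/from DRn

_RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
_LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of DR0..DR3
    local: bool       # Ln bit
    global_: bool     # Gn bit
    kind: str         # R/Wn field: which access triggers it
    length: int       # LENn field, in bytes
    address: int      # linear address held in DRn (passed in: reading it needs ring 0)


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Return the armed hardware breakpoints plus the global control bits."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                       # DRi may hold a value but is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, _RW_NAMES[rw], _LEN_BYTES[ln], dr0_3[i]))
    return {
        "breakpoints": bps,
        "exact_local": bool(dr7 & DR7_LE),
        "exact_global": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
    }


def bpm_armed(dr7: int) -> bool:
    """True when any L0-3/G0-3 enable bit is set, i.e. a BPM-style breakpoint is live."""
    return (dr7 & 0xFF) != 0


def looks_like_softice_loader(dr7: int) -> bool:
    """The page's rule of thumb: 0x700 (LE+GE on top of the fixed bit 10) when the
    program was started from the Symbol Loader, 0x400 otherwise."""
    mask = DR7_LE | DR7_GE | DR7_BIT10
    return (dr7 & mask) == mask


if __name__ == "__main__":
    # Constructed value: one global 4-byte read/write BPM on DR0 = 0x401000
    # (G0 = bit 1, R/W0 = 11b at bits 16-17, LEN0 = 11b at bits 18-19, plus bit 10).
    sample_dr7 = DR7_BIT10 | (1 << 1) | (3 << 16) | (3 << 18)
    for name, value in (("clean", 0x400), ("loader", 0x700), ("bpm", sample_dr7)):
        info = decode_dr7(value, (0x401000, 0, 0, 0))
        print(f"DR7={value:#07x} {name:6s} loader={looks_like_softice_loader(value)} "
              f"bpm={bpm_armed(value)} {info['breakpoints']}")
```

Reading DR0-DR7 still requires ring 0 (a VxD, or a MOV from DRn in kernel
code); the decoder only interprets values already obtained that way, which
is also what you need when deciding whether a protection that clears DR0-DR3
has just wiped your BPMs.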

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the \\.\SICE device (the SoftICE VxD) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and so gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push  00402025          ; \\.\SICE
0040106C:  call  CreateFileA
00401071:  cmp   eax,-001
00401074:  je    00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push  00                    ; OF_READ
        mov   eax,[00656634]        ; '\\.\SICE',0
        push  eax
        call  KERNEL32!_lopen
        inc   eax                   ; HFILE_ERROR (-1) becomes 0
        jnz   00650589              ; detected!
        push  00                    ; OF_READ
        mov   eax,[00656638]        ; '\\.\SICE'
        push  eax
        call  KERNEL32!_lopen
        inc   eax
        jz    006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push  0000004Fh             ; function 4Fh
        push  002A002Ah             ; high word specifies which VxD (VWIN32),
                                    ; low word which service (VWIN32_Int41Dispatch)
        call  Kernel32!ORD_0001     ; VxDCall
        cmp   ax, 0F386h            ; magic number returned by system debuggers
        jz    SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
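Added example, not code from the page: a signature scanner that finds the
instruction sequences and strings of Methods 01-07, 11, 12 and 13 in a raw
binary, the static counterpart of the BPX/BPINT recipes above. The byte
patterns assume the encodings a 16-bit assembler emits for the DOS snippets
(Methods 01-07) and a 32-bit one for Method 12; the sample buffer is
constructed by hand, not taken from any real file. Packers usually encrypt
or obfuscate these sequences, so a hit is a triage aid, and a miss proves
nothing.

```python
"""Scan a binary for the anti-SoftICE sequences described on this page."""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    method: str
    offset: int
    length: int


# (label, regex over raw bytes).  Encodings with little-endian immediates:
#   mov ebp,4243484Bh            -> BD 4B 48 43 42  (66 prefix in 16-bit code)
#   mov si,4647h / mov di,4A4Dh  -> BE 47 46 / BF 4D 4A  ('FG' / 'JM')
#   mov ax,1684h ; mov bx,ID ; int 2Fh -> B8 84 16 BB id CD 2F
#   mov ax,4Fh ; int 41h ... cmp ax,0F386h -> B8 4F 00 CD 41 ... 3D 86 F3
#   mov ah,43h ; int 68h ... cmp ax,0F386h -> B4 43 CD 68 ... 3D 86 F3
#   push 4Fh ; push 002A002Ah    -> 6A 4F 68 2A 00 2A 00
SIGNATURES = [
    ("01 BCHK int 3", rb"\xBD\x4B\x48\x43\x42"),
    ("02 back door FG/JM", rb"\xBE\x47\x46\x66?\xBF\x4D\x4A|\xBF\x4D\x4A\x66?\xBE\x47\x46"),
    ("03/04 int 2Fh/1684h VxD ID", rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05 int 41h/4Fh", rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("07 int 68h/43h", rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13 registry key", rb"NuMega\\SoftICE"),
]
_COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return every signature hit in blob, ordered by file offset."""
    hits = [Hit(label, m.start(), m.end() - m.start())
            for label, pat in _COMPILED
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def methods_found(blob: bytes) -> set:
    """Just the method numbers, for a quick triage verdict."""
    return {h.method.split()[0] for h in scan(blob)}


# Constructed sample (not a real file): the page's instruction sequences with
# a little filler around them.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"                   # mov ebp,4243484Bh (method 01)
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"           # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\xB8\x11\x09\x8B\x17"                       # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"               # mov si,4647h ; mov di,4A4Dh ; int 3 (method 02)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz (method 05)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # push 4Fh ; push 002A002Ah (method 12)
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # device names (method 11)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"+{h.offset:04x}  {h.length:2d} bytes  method {h.method}")
```

Run stand-alone it lists six hits in the constructed sample (Methods 01, 02,
05, 12 and two device-name strings for Method 11). The two int 41h/int 68h
patterns allow up to 8 bytes between the interrupt and the 0F386h compare,
which is enough for the listings above but not for a protection that moves
the compare elsewhere; widen the gap or drop the compare part when hunting
in unknown code.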
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je    not_installed         ; ZF set: no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>