About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
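The register convention above can be turned into a small recogniser. The following C program is an added example, not code from the original article or from the HASP Envelope: it decides whether an INT 3 with a given register state is a SoftICE back-door call (both magic values plus a known AX function, so the plain INT 3 of Method 01 is not reported), and replays the Haspinst loop (MOV DX,[BX] / INT 3 / ADD BX,02) over a constructed DS image holding the six command strings and a table of their offsets. The NUL terminator on the command strings is an assumption; the article does not say how the commands are terminated.

```c
/* Added example (not from the original article or the HASP Envelope):
 * recognise a SoftICE back-door INT 3 from the register state described
 * above and replay the Haspinst command loop over a constructed DS image.
 * The NUL terminator on the command strings is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SICE_MAGIC_SI 0x4647u   /* 'FG' */
#define SICE_MAGIC_DI 0x4A4Du   /* 'JM' */

typedef struct { uint16_t ax, si, di, dx; } regs16;   /* state at INT 3; DS = image base */

/* Name of the back-door function selected by AX, or NULL if AX is not one. */
const char *sice_backdoor_name(uint16_t ax)
{
    switch (ax) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return NULL;
    }
}

/* Only an INT 3 carrying both magic values and a known AX function is a
 * back-door call; a plain INT 3 (or the 'BCHK' probe of Method 01) is not. */
int sice_is_backdoor_call(const regs16 *r)
{
    return r->si == SICE_MAGIC_SI && r->di == SICE_MAGIC_DI &&
           sice_backdoor_name(r->ax) != NULL;
}

/* Command string at DS:DX, or NULL if DX or the string runs off the image. */
static const char *cmd_at(const uint8_t *ds, size_t ds_len, uint16_t dx)
{
    if (dx >= ds_len || memchr(ds + dx, 0, ds_len - dx) == NULL)
        return NULL;
    return (const char *)ds + dx;
}

/* Replay "MOV DX,[BX] / INT 3 / ADD BX,02" for `count` iterations: BX walks a
 * table of word offsets, each handed to AX=0911h.  Collects the commands that
 * would reach SoftICE and flags HBOOT, which reboots the machine. */
size_t sice_walk_exec_table(const uint8_t *ds, size_t ds_len, uint16_t bx, size_t count,
                            const char *out[], size_t max_out, int *dangerous)
{
    size_t n = 0;
    *dangerous = 0;
    for (size_t i = 0; i < count && n < max_out; i++, bx += 2) {
        if ((size_t)bx + 1 >= ds_len)
            break;
        uint16_t dx = (uint16_t)(ds[bx] | (ds[bx + 1] << 8));          /* MOV DX,[BX] */
        regs16 r = { 0x0911, SICE_MAGIC_SI, SICE_MAGIC_DI, dx };        /* INT 3 state */
        const char *cmd = sice_is_backdoor_call(&r) ? cmd_at(ds, ds_len, dx) : NULL;
        if (cmd == NULL)
            break;
        if (strcmp(cmd, "HBOOT") == 0)
            *dangerous = 1;
        out[n++] = cmd;
    }
    return n;
}

/* Constructed DS image: the six ASCIZ commands named above, and at 0x0040 the
 * table of their offsets that BX walks (CMP CX,06 bounds the loop). */
static const uint8_t haspinst_ds[0x60] = {
    'L','D','T',0, 'I','D','T',0, 'G','D','T',0, 'T','S','S',0,   /* 0x00..0x0F */
    'R','S',0, 'H','B','O','O','T',0,                             /* 0x10..0x18 */
    [0x40] = 0x00,0x00, 0x04,0x00, 0x08,0x00, 0x0C,0x00, 0x10,0x00, 0x13,0x00
};
#define HASPINST_TABLE 0x0040u

int main(void)
{
    const char *cmds[8];
    int dangerous;
    size_t n = sice_walk_exec_table(haspinst_ds, sizeof haspinst_ds, HASPINST_TABLE, 6,
                                    cmds, 8, &dangerous);
    for (size_t i = 0; i < n; i++)
        printf("INT 3  AX=0911h SI=4647h DI=4A4Dh  DS:DX -> \"%s\"\n", cmds[i]);
    printf("%s\n", dangerous ? "HBOOT present: SoftICE would reboot the machine"
                             : "no destructive command");
    return 0;
}
```

The same check is what a debugger that wants to survive this trick needs at its INT 3 entry: answer (or ignore) only calls that carry both magic values, and refuse the 0911h function when the command is HBOOT.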
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (the IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]    ; install a do-nothing handler, keep the old vector in DX:BX
    mov     ax,4fh
    int     41h                 ; without SoftICE the iret leaves AX = 4Fh
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; SoftICE answers anyway, vector swap or not
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (no 4Fh
and no 0F386h constant to search for):

int41handler PROC
    mov     cl,al           ; only reached if SoftICE did not take the call
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; AL = timer value, different at each run
    xor     cx,cx
    int     41h             ; our handler would copy AL into CL...
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; ...so CL != AL means someone else answered the call
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number (01h or 03h)  ; 01h = single-step, 03h = breakpoint
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device could be opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument, +4 skips the "\\.\" prefix, and the
  4-byte compare is why 'SIWV' and 'NTIC' are enough)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SIWVID',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE"
     inside key #2 and key #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
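Almost every trick in this list leaves a fixed byte pattern in the protected file: the 'BCHK' immediate (Method 01), the SI/DI magic immediates (Method 02), the int 2Fh/1684h pair with VxD IDs 0202h and 7A5Fh (Methods 03 and 04), the 0F386h compare after int 41h, int 68h or the VWIN32_Int41Dispatch VxDCall (Methods 05, 07 and 12), the \\.\SICE family of device names (Method 11) and the NuMega registry key (Method 13). The C scanner below is an added example, not from the original article: it hand-assembles those encodings as signatures and scans a buffer, requiring paired instructions to fall within a short window to keep stray bytes from matching. The sample buffers are constructed for the demonstration from the snippets quoted above (the call target in the Method 12 fragment is a placeholder). Methods 06, 08, 09, 10 and 14 use no distinctive constant or are ring0 service calls and are not covered.

```c
/* Added example: byte-signature scan for the anti-SoftICE tricks above.
 * The encodings are hand-assembled from the quoted instructions; the sample
 * buffers at the bottom are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    HIT_BCHK_SIGNATURE = 1u << 0, /* Method 01: mov ebp,4243484Bh ('BCHK')             */
    HIT_BACKDOOR_MAGIC = 1u << 1, /* Method 02: mov si,4647h then mov di,4A4Dh          */
    HIT_VXD_ENTRYPOINT = 1u << 2, /* Methods 03/04: mov ax,1684h then mov bx,0202h/7A5Fh */
    HIT_INT41_F386     = 1u << 3, /* Method 05 (and Stone's 1st variant): int 41h, cmp ax,0F386h */
    HIT_INT68_F386     = 1u << 4, /* Method 07: mov ah,43h / int 68h / cmp ax,0F386h    */
    HIT_DEVICE_NAME    = 1u << 5, /* Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE       */
    HIT_VXDCALL_INT41  = 1u << 6, /* Method 12: push 002A002Ah then cmp ax,0F386h       */
    HIT_REGISTRY_KEY   = 1u << 7  /* Method 13: Software\NuMega\SoftICE                 */
};

/* First occurrence of needle in hay (a portable memmem), or NULL. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hlen,
                                       const unsigned char *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* True if some occurrence of b begins within `window` bytes of the start of
 * some occurrence of a.  The quoted snippets fix the instruction order, so a
 * one-directional window is enough. */
static int follows(const unsigned char *buf, size_t len,
                   const unsigned char *a, size_t alen,
                   const unsigned char *b, size_t blen, size_t window)
{
    const unsigned char *end = buf + len, *p = buf;
    while ((p = find_bytes(p, (size_t)(end - p), a, alen)) != NULL) {
        size_t rest = (size_t)(end - p);
        if (find_bytes(p, rest < window ? rest : window, b, blen))
            return 1;
        p++;
    }
    return 0;
}

#define SIG(name, ...) static const unsigned char name[] = { __VA_ARGS__ }
SIG(mov_ebp_bchk, 0xBD, 0x4B, 0x48, 0x43, 0x42);  /* mov ebp,4243484Bh                   */
SIG(mov_si_4647,  0xBE, 0x47, 0x46);              /* mov si,4647h ('FG')                 */
SIG(mov_di_4a4d,  0xBF, 0x4D, 0x4A);              /* mov di,4A4Dh ('JM')                 */
SIG(mov_ax_1684,  0xB8, 0x84, 0x16);              /* mov ax,1684h                        */
SIG(mov_bx_0202,  0xBB, 0x02, 0x02);              /* mov bx,0202h (SICE)                 */
SIG(mov_bx_7a5f,  0xBB, 0x5F, 0x7A);              /* mov bx,7A5Fh (SIWVID)               */
SIG(mov_ah_43,    0xB4, 0x43);                    /* mov ah,43h                          */
SIG(int_41h,      0xCD, 0x41);                    /* int 41h                             */
SIG(int_68h,      0xCD, 0x68);                    /* int 68h                             */
SIG(cmp_ax_f386,  0x3D, 0x86, 0xF3);              /* cmp ax,0F386h (66h prefix in 32-bit code comes before these bytes) */
SIG(push_2a002a,  0x68, 0x2A, 0x00, 0x2A, 0x00);  /* push 002A002Ah (VWIN32_Int41Dispatch) */
#define S(sig) sig, sizeof sig

/* Returns a bitmask of HIT_* values for the patterns present in buf. */
unsigned scan_anti_softice(const unsigned char *buf, size_t len)
{
    static const char *const devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
    static const char regkey[] = "Software\\NuMega\\SoftICE";
    unsigned hits = 0;

    if (find_bytes(buf, len, S(mov_ebp_bchk)))                     hits |= HIT_BCHK_SIGNATURE;
    if (follows(buf, len, S(mov_si_4647), S(mov_di_4a4d), 16))     hits |= HIT_BACKDOOR_MAGIC;
    if (follows(buf, len, S(mov_ax_1684), S(mov_bx_0202), 8) ||
        follows(buf, len, S(mov_ax_1684), S(mov_bx_7a5f), 8))       hits |= HIT_VXD_ENTRYPOINT;
    if (follows(buf, len, S(int_41h), S(cmp_ax_f386), 32))          hits |= HIT_INT41_F386;
    if (follows(buf, len, S(mov_ah_43), S(int_68h), 8) &&
        follows(buf, len, S(int_68h), S(cmp_ax_f386), 16))          hits |= HIT_INT68_F386;
    if (follows(buf, len, S(push_2a002a), S(cmp_ax_f386), 32))      hits |= HIT_VXDCALL_INT41;
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (find_bytes(buf, len, (const unsigned char *)devices[i], strlen(devices[i])))
            hits |= HIT_DEVICE_NAME;
    if (find_bytes(buf, len, (const unsigned char *)regkey, sizeof regkey - 1))
        hits |= HIT_REGISTRY_KEY;
    return hits;
}

/* Constructed sample: the quoted snippets hand-assembled (16-bit unless noted). */
static const unsigned char sample_protected[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,     /* Method 02 (Haspinst) */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,     /* Method 03 */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                            /* Method 05 */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3,                                 /* Method 07 */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04,       /* Method 01 (32-bit) */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                                  /* Method 12 (32-bit): push 4Fh / push 002A002Ah */
    0xFF,0x15,0x00,0x00,0x00,0x00, 0x66,0x3D,0x86,0xF3,                   /*   call [placeholder] / cmp ax,0F386h */
    '\\','\\','.','\\','S','I','C','E',0,                                 /* Method 11 */
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\','S','o','f','t','I','C','E',0 /* Method 13 */
};
static const unsigned char sample_clean[] = "Hello, world: nothing to see here.";

int main(void)
{
    printf("protected sample: hit mask 0x%02x (all eight rules = 0xff)\n",
           scan_anti_softice(sample_protected, sizeof sample_protected));
    printf("clean sample:     hit mask 0x%02x\n",
           scan_anti_softice(sample_clean, sizeof sample_clean));
    return 0;
}
```

Run it over an unpacked image: the packers and encryptors that use these tricks keep the constants hidden until runtime, so a memory dump taken after the unpacking stub has finished is the right input, not the file on disk.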
</PRE></TD></TR></TBODY></TABLE>