About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface SoftICE answers to: SoftICE recognises the
'BCHK' signature in EBP when INT 3 is raised and does not return AL
unchanged.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; AL is modified when SoftICE handles it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description (all of them go through INT 3):
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE checks for.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back-door call (if SoftICE is not loaded,
                            ; jump to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler installed on
  INT 3, which only gets control when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less frequently used method. It asks for the API entry point of the
SoftICE VxD through INT 2Fh/1684h (Get Device API Entry Point). If the VxD
is loaded, ES:DI comes back non-zero.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it asks for the ID of the
SoftICE GFX (video) VxD.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h that every system debugger
returns in AX when INT 41h function 4Fh (debugger installation check) is
called. There are several variants.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

The next variant, as well as the one in method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). It installs a dummy INT 41h
handler (a plain IRET) before the call, so that without a debugger AX comes
back unchanged; SoftICE intercepts the interrupt before the real-mode
vector is used, so it still answers with 0F386h:

    xor     ax, ax
    mov     es, ax              ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old offset
    xchg    bx, es:[41h*4+2]    ; ... and the old segment
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot: the
dummy handler copies AL into CL. If INT 41h really reached our handler, CL
equals AL afterwards; if SoftICE swallowed the interrupt, CL is still 0.
(If port 40h happens to return 0 the check gives a false negative.)

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax              ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; an arbitrary value (PIT counter)
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can catch a
   32-bit app doing this with:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system: the program
intercepts INT 01h and INT 03h and redirects them to another routine.
It calls INT 21h functions 35h (get interrupt vector) and 25h (set
interrupt vector), with ds:dx pointing to the new routine to execute
(hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used when there is no VxD ID (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ECX = DDB, or 0 if the VxD is not installed

Note that you can easily catch this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very effective: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3), simply by reading their values. The
values can be manipulated or changed as well (clearing BPMs, for instance).
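What a DR7 value such as the ones quoted above actually encodes is worth
spelling out. The following C is an added example, not part of the original
text: the bit layout is the architectural one from the Intel manuals, the
0x700/0x400 observation is the one reported above, and the names
(dr7_armed, dr7_looks_like_softice_loader, ...) are mine. Reading DR7 itself
needs ring 0 (mov eax, dr7), so the functions work on values passed in.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3A, "Debug Control Register (DR7)"):
 *   bits 0-7   : L0 G0 L1 G1 L2 G2 L3 G3  -> enable bits for DR0..DR3
 *   bits 8-9   : LE, GE (exact data breakpoint enables)
 *   bit  10    : reserved, always reads as 1
 *   bit  13    : GD (general detect: trap on any MOV to/from DRn)
 *   bits 16+4n : R/Wn (2 bits) and LENn (2 bits) for breakpoint n
 */
#define DR7_LE          0x100u
#define DR7_GE          0x200u
#define DR7_RESERVED1   0x400u
#define DR7_GD          0x2000u

/* Is hardware breakpoint n (0..3) armed, i.e. Ln or Gn set? */
bool dr7_armed(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* Number of armed breakpoints: what an anti-debug check really wants to
 * know from DR7 (any BPM set on DR0..DR3). */
int dr7_armed_count(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_armed(dr7, n);
    return count;
}

/* R/Wn field: 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE),
 * 3 = data read or write. */
int dr7_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

const char *dr7_rw_name(int rw)
{
    static const char *const names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

/* LENn field: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes
 * (8 is only defined in 64-bit mode). */
int dr7_len_bytes(uint32_t dr7, int n)
{
    switch ((dr7 >> (18 + 4 * n)) & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* The heuristic from the text: a program started by the SoftICE loader was
 * seen with DR7 == 0x700 (LE and GE set on top of the always-one bit 10),
 * a normal start with 0x400. */
bool dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Human-readable decoding, one extra line per armed breakpoint. */
void dr7_print(uint32_t dr7)
{
    printf("DR7=%#010x: %d armed, LE=%d GE=%d GD=%d%s\n", (unsigned)dr7,
           dr7_armed_count(dr7), !!(dr7 & DR7_LE), !!(dr7 & DR7_GE),
           !!(dr7 & DR7_GD),
           dr7_looks_like_softice_loader(dr7) ? " (SoftICE loader signature)" : "");
    for (int n = 0; n < 4; n++)
        if (dr7_armed(dr7, n))
            printf("  DR%d: %s, %d byte(s)\n", n, dr7_rw_name(dr7_rw(dr7, n)),
                   dr7_len_bytes(dr7, n));
}

int main(void)
{
    dr7_print(0x400);   /* the "otherwise" value from the text: nothing armed */
    dr7_print(0x700);   /* SoftICE loader signature, still no BPM */
    /* constructed value: L0 set, R/W0 = write, LEN0 = 4 bytes, i.e. what a
     * "BPM DWORD addr W" on DR0 looks like (0xD0401) */
    dr7_print(DR7_RESERVED1 | 0x1u | (1u << 16) | (3u << 18));
    return 0;
}
```

dr7_armed_count() is the part an anti-debug routine cares about (any BPM
set); clearing DR0-DR3 and the L/G bits is what the text means by "clearing
BPMs". Note that 0x700 on its own says nothing about breakpoints, only that
the exact-breakpoint enables were set by whoever started the process.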

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves, to
let the Symbol Loader check whether SoftICE was active (the code is in
nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls CreateFileA, do not expect to intercept it by
installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001 / VxDCall) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how could a shareware load/unload a
non-dynamically-loadable driver such as SoftICE anyway ;-).
If the VxD is loaded, it always clears EAX and the carry flag, which lets
the handle be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; "\\.\SICE"
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPXs you could use to catch this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  ([esp+4] is lpFileName; +4 skips the "\\.\" prefix.)

-The most exotic ones (can be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; "\\.\SICE",0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; "\\.\SICE"
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 and 06) but is very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004Fh         ; function 4Fh
   push  002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_Detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a machine and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase every file in the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

([esp+8] is lpSubKey; 0x13 is the offset of "tICE" in the subkey string of
#2, 0x37 the offset in the subkey string of #1.)
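The CreateFileA breakpoint of method 11 and the _regopenkey breakpoint above
both read one dword at a fixed offset into a string argument and compare it
with a four-character literal. The following C is an added example, not part
of the original text, that spells out both conditions exactly as the
breakpoints evaluate them, and wraps the MeltICE open-a-device check in a
loop over all three driver names. The Win32 CreateFileA path only compiles on
Windows; elsewhere a stub probe is used, and a constructed probe stands in
for a Win9x machine where SICE and SIWVID open. Function names
(dword_at_matches, createfile_bp_fires, softice_device_found, ...) are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names a MeltICE-style check opens: SICE and SIWVID on Win9x,
 * NTICE on WinNT. In C source "\\\\.\\SICE" is the string \\.\SICE. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", NULL
};

/* Mirrors SoftICE's  *(ptr+off)=='XXXX'  condition: read the dword at
 * s+off and compare it with the four-character literal (on x86 'SICE'
 * is the little-endian dword 0x45434953). Never reads past the NUL. */
bool dword_at_matches(const char *s, size_t off, const char tag[4])
{
    if (s == NULL || strlen(s) < off + 4)
        return false;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * [esp+4] is lpFileName; +4 skips the "\\.\" prefix. */
bool createfile_bp_fires(const char *lpFileName)
{
    return dword_at_matches(lpFileName, 4, "SICE")
        || dword_at_matches(lpFileName, 4, "SIWV")
        || dword_at_matches(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * [esp+8] is lpSubKey; 0x13 hits "SoftICE" in Software\NuMega\SoftICE,
 * 0x37 hits it in Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE. */
bool regopenkey_bp_fires(const char *lpSubKey)
{
    return dword_at_matches(lpSubKey, 0x13, "tICE")
        || dword_at_matches(lpSubKey, 0x37, "tICE");
}

/* A probe returns true if the named device could be opened. */
typedef bool (*open_probe_fn)(const char *device);

#ifdef _WIN32
/* The real MeltICE probe: same CreateFileA call as the sample above. */
bool probe_createfile(const char *device)
{
    HANDLE h = CreateFileA(device, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return false;
    CloseHandle(h);
    return true;
}
#else
/* No \\.\ device namespace outside Windows: nothing ever opens. */
bool probe_createfile(const char *device) { (void)device; return false; }
#endif

/* Constructed stand-in for a Win9x box with SoftICE running: SICE and
 * SIWVID open, NTICE does not. Lets the loop be exercised anywhere. */
bool probe_simulated_win9x_softice(const char *device)
{
    return strcmp(device, "\\\\.\\SICE") == 0
        || strcmp(device, "\\\\.\\SIWVID") == 0;
}

/* MeltICE-style check: the first SoftICE device that opens, or NULL. */
const char *softice_device_found(open_probe_fn probe)
{
    for (size_t i = 0; softice_devices[i] != NULL; i++)
        if (probe(softice_devices[i]))
            return softice_devices[i];
    return NULL;
}

int main(void)
{
    const char *hit = softice_device_found(probe_createfile);
    printf("this machine: %s\n", hit ? hit : "no SoftICE device opened");
    hit = softice_device_found(probe_simulated_win9x_softice);
    printf("simulated Win9x+SoftICE: %s\n", hit ? hit : "(none)");
    /* the same strings seen from the breakpoint side */
    for (size_t i = 0; softice_devices[i] != NULL; i++)
        printf("BPX CreateFileA fires on %s: %d\n", softice_devices[i],
               createfile_bp_fires(softice_devices[i]));
    printf("BPX _regopenkey fires on key #2: %d\n",
           regopenkey_bp_fires("Software\\NuMega\\SoftICE"));
    return 0;
}
```

The length guard in dword_at_matches() is what the breakpoint expression
does not have: SoftICE happily reads four bytes past a short string, which
is why the classical BPX can occasionally fire on unrelated CreateFileA
calls whose path ends just before those offsets.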
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>