<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE answers to: an int 3 issued
with ebp = 'BCHK' and ax = 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; SoftICE changes al when it handles the call; al still 4 = no debugger
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
call the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE, by forcing it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (left at 0:0 if the VxD is absent)
 add ax, di ; note: an entry point whose halves sum to 0 mod 10000h would be
 test ax,ax ; missed; 'or ax,di' would be the safer test
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install a dummy int 41h handler in the IVT
 xchg bx, es:[41h*4+2] ; (es must point to segment 0, as set in method 06)
 mov ax,4fh
 int 41h ; only a debugger sitting below the IVT can still answer
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler simply copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; "random" byte read from the timer
 xor cx,cx
 int 41h ; if a debugger handles int 41h itself, our handler never runs and cl stays 0
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected ; (a timer byte of 0 gives a false negative)
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx = new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ecx) if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise),
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
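
What a protection actually does with those values is decode DR7: the two
low bits of each slot are the L/G enable bits, bits 8-10 are LE, GE and the
fixed reserved bit (the 0x400 of the text), and the RW/LEN fields at bits 16+
describe each BPM. The following is an added example, not code from the
original text: since reading DR0-DR7 needs ring 0 (mov eax, dr7), it decodes
a constructed snapshot instead of reading the registers, and the struct and
function names are its own.

```c
/* Decoder for the debug registers that method 10 reads.  Added example, not
 * code from the original text: reading DR0-DR7 needs ring 0, so the values
 * come from a constructed snapshot and the struct/function names are this
 * example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct dr_snapshot {
    uint32_t dr0, dr1, dr2, dr3;   /* linear addresses of the four slots */
    uint32_t dr7;                  /* control register */
};

struct hw_bp {
    bool     enabled;   /* L or G enable bit set for this slot */
    uint32_t addr;      /* DRn */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;       /* 1, 2, 4 (encoding 10b means 8 bytes on x86-64) */
};

#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED1 (1u << 10)  /* always reads as 1: the 0x400 of the text */

/* Constructed sample: program loaded through the SoftICE loader (LE|GE on top
 * of the fixed 0x400) plus one 4-byte read/write BPM on 00401000h in slot 0. */
const struct dr_snapshot sample_snapshot = {
    0x00401000, 0, 0, 0,
    0x00000701 | (3u << 16) | (3u << 18)   /* = 0x000F0701 */
};

static unsigned len_bits_to_bytes(unsigned code)
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[code & 3];
}

/* Fill bp[0..3] from the snapshot and return how many slots are armed. */
int decode_debug_regs(const struct dr_snapshot *s, struct hw_bp bp[4])
{
    const uint32_t addr[4] = { s->dr0, s->dr1, s->dr2, s->dr3 };
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (s->dr7 >> (2 * i))     & 1;
        unsigned global = (s->dr7 >> (2 * i + 1)) & 1;
        bp[i].enabled = local || global;
        bp[i].addr    = addr[i];
        bp[i].rw      = (s->dr7 >> (16 + 4 * i)) & 3;
        bp[i].len     = len_bits_to_bytes((s->dr7 >> (18 + 4 * i)) & 3);
        if (bp[i].enabled)
            armed++;
    }
    return armed;
}

/* The two DR7 values the text quotes: 0x700 (loader) and 0x400 (nothing set). */
bool dr7_has_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

bool dr7_is_clean(uint32_t dr7)
{
    return (dr7 & ~DR7_RESERVED1) == 0;
}

/* "Clearing BPMs": drop every enable bit and every RW/LEN field, keep bits
 * 8-15 (LE, GE, reserved, GD) untouched. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    static const char *rw_name[4] = { "exec", "write", "io", "rw" };
    struct hw_bp bp[4];
    int armed = decode_debug_regs(&sample_snapshot, bp);

    printf("dr7=%08X loader=%d clean=%d armed=%d\n", (unsigned)sample_snapshot.dr7,
           dr7_has_loader_signature(sample_snapshot.dr7),
           dr7_is_clean(sample_snapshot.dr7), armed);
    for (int i = 0; i < 4; i++)
        if (bp[i].enabled)
            printf("  dr%d: %08X %s len=%u\n", i, (unsigned)bp[i].addr,
                   rw_name[bp[i].rw], bp[i].len);
    printf("after clearing: dr7=%08X\n",
           (unsigned)dr7_clear_breakpoints(sample_snapshot.dr7));
    return 0;
}
```

Run against the sample it reports the loader signature and one read/write
BPM of 4 bytes at 00401000h, and the cleared DR7 is back to 0x700; this is
why the warning above matters, since a protection running this in ring 0
while you trace will silently remove your BPMs.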
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 code: needs <windows.h> */
BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the device opened: the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
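
The breakpoint conditions of methods 11 and 13 all work the same way: one
dword of the string argument is compared against a four-character tag.
*(esp->4+4) is the dword at offset 4 of CreateFileA's first parameter, which
skips the "\\.\" prefix of the device name, and *(esp->8+0x13) /
*(esp->8+0x37) are the positions where "tICE" falls in registry paths #2 and
#1. The following is an added example, not code from the original text: it
reproduces those tests in C, with constructed input strings, so the offsets
can be checked (or derived for a new path) before typing the breakpoint. The
function names are the example's own.

```c
/* C rendering of the SoftICE breakpoint conditions of methods 11 and 13.
 * Added example, not code from the original text; the function names are
 * this example's own and the input strings in main() are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dword at offset 'off', exactly as SoftICE's *(ptr+off) reads it from memory:
 * first byte in the low bits (x86 is little endian).  Returns 0 if fewer than
 * 4 bytes remain, so a tag can never match across the terminator.  The bytes
 * are packed by hand because a C multi-character constant such as 'SICE' is
 * implementation-defined and does not give the memory order. */
uint32_t dword_at(const char *s, size_t off)
{
    size_t n = strlen(s);
    if (off + 4 > n)
        return 0;
    const uint8_t *p = (const uint8_t *)s + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The four-character literal typed on the SoftICE command line. */
uint32_t tag(const char t[4]) { return dword_at(t, 0); }

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * At the entry of CreateFileA, esp->4 is the first parameter (lpFileName)
 * and +4 skips the "\\.\" prefix of the device name. */
bool createfile_condition(const char *lpFileName)
{
    uint32_t d = dword_at(lpFileName, 4);
    return d == tag("SICE") || d == tag("SIWV") || d == tag("NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second parameter (lpSubKey). */
bool regopenkey_condition(const char *lpSubKey)
{
    return dword_at(lpSubKey, 0x13) == tag("tICE") ||
           dword_at(lpSubKey, 0x37) == tag("tICE");
}

/* Offset of the first dword matching the tag, or -1: how to derive (or check)
 * the magic offsets for a path before typing the breakpoint. */
long find_tag(const char *s, const char t[4])
{
    uint32_t want = tag(t);
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (dword_at(s, i) == want)
            return (long)i;
    return -1;
}

int main(void)
{
    /* constructed inputs: the three device names, an innocent file name, a
     * tag collision, and the three registry paths of method 13 */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\SICE.TXT", "ABCDSICE" };
    const char *keys[]  = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };

    for (size_t i = 0; i < sizeof files / sizeof *files; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               createfile_condition(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("RegOpenKey(\"%s\") -> %s (tICE at %ld)\n", keys[i],
               regopenkey_condition(keys[i]) ? "break" : "pass",
               find_tag(keys[i], "tICE"));
    return 0;
}
```

Two things the run shows that the one-liners hide: the tests are pure byte
compares, so "ABCDSICE" breaks too (harmless noise), and key #3 (App
Paths\Loader32.Exe) holds no "tICE" at either offset, so the _regopenkey
breakpoint above does not fire for programs that use that key; find_tag gives
-1 for it. A program calling the wide variants (CreateFileW, RegOpenKeyExW)
passes UTF-16, which neither BPX nor these dword compares will match.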

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>