<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the IVT (segment 0), as in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a temporary int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value: not predictable by the debugger
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl is only set if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
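As an added example (not code from the original page), here is a small Python scanner that looks for the byte patterns of the checks from methods 01, 05/07/12 and 11 in a binary file; it assumes 32-bit x86 code and the sample blob it is run on is constructed:

```python
"""Static scanner for byte patterns of the SoftICE checks described above.

Added example, not from the original page. Assumes 32-bit x86 code in a
flat buffer; the signatures and the sample blob are constructed for
illustration.
"""
import re
from typing import Dict, List, Tuple

# Each signature is a regular expression over raw bytes.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "method01_bchk_int3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "method12_vxdcall_int41_4f": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Methods 05/07/12: cmp ax,0F386h, the system-debugger magic number
    "cmp_ax_0f386h": rb"\x66\x3D\x86\xF3",
    # Method 11 (MeltICE): NUL-terminated device names opened via CreateFileA/_lopen
    "method11_device_name": rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature_name) for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP padding around the page's checks plus two device names.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")   # method 01 (+ cmp al,4 / jnz)
    + b"\x90" * 4
    + bytes.fromhex("6A4F 682A002A00 FF1500104000")       # method 12 (+ call [VxDCall])
    + bytes.fromhex("663D86F3 7405")                      # cmp ax,0F386h / jz
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A different encoding, register or operand order defeats such byte patterns, so treat a hit as a pointer to code worth reading, not as a verdict.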
4 P' c1 B3 e3 z- V4 G& i! Z+ o/ _
1 X# K) h. W2 b H4 ^5 c__________________________________________________________________________1 T" `) H3 r3 }, P/ m w0 @
9 t+ y- s' C) \4 F& W. v
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>