About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: with
ebp = 'BCHK' and ax = 4, the int 3 is handled by SoftICE, which returns
with al changed, whereas without SoftICE al still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   (ASCII 'FG')
-DI = 4A4Dh   (ASCII 'JM')
which are the 'magic values' SoftICE expects in SI and DI for a back door call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed from the program's own exception handler
  (an SEH, in the original's words) when no debugger intercepts the int 3.
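The principle shared by Methods 01 and 02 is "raise a breakpoint trap and see who handles it": a debugger sitting on int 3 swallows the trap, so the program's own handler never runs, while without a debugger the trap falls through to that handler (the exception handler the note above mentions). The following is an added example, not code from the original text, that writes the same idea for a POSIX host instead of DOS/SoftICE: on Linux a breakpoint raises SIGTRAP, and a ptrace()-attached debugger receives it before the process does (gdb does not pass SIGTRAP on by default), so "our handler did not run" means "debugger". It assumes an x86 host for the inline `int3` (other architectures fall back to raise()) and does not reproduce the BCHK / FG-JM register protocol, which only exists under SoftICE.

```c
/* Added example: detect a debugger by checking whether our own handler gets
 * to see a breakpoint trap, the POSIX analogue of int 3 + handler in
 * Methods 01/02. Not part of the original text. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t g_trap_seen = 0;

static void on_sigtrap(int sig)
{
    (void)sig;
    g_trap_seen = 1;            /* our handler ran: nobody swallowed the trap */
}

/* Execute a breakpoint instruction: int 3 on x86 (a trap, so execution
 * resumes at the next instruction), raise(SIGTRAP) elsewhere. */
static void raise_breakpoint(void)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("int3");
#else
    raise(SIGTRAP);
#endif
}

/* Returns 1 if something intercepted the breakpoint before our handler,
 * 0 if the handler ran, -1 if the handler could not be installed.
 * Mirrors "int 3 / cmp al,4 / jnz SoftICE_Detected": the only way to get the
 * "wrong" outcome is for a debugger to have handled the trap itself. */
int breakpoint_was_swallowed(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    g_trap_seen = 0;
    raise_breakpoint();
    sigaction(SIGTRAP, &old, NULL); /* restore, like the xchg pairs in Methods 05/06 */
    return g_trap_seen ? 0 : 1;
}

int main(void)
{
    int r = breakpoint_was_swallowed();
    if (r < 0)
        puts("could not install a SIGTRAP handler");
    else
        puts(r ? "breakpoint intercepted: debugger present"
               : "breakpoint reached our handler: no debugger");
    return 0;
}
```

Run it plainly and then under `gdb --args ./a.out` to see both branches; as with the DOS tricks, a debugger that passes the signal through (`handle SIGTRAP nostop pass` in gdb) defeats the check, which is exactly why the later methods in this text look for side effects other than "did my handler run".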
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD via int 2Fh/AX=1684h
(Get Device API Entry Point). ES:DI is zeroed beforehand and is only
overwritten with the VxD's API entry point when a VxD with that ID is loaded,
so a non-zero ES:DI means SoftICE is present. (Adding segment and offset is a
lazy non-zero test; "or ax,di" would be the exact one.)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h (the Windows debugger interface), function 4Fh
(debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
with a dummy handler that just returns, so if ax still comes back as 0F386h
something must have trapped the interrupt before it reached the vector, which
is what SoftICE does. ES is assumed to be 0 (the interrupt vector table) here;
Method 06 sets it explicitly:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: al is
loaded with a pseudo-random byte read from the timer port (40h) instead of the
well-known 4Fh, so a "BPINT 41 if ax==4f" breakpoint never fires. The dummy
handler copies al into cl; the only way for cl to differ from al afterwards is
that the handler never ran, i.e. something else (SoftICE) serviced int 41h and
never reached the vector, in which case cl keeps the 0 it was preloaded with.
(The check gives a false negative when the timer happens to return 0.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 35h (get interrupt vector, returned in ES:BX) and
25h (set interrupt vector, new handler in DS:DX); the new routine is what
gets executed afterwards (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
possible from ring0 (a VxD, or a ring3 app using the VxdCall back door).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ecx) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value. This is ring0 only: a mov to or from a debug register is a
privileged instruction and faults in ring3. Values can be manipulated or
changed as well (clearing BPMs for instance).
About those values: bit 10 of dr7 always reads as 1 (hence 0x400 on an idle
machine); 0x700 additionally has the LE and GE bits (8 and 9) set and none of
the per-breakpoint enable bits (L0-L3/G0-G3 in bits 0-7), so it says "a
debugger has configured dr7" rather than "a breakpoint is armed".

__________________________________________________________________________

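The check above only works once you can read dr7; what it then needs is to turn the raw value into "which hardware breakpoints are armed, on what condition, how wide", so that an idle register (0x400), a debugger-touched one (0x700) and an armed BPM are told apart. The following decoder is an added example (not from the original text) that does that from the DR7 layout in the Intel manual; because reading the register is privileged it takes the value as a parameter. On Windows, ring3 code can obtain its own thread's dr7 through GetThreadContext() with CONTEXT_DEBUG_REGISTERS, which is the modern form of this trick and is included under _WIN32; the three sample values in main are constructed for the demonstration.

```c
/* Added example: decode dr7 as Method 10 needs it. Not from the original
 * text. Layout (Intel SDM):
 *   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
 *   bits 8,9   : LE, GE (exact-breakpoint bits debuggers set on older CPUs)
 *   bit  10    : reserved, always reads as 1
 *   bit  13    : GD (general detect: trap any access to DR0-DR7)
 *   bits 16-31 : R/W0,LEN0 ... R/W3,LEN3, two bits each per slot */
#include <stdint.h>
#include <stdio.h>

enum dr7_cond { DR7_EXEC = 0, DR7_WRITE = 1, DR7_IO = 2, DR7_READWRITE = 3 };

struct dr7_slot {
    int enabled;            /* 1 if the L or G bit of the slot is set */
    enum dr7_cond cond;     /* R/W field */
    int length;             /* 1, 2, 4 or 8 bytes (8 only valid in long mode) */
};

struct dr7_info {
    struct dr7_slot slot[4];
    int armed;              /* number of enabled slots */
    int le, ge, gd;         /* bits 8, 9 and 13 */
};

static int dr7_len_bytes(unsigned code)
{
    switch (code & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;      /* 10b: 8 bytes in 64-bit mode, undefined in 32-bit */
    }
}

/* Decode dr7 into *out; returns the number of armed hardware breakpoints. */
int dr7_decode(uint32_t dr7, struct dr7_info *out)
{
    out->armed = 0;
    out->le = (dr7 >> 8) & 1;
    out->ge = (dr7 >> 9) & 1;
    out->gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1;
        unsigned global = (dr7 >> (2 * i + 1)) & 1;
        unsigned rw     = (dr7 >> (16 + 4 * i)) & 3;
        unsigned len    = (dr7 >> (18 + 4 * i)) & 3;
        out->slot[i].enabled = (local | global) ? 1 : 0;
        out->slot[i].cond    = (enum dr7_cond)rw;
        out->slot[i].length  = dr7_len_bytes(len);
        out->armed += out->slot[i].enabled;
    }
    return out->armed;
}

/* The verdict Method 10 draws: anything beyond the always-set bit 10 means
 * a debugger has written the register (0x700 and any armed BPM qualify). */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & ~UINT32_C(0x400)) != 0;
}

#ifdef _WIN32
#include <windows.h>
/* Ring3 way to read the current thread's dr7 on Windows. Assumption: nothing
 * between us and the kernel is hiding the debug registers. */
uint32_t dr7_of_current_thread(void)
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx))
        return 0;
    return (uint32_t)ctx.Dr7;
}
#endif

int main(void)
{
    /* Constructed samples: idle, SoftICE loader (per the text), and one
     * 4-byte write BPM in slot 1 (L1 set, R/W1 = 01b, LEN1 = 11b). */
    uint32_t samples[] = { 0x400, 0x700, 0x00D00404 };
    for (size_t i = 0; i < 3; i++) {
        struct dr7_info info;
        int n = dr7_decode(samples[i], &info);
        printf("dr7=%08x armed=%d le=%d ge=%d debugged=%d\n",
               (unsigned)samples[i], n, info.le, info.ge,
               dr7_looks_debugged(samples[i]));
    }
    return 0;
}
```

The decoder is also what you want on the defender's side: a protector that clears dr0-dr3 and the enable bits (the "clearing BPMs" the text mentions) leaves a dr7 that decodes as armed=0, which is the signature to look for when BPMs silently stop firing.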
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device path \\.\SICE; the open only succeeds
      when the SICE VxD is loaded and answers the DIOC_OPEN message. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument and +4 skips
 the "\\.\" prefix, so the 4-byte compare lands on the driver name):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

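The probe in Method 11 and the breakpoints that catch it share one predicate: "is the path being opened \\.\<SoftICE driver>?". The following is an added example, not code from the original text or from MeltICE, that implements that predicate the way a CreateFileA hook or the BPX above would apply it, with two caveats the 4-byte compare misses: it checks the "\\.\" prefix so an ordinary file called SICE.txt is not flagged, and it compares case-insensitively, because Windows device names are not case-sensitive and "\\.\sice" opens the driver just as well while slipping past `*(esp->4+4)=='SICE'`. Under _WIN32 it also runs the probe itself over all three names, generalising the sample function above; the paths in main are constructed for the demonstration.

```c
/* Added example: the "is this a SoftICE device path?" predicate behind
 * Method 11, plus the probe itself on Windows. Not from the original text. */
#include <stdio.h>
#include <string.h>

/* Device names the text lists: SICE and SIWVID (Win9x), NTICE (WinNT). */
static const char *const k_softice_devices[] = { "SICE", "SIWVID", "NTICE" };
#define N_DEVICES (sizeof k_softice_devices / sizeof k_softice_devices[0])

static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Case-insensitive string equality (ASCII only, which device names are). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (ascii_lower((unsigned char)*a) != ascii_lower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns the canonical driver name if `path` is \\.\SICE, \\.\SIWVID or
 * \\.\NTICE (any letter case), otherwise NULL. Equivalent to the BPX
 * condition, but anchored on the prefix and exact on the full name so that
 * "C:\SICE.txt" and "\\.\SICEX" are not reported. */
const char *softice_device_from_path(const char *path)
{
    if (strncmp(path, "\\\\.\\", 4) != 0)     /* the literal \\.\ prefix */
        return NULL;
    for (size_t i = 0; i < N_DEVICES; i++)
        if (ieq(path + 4, k_softice_devices[i]))
            return k_softice_devices[i];
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* The probe from the text, run over all three driver names. */
int softice_loaded(void)
{
    char path[32];
    for (size_t i = 0; i < N_DEVICES; i++) {
        snprintf(path, sizeof path, "\\\\.\\%s", k_softice_devices[i]);
        HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            CloseHandle(h);
            return 1;
        }
    }
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample arguments, as a CreateFileA hook would see them. */
    const char *seen[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\ntice",
                           "C:\\Temp\\SICE.txt", "\\\\.\\PhysicalDrive0" };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        const char *d = softice_device_from_path(seen[i]);
        printf("%-24s -> %s\n", seen[i], d ? d : "(not a SoftICE device)");
    }
    return 0;
}
```

If you turn this into a hook rather than a breakpoint, remember what the text says about where the real work happens: the name is only visible at the CreateFileA/_lopen boundary, and the open itself is answered by the VxD's Control_Dispatch on DIOC_OPEN, which is why the VMM_GetDDBList breakpoint is the one that does not miss.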
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets 0x13
and 0x37 are where "tICE" sits in the subkey strings of key #2 and key #1
respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
It returns with the zero flag clear when a debugger is installed:

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>