About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set Sice breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.