<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is in ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; ES is assumed to be 0 here (see Method 06)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value from the timer port
 xor cx,cx
 int 41h ; our handler copies al into cl...
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; ...unless SoftICE swallowed the interrupt
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
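Taken together, the methods above leave a small set of constant operands and strings in any binary that carries them. As an added example (not part of the original document), here is a Python scanner that looks for those traces in a file or memory dump, which is how an analyst would flag a sample for these checks before ever stepping it under a debugger. The byte sequences are the standard x86 encodings of the instructions shown in each method (16-bit encodings for the DOS methods, 32-bit for Methods 01 and 12); the sample buffer is constructed here for the demonstration and is not a real program.

```python
import re
import sys

# Byte-level traces of the anti-SoftICE checks described on this page.
# Machine-code sequences are the standard x86 encodings of the instructions
# shown in each method; strings are the driver names and registry key named
# in Methods 11 and 13.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' via int 3": rb"\xBD\x4B\x48\x43\x42",           # mov ebp,4243484Bh
    "M02 back door magic SI=4647h/DI=4A4Dh": rb"\xBE\x47\x46\xBF\x4D\x4A",    # mov si,4647h / mov di,4A4Dh
    "M03 int 2Fh/1684h VxD ID 0202h (SICE)": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "M05 int 41h function 4Fh": rb"\xB8\x4F\x00\xCD\x41",                     # mov ax,4Fh / int 41h
    "M07 int 68h function 43h": rb"\xB4\x43\xCD\x68",                         # mov ah,43h / int 68h
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",          # "\\.\SICE" etc.
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00", # push 4Fh / push 2A002Ah
    "M13 registry key Software\\NuMega\\SoftICE": rb"Software\\NuMega\\SoftICE",
}


def scan(data):
    """Return (offset, signature name) pairs for every hit, lowest offset first.

    A hit is a lead, not proof: the same instructions with other code in
    between, or with different registers, will not match these sequences.
    """
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, data):
            hits.append((match.start(), name))
    return sorted(hits)


def methods_found(data):
    """Distinct method numbers (e.g. 'M05') that left a trace, in page order."""
    return sorted({name.split()[0] for _, name in scan(data)})


# Constructed test input (not a real binary): filler bytes around the
# encodings of Method 05, a MeltICE device name, Method 12 and the
# Method 13 registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"        # push 4Fh / push 2A002Ah
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # Usage: python scan.py <file>; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
    print("methods:", ", ".join(methods_found(data)))
```

Methods 06, 08, 09, 10 and 14 have no fixed operand worth matching (a handler address, a VMM service call, or a debug-register read), so they are left to dynamic analysis with the BPX conditions given in the text; a clean scan therefore does not mean the sample is free of these checks.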