<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: EBP holds
the 'BCHK' magic and AX=4 when the INT 3 is raised. If SoftICE is loaded
it recognises the handshake, services the INT 3 and returns with AL changed
from 4; without SoftICE the INT 3 simply raises a breakpoint exception that
the program catches itself, so AL still holds 4.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door' interface, which returns information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the functions, selected by AX:

-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (the ASCII pairs 'FG' and 'JM').
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; DS:DX points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed by
  the program: without SoftICE the INT 3 raises a breakpoint exception instead
  of being serviced by the debugger.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh,
function 1684h (Get Device API Entry Point). If the VxD is loaded, the call
returns its API entry point in ES:DI; if not, ES:DI is left at 0:0, which is
why both registers are cleared before the call and tested afterwards.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE video (graphics) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is temporarily
replaced with a dummy IRET handler, so software that merely hooks the vector
never gets to answer; SoftICE traps the interrupt below the vector table and
still returns 0F386h:

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our dummy handler (offset)
    xchg bx, es:[41h*4+2]    ; (segment)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect:
the function number is not the recognisable 4Fh but a byte read from the
timer port, and the dummy handler records AL in CL. If the dummy handler ran
(no SoftICE), CL equals AL afterwards; if SoftICE intercepted the int 41h,
CL is still 0 and the two values differ (if the timer byte happens to be 0
the check misses).

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP


    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; swap in our handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; pseudo-random AL from the PIT counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h
returns the same 0F386h magic number.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with DS:DX
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h                       ; DOS: set interrupt vector
    mov al, Int_Number                ; 01h or 03h
    mov dx, offset New_Int_Routine    ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========
=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7 = 0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values. The values can be manipulated or changed as well
(clearing BPMs, for instance).
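To make the bit-level reading behind this method concrete, here is an added example (not part of the original text) that decodes a DR7 value and the four address registers the way a ring 0 check would, and applies the rule of thumb above: 0x400 is nothing but the reserved bit 10, which always reads as 1; 0x700 adds the LE and GE bits (8 and 9); and any L0-L3/G0-G3 enable bit means a hardware (memory) breakpoint is armed. The register values in the block are constructed, and the `verdict` labels are this example's own.

```python
# Decode the x86 debug registers a ring 0 anti-SoftICE check reads (Method 10).
# Added example; not code from the original page. Sample values are constructed.

DR7_RESERVED_BIT10 = 1 << 10   # reserved, always reads as 1: the "0x400 otherwise" baseline
DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable
DR7_GD = 1 << 13               # general detect: #DB on any MOV to/from a debug register

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding (8 is only valid in 64-bit mode)


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return the enabled hardware breakpoints plus the LE/GE/GD flags of DR7."""
    addrs = (dr0, dr1, dr2, dr3)
    info = {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "breakpoints": [],
    }
    for n in range(4):
        local_en = (dr7 >> (2 * n)) & 1        # Ln enable bits 0, 2, 4, 6
        global_en = (dr7 >> (2 * n + 1)) & 1   # Gn enable bits 1, 3, 5, 7
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3         # R/Wn: 2 bits at 16, 20, 24, 28
        ln = (dr7 >> (18 + 4 * n)) & 3         # LENn: 2 bits at 18, 22, 26, 30
        info["breakpoints"].append({
            "slot": n,
            "address": addrs[n],
            "scope": "global" if global_en else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def verdict(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """What a Method 10 style check would conclude from the register values."""
    info = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    if info["breakpoints"]:
        return "bpm"             # a memory/hardware breakpoint is armed
    if info["le"] and info["ge"]:
        return "softice-loader"  # the 0x700 pattern described in the text
    return "clean"               # 0x400: nothing but the reserved bit


def disarm(dr7):
    """Clear every Ln/Gn enable bit and R/W-LEN field (the 'clearing BPMs' the
    text mentions) while leaving LE/GE/GD and the reserved bit untouched."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # constructed: slot 0 local, write, 4 bytes at 0x00401000 -> DR7 = 0x000D0401
    armed = DR7_RESERVED_BIT10 | 1 | (1 << 16) | (3 << 18)
    for dr7 in (0x400, 0x700, armed):
        print(hex(dr7), verdict(dr7, dr0=0x00401000), decode_dr7(dr7, dr0=0x00401000))
    print(hex(disarm(armed)))
```

Reading DR0-DR7 with MOV from a debug register is privileged, so the protection needs ring 0 (a VxD) exactly as the text says; the decoder itself only needs the values.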

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* opening the device name \\.\SICE only succeeds if the VxD is loaded */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX / JNZ test):

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========
8 n. q& f; @- I: a' } ]( v5 }; _( u; ^) V9 U
This trick is similar to int41h/4fh Debugger installation check (code 05, @6 z, v2 g' v- m/ r2 C
& 06) but very limited because it's only available for Win95/98 (not NT) p0 w8 P0 h$ y1 t" o& j
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
; W6 A% z2 e3 I9 [$ E; t( z' I. G0 N2 D) N- R# ~) j) U: I! z, D
push 0000004fh ; function 4fh2 q1 \) l- i6 F8 }* {9 j+ V
push 002a002ah ; high word specifies which VxD (VWIN32)" L( z d$ R7 E6 j* `! P
; low word specifies which service: ?& a8 ?7 x9 i- W/ _
(VWIN32_Int41Dispatch)
2 y/ {: G9 E3 m" ?0 X* n call Kernel32!ORD_001 ; VxdCall
& F1 G$ k" x& i& R& z' o! B# R cmp ax, 0f386h ; magic number returned by system debuggers/ B& z3 I. _' B
jz SoftICE_detected
5 T5 {$ g; g( a. n
( ?% k. s% s. n. J: P$ g3 q. KHere again, several ways to detect it:# R; u! [+ c) N$ m v8 i0 U/ c
8 W8 A) M+ {& r( {- z( o0 v BPINT 41 if ax==4f8 ^- g. y7 { Y9 X( V5 v
# j# l6 C$ j# N" B- f' x BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
. M8 N' C, c" P* O- J* f( l: Z9 O+ h& a9 J6 q) b# y$ D# W6 ^
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
; c! j$ b" t. b0 G2 N& H) ^1 K3 j. x) G
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
. ?& T7 y" A! k) ]$ i/ @0 W9 l# ~1 _6 G- Q8 U
__________________________________________________________________________8 K4 u6 S8 [ L( w- t' N
$ f* i8 C# ~4 d9 Q" FMethod 13
: A V+ z% y* A8 T' G. O( u=========
" _" l" }4 Q3 o$ C" Y; C$ H( l
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; offsets 0x13 and 0x37 land
on the 't' of "SoftICE" in keys #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
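As an added example that is not part of the original text: the checks in Methods 01 to 07, 11, 12 and 13 all leave fixed byte or string signatures in a binary (the 'BCHK' and 'FG'/'JM' magics, the 1684h/0202h/7A5Fh int 2Fh set-up, mov ax,4Fh / int 41h, mov ah,43h / int 68h, the push 4Fh / push 002A002Ah VxDCall pair, the \\.\SICE-style device names and the NuMega registry paths). The scanner below searches a raw file image for them using the instruction encodings listed in its comments and reports the method number and offset of each hit. The sample buffer is assembled by hand from the listings above; the filler allowance between instructions is a heuristic of this example, and the UTF-16 device-name variant goes beyond the page (for code that calls CreateFileW rather than CreateFileA).

```python
import re

# Static scanner for the anti-SoftICE signatures described in Methods 01-07, 11, 12 and 13.
# Added example, not code from the original page. Instruction encodings used below:
#   B8+r imm16 = mov r16,imm (AX=B8, BX=BB, SI=BE, DI=BF), BD imm32 = mov ebp,imm32,
#   B4 imm8 = mov ah,imm8, CC = int 3, CD xx = int xx, 3D imm16 = cmp ax,imm16,
#   6A imm8 = push imm8, 68 imm32 = push imm32.  '.{0,8}?' tolerates a few filler bytes.

DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")


def _device_name_regex():
    """Match \\\\.\\NAME as an ANSI string (CreateFileA, _lopen) or UTF-16LE (CreateFileW)."""
    alts = []
    for name in DEVICE_NAMES:
        path = "\\\\.\\" + name
        alts.append(re.escape(path.encode("ascii")))
        alts.append(re.escape(path.encode("utf-16-le")))
    return re.compile(b"|".join(alts))


SIGNATURES = [
    ("01", "BCHK handshake: mov ebp,'BCHK' ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    ("02", "INT 3 back door magics: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    ("05/06", "int 41h debugger check: mov ax,4Fh / int 41h, or int 41h ... cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41|\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    ("07", "int 68h/AH=43h V86 check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    ("11", "MeltICE device name", _device_name_regex()),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry path",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(blob):
    """Return [(offset, method, description), ...] sorted by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    return [method for _, method, _ in scan(blob)]


# Constructed sample image: the listings from the text, assembled by hand, back to back.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 02: Haspinst loop body (16-bit code)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # 03: xor di,di; mov es,di; ...; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # 12: push 4Fh; push 002A002Ah
    + b"\\\\.\\SICE\x00"                                    # 11: ANSI device name
    + b"Software\\NuMega\\SoftICE\x00"                      # 13: registry key #2
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:08x}  method {method:<5} {desc}")
```

Run it over a DOS or Win9x executable image (for example `scan(open(path, "rb").read())`) to triage which of the tricks above a protection uses before tracing it; the byte patterns are short, so treat a lone Method 05/06 or 07 hit as a lead to confirm in the debugger rather than as proof.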

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed         ; ZF is clear if a debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>