About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.