<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; SoftICE answers the BoundsChecker call by changing al
    jnz SoftICE_Detected
__________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WinICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax           ; ES:DI = 0000:0000 when the VxD is not present
    jnz SoftICE_Detected

__________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h           ; our handler does not touch ax: only a debugger does
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; our handler only echoes al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read the timer counter as a pseudo-random value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; cl != al: our handler never ran, int 41h was intercepted
    jnz SoftICE_detected
__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the SoftICE VxD as a device: this only succeeds if it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

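The page leaves the reader with breakpoints to catch each trick live. An added
example (written for this page, not code from the original text or from any of
the tools it names) shows the other half of the job: a static triage scanner
that looks for the byte patterns of the checks in Methods 01 through 07 and the
driver names of Method 11, the way a packer-identification signature does. The
instruction encodings listed in the comments are assumptions of this example
(16-bit forms, with an optional 66h prefix so the same bytes match in 32-bit
code), the gap sizes between instructions are arbitrary, and SAMPLE is a
constructed byte string assembled from the page's own snippets, not a real
binary.

```python
import re
from dataclasses import dataclass

# Byte patterns for the checks on this page. The encodings are assumptions of
# this example (16-bit instruction forms; a 66h operand-size prefix is allowed
# so the same bytes match inside 32-bit code):
#   mov ebp,4243484Bh -> BD 4B 48 43 42       int 3            -> CC
#   mov si,4647h      -> BE 47 46             mov di,4A4Dh     -> BF 4D 4A
#   mov ax,1684h      -> B8 84 16             mov bx,0202h     -> BB 02 02
#   mov bx,7A5Fh      -> BB 5F 7A             int 2Fh          -> CD 2F
#   mov ax,4Fh        -> B8 4F 00             int 41h          -> CD 41
#   mov ah,43h        -> B4 43                int 68h          -> CD 68
# ".{0,n}?" tolerates a few unrelated bytes between the instructions of a check.
SIGNATURES = (
    ("method01_bchk_int3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("method02_backdoor_int3",
     rb"(?:\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"
     rb"|\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46).{0,8}?\xCC"),
    ("method03_04_int2f_1684",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("method05_06_int41_4f",
     rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("method07_int68_43",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("method11_driver_name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
)
_COMPILED = tuple((name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES)


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    length: int


def scan(data: bytes) -> list:
    """Return every signature match in data, ordered by offset."""
    hits = [Hit(name, m.start(), m.end() - m.start())
            for name, rx in _COMPILED
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.name))


def methods_found(data: bytes) -> set:
    """Names of the page's methods present in data, for a quick triage report."""
    return {h.name for h in scan(data)}


# Constructed sample: NOP-padded fragments assembled from the snippets on this
# page (32-bit encoding for Method 01, 16-bit for the others) plus the
# "\\.\SICE" device name. Not a real executable.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 4  (66h prefix: 32-bit code)
    + b"\xCC"                          # int 3
    + b"\x3C\x04\x75\x10"              # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"          # cmp ax,0F386h / jz SoftICE_detected
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"  # mov ah,43h / int 68h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"               # device name string used by MeltICE
    + b"\x90" * 4
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.name}  ({hit.length} bytes)")
```

A scanner like this is a triage aid, not proof: the int 41h and int 2Fh
patterns also occur in legitimate DOS-era code, so a hit tells you where to put
one of the breakpoints listed above rather than that the file is hostile.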
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>