<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with EBP set
to the signature 'BCHK' and AX=04h, an INT 3 is answered by SoftICE, which
comes back with AL changed; without a debugger the registers are untouched
and AL is still 4.

   mov ebp, 04243484Bh   ; 'BCHK' (42h 43h 48h 4Bh)
   mov ax, 04h
   int 3
   cmp al,4
   jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands. It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
   -AX = 0910h (Display a string in the SoftICE window)
   -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
   -AX = 0912h (Get breakpoint information)
   -AX = 0913h (Set SoftICE breakpoints)
   -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
   -SI = 4647h
   -DI = 4A4Dh
which are the 'magic values' used by SoftICE (in ASCII, 'FG' and 'JM', the
initials of the SoftICE authors).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

   4C19:0095 MOV AX,0911   ; execute command.
   4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
   4C19:009A MOV SI,4647   ; 1st magic value.
   4C19:009D MOV DI,4A4D   ; 2nd magic value.
   4C19:00A0 INT 3         ; int call (if SoftICE is not loaded, jmp to 00AD*)
   4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
   4C19:00A4 INC CX
   4C19:00A5 CMP CX,06     ; repeat 6 times to execute
   4C19:00A8 JB 0095       ; 6 different commands.
   4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
   4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back
pointing to its API entry point; otherwise ES:DI is left at 0:0, which is
why both registers are zeroed first.

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h        ; VxD ID of winice (SICE)
   int 2Fh
   mov ax, es           ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics (video) VxD, SIWVID.

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh        ; VxD ID of SIWVID
   int 2fh
   mov ax, es           ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first swaps its own
handler, a bare IRET, into the int 41h slot of the interrupt vector table
(so ES must be 0). If the INT 41h still returns AX=0F386h, the interrupt
was answered by something that intercepts it at ring 0 before the vector
table is consulted, i.e. SoftICE:

   xor ax,ax
   mov es,ax                ; ES = 0: the IVT accesses below need it
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]      ; swap in our own int 41h handler...
   xchg bx, es:[41h*4+2]
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]      ; ...and restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot, since neither
4Fh nor 0F386h appears in the code. The replacement handler copies AL into
CL; the program loads AL with a fresh value from the timer port (40h),
clears CX and issues int 41h. If its own handler ran, CL equals AL on
return; if a debugger intercepted the interrupt instead (and did not chain
to the vector table), CL is still 0:

int41handler PROC
   mov cl,al
   iret
int41handler ENDP

   xor ax,ax
   mov es,ax                ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h               ; pseudo-random byte from the timer
   xor cx,cx
   int 41h
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   cmp cl,al
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86): function 43h is the
debugger installation check and returns AX=0F386h when a debugger is loaded.

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (and the computer hangs...)

   mov ah, 25h                      ; set interrupt vector
   mov al, Int_Number               ; 01h or 03h
   mov dx, offset New_Int_Routine   ; DS:DX = new handler (DS = its segment)
   int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxdCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device; if it is, it returns that device's Device Description
Block (in ECX).

   mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (in ring 0
only), you can detect whether SoftICE is loaded (DR7=0x700 if you loaded
the program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints (BPM) are set, since those live in DR0 to DR3 with their enable
bits in DR7. Note that bit 10 of DR7 is reserved and always reads as 1,
which is where the 0x400 comes from; 0x700 additionally has bits 8 and 9
(LE/GE, exact breakpoint match) set. The values can be manipulated or
changed as well (clearing BPMs, for instance).
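
What the debug registers encode, as an added example that is not part of
the original page or of any SoftICE-related tool: a decoder for DR7 and
DR0-DR3 written in C. The register values are constructed here, because
reading DR7 (mov eax,dr7) is only possible at ring 0, as the text says; in
a VxD they would come from that instruction. The bit layout is the Intel
one (L/G enable bits 0-7, LE/GE bits 8-9, reserved bit 10, R/W and LEN
nibbles from bit 16); the "0x700 means SoftICE loader" heuristic is the
page's, and the function names are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * DR7 layout (Intel SDM, debug registers):
 *   bits 0..7   L0,G0 .. L3,G3   local/global enable of breakpoint slots 0..3
 *   bits 8, 9   LE, GE           local/global exact breakpoint match
 *   bit  10     reserved, always reads as 1  -> the page's "0x400 otherwise"
 *   bits 16..31 R/W0,LEN0 .. R/W3,LEN3, two bits each, one nibble per slot
 * So the 0x700 the page attributes to the SoftICE loader is LE|GE plus the
 * reserved bit, with no breakpoint slot enabled.
 */
static const char *const kKind[4] = { "exec", "write", "io", "rw" };   /* R/W encoding 00..11 */
static const unsigned    kLen[4]  = { 1, 2, 8, 4 };                    /* LEN encoding 00..11 */

int dr7_slot_enabled(uint32_t dr7, int slot)            /* L or G bit of the slot */
{
    return ((dr7 >> (2 * slot)) & 3u) ? 1 : 0;
}

const char *dr7_slot_kind(uint32_t dr7, int slot)       /* what the BPM triggers on */
{
    return kKind[(dr7 >> (16 + 4 * slot)) & 3u];
}

unsigned dr7_slot_len(uint32_t dr7, int slot)           /* bytes covered by the BPM */
{
    return kLen[(dr7 >> (18 + 4 * slot)) & 3u];
}

int dr7_active_count(uint32_t dr7)                      /* how many BPMs are armed */
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += dr7_slot_enabled(dr7, i);
    return n;
}

int dr7_exact_match_enabled(uint32_t dr7)               /* LE and GE both set (0x300) */
{
    return (dr7 & 0x300u) == 0x300u;
}

/* "Clearing BPMs": drop the L/G bits and the R/W+LEN nibble of one slot. */
uint32_t dr7_clear_slot(uint32_t dr7, int slot)
{
    return dr7 & ~(3u << (2 * slot)) & ~(0xFu << (16 + 4 * slot));
}

void dump_debug_regs(uint32_t dr7, const uint32_t dr[4])
{
    printf("DR7=%08" PRIx32 "  LE=%" PRIu32 " GE=%" PRIu32 "  loader-signature=%d  armed BPMs=%d\n",
           dr7, (dr7 >> 8) & 1u, (dr7 >> 9) & 1u,
           dr7_exact_match_enabled(dr7), dr7_active_count(dr7));
    for (int i = 0; i < 4; i++) {
        if (!dr7_slot_enabled(dr7, i))
            continue;
        printf("  BPM%d at %08" PRIx32 "  %-5s len=%u  %s\n", i, dr[i],
               dr7_slot_kind(dr7, i), dr7_slot_len(dr7, i),
               ((dr7 >> (2 * i + 1)) & 1u) ? "global" : "local");
    }
}

int main(void)
{
    /* Constructed register values: what a VxD would read with mov eax,drN. */
    uint32_t dr[4] = { 0x00401000u, 0x0040A000u, 0u, 0u };

    dump_debug_regs(0x400u, dr);                /* no debugger, nothing armed */
    dump_debug_regs(0x700u, dr);                /* loaded via SoftICE loader */
    /* two BPMs: slot 0 rw/1 byte (L0, R/W0=11), slot 1 write/4 bytes (L1, R/W1=01, LEN1=11) */
    uint32_t armed = 0x700u | 1u | (3u << 16) | 4u | (1u << 20) | (3u << 22);
    dump_debug_regs(armed, dr);
    dump_debug_regs(dr7_clear_slot(armed, 0), dr);   /* BPM0 removed */
    return 0;
}
```

The armed value above is 0x00D30705: 0x705 carries L0, L1 and the
LE/GE/reserved bits, 0xD30000 the R/W and LEN fields of the two slots.
Clearing slot 0 leaves 0x00D00704, which is how a ring-0 anti-debug routine
would silently remove a BPM without touching the others.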

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
itself to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
devices (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. The open only succeeds when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name registered by the SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

   00401067: push 00402025        ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
   00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix, so the four bytes compared are the start of the device name):
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                   ; OF_READ
   mov eax,[00656634]        ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                   ; HFILE_ERROR (-1) becomes 0
   jnz 00650589              ; detected
   push 00                   ; OF_READ
   mov eax,[00656638]        ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push 0000004fh            ; function 4fh
   push 002a002ah            ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_0001    ; VxdCall
   cmp ax, 0f386h            ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

   -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                          \Uninstall\SoftICE
   -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
   -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                          \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 'tICE'
sits at offset 0x13 in key #2 and at offset 0x37 in key #1, so key #3 is
not caught by this condition):

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
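
The breakpoint conditions of methods 11 and 13 turned into code, as an
added example that is not part of the original page or of MeltICE: a small
classifier in C that takes API name / string argument pairs (as one would
log them from BPX hits or an API monitor) and flags the device opens of
method 11 and the registry lookups of method 13. The trace lines are
constructed; the device and key names are the ones the text lists; the
function names (softice_device_in_path, tice_offset, softice_registry_key,
is_softice_probe) are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device names the SoftICE drivers register: SICE and SIWVID on Win9x, NTICE on NT. */
static const char *const kSoftIceDevices[] = { "SICE", "SIWVID", "NTICE" };

/* The three HKEY_LOCAL_MACHINE subkeys listed under method 13. */
static const char *const kSoftIceKeys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",       /* #1 */
    "Software\\NuMega\\SoftICE",                                              /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  /* #3 */
};

/* Case-insensitive string equality (device and registry names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Method 11. Mirrors  BPX CreateFileA if *(esp->4+4)=='SICE' || ... :
 * esp->4 is lpFileName (first stack argument), +4 skips the "\\.\" prefix.
 * The BPX compares only four bytes ('SICE', 'SIWV', 'NTIC'); here the whole
 * device name must match. Returns the canonical device name or NULL. */
const char *softice_device_in_path(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t i = 0; i < sizeof kSoftIceDevices / sizeof *kSoftIceDevices; i++)
        if (ieq(lpFileName + 4, kSoftIceDevices[i]))
            return kSoftIceDevices[i];
    return NULL;
}

/* Method 13. Offset of "tICE" in a subkey, or -1: this is what
 * BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * tests at the two fixed offsets (0x13 = key #2, 0x37 = key #1). */
int tice_offset(const char *subkey)
{
    const char *p = subkey ? strstr(subkey, "tICE") : NULL;
    return p ? (int)(p - subkey) : -1;
}

/* Which listed key (1..3) a RegOpenKey* subkey names, 0 if none.
 * Unlike the fixed-offset BPX, this also catches key #3. */
int softice_registry_key(const char *subkey)
{
    for (size_t i = 0; i < sizeof kSoftIceKeys / sizeof *kSoftIceKeys; i++)
        if (subkey && ieq(subkey, kSoftIceKeys[i]))
            return (int)i + 1;
    return 0;
}

/* Verdict for one logged call (API name + its string argument). */
int is_softice_probe(const char *api, const char *arg)
{
    if (ieq(api, "CreateFileA") || ieq(api, "CreateFileW") || ieq(api, "_lopen"))
        return softice_device_in_path(arg) != NULL;
    if (strncmp(api, "RegOpenKey", 10) == 0)
        return softice_registry_key(arg) != 0;
    return 0;
}

int main(void)
{
    /* Constructed trace, in the shape an API monitor or a set of BPX hits would produce. */
    static const char *const trace[][2] = {
        { "CreateFileA",   "\\\\.\\SICE" },
        { "CreateFileA",   "\\\\.\\PhysicalDrive0" },
        { "_lopen",        "\\\\.\\SIWVID" },
        { "CreateFileA",   "\\\\.\\ntice" },
        { "RegOpenKeyA",   "Software\\NuMega\\SoftICE" },
        { "RegOpenKeyExA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
        { "RegOpenKeyA",   "Software\\Microsoft\\Windows\\CurrentVersion\\Run" },
    };
    int probes = 0;
    for (size_t i = 0; i < sizeof trace / sizeof *trace; i++) {
        int hit = is_softice_probe(trace[i][0], trace[i][1]);
        probes += hit;
        printf("%-5s %-13s %s\n", hit ? "PROBE" : "ok", trace[i][0], trace[i][1]);
    }
    printf("%d SoftICE probes in %zu calls\n", probes, sizeof trace / sizeof *trace);
    return 0;
}
```

On the constructed trace, five of the seven calls are flagged. The two
tice_offset results (0x13 and 0x37) are exactly the constants in the
_regopenkey BPX, which is why that condition misses key #3.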

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service just checks a flag and returns with the Zero flag set
when no debugger is installed:

   VMMCall Test_Debug_Installed
   je not_installed

</PRE></TD></TR></TBODY></TABLE>