About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if a debugger hooked int 41h, our handler did not run
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x SoftICE
   VxD is loaded and answers the DIOC_OPEN control message (see below). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
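Added example, not part of the original post and not NuMega's, MeltICE's or any packer's code: a small C scanner that flags the byte patterns of methods 01, 02, 05, 07, 11, 12 and 13 in a raw code image, the way an analyst triages a packed sample for anti-debugging checks. The function names, the signature table and the sample image are my own constructions; the 3-byte patterns are the plain 16-bit encodings and are assumed to be the common form.

```c
/* Added example, not from the original post: a byte-signature scanner that
 * flags the anti-SoftICE constructs described above in a raw code image. Each
 * pattern is the x86 encoding of an instruction or string quoted in a method. */
#include <stdint.h>
#include <string.h>

typedef struct { const char *method; const void *bytes; size_t len; } sig_t;
typedef struct { size_t offset; const sig_t *sig; } hit_t;
static const uint8_t BCHK[]   = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,4243484Bh   */
static const uint8_t MAG_SI[] = {0xBE, 0x47, 0x46};             /* mov si,4647h        */
static const uint8_t MAG_DI[] = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh        */
static const uint8_t INT41[]  = {0xB8, 0x4F, 0x00, 0xCD, 0x41}; /* mov ax,4Fh; int 41h */
static const uint8_t F386[]   = {0x3D, 0x86, 0xF3};             /* cmp ax,0F386h       */
static const uint8_t INT68[]  = {0xB4, 0x43, 0xCD, 0x68};       /* mov ah,43h; int 68h */
static const char DEV_SICE[]  = "\\\\.\\SICE";                  /* MeltICE device names */
static const char DEV_SIWV[]  = "\\\\.\\SIWVID";
static const char DEV_NTIC[]  = "\\\\.\\NTICE";
static const char REG_KEY[]   = "Software\\NuMega\\SoftICE";     /* method 13 probe     */

/* 3-byte patterns (methods 02, 05) can hit by chance in data: treat a lone SI
 * or DI magic hit as weak unless its partner value sits within a few bytes. */
static const sig_t SIGS[] = {
    { "01 BCHK signature",        BCHK,     sizeof BCHK },
    { "02 backdoor magic SI",     MAG_SI,   sizeof MAG_SI },
    { "02 backdoor magic DI",     MAG_DI,   sizeof MAG_DI },
    { "05 int 41h/4Fh check",     INT41,    sizeof INT41 },
    { "05/12 cmp ax,0F386h",      F386,     sizeof F386 },
    { "07 int 68h/43h check",     INT68,    sizeof INT68 },
    { "11 MeltICE \\\\.\\SICE",   DEV_SICE, sizeof DEV_SICE - 1 },
    { "11 MeltICE \\\\.\\SIWVID", DEV_SIWV, sizeof DEV_SIWV - 1 },
    { "11 MeltICE \\\\.\\NTICE",  DEV_NTIC, sizeof DEV_NTIC - 1 },
    { "13 registry key",          REG_KEY,  sizeof REG_KEY - 1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf[0..len) for every signature at every offset; store up to max hits
 * and return the total found, so a caller can notice truncation. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, hit_t *hits, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t i = 0; i < NSIGS; i++) {
            const sig_t *s = &SIGS[i];
            if (s->len > len - off || memcmp(buf + off, s->bytes, s->len) != 0)
                continue;
            if (found < max) { hits[found].offset = off; hits[found].sig = s; }
            found++;
        }
    }
    return found;
}

/* Constructed sample image (not a real binary): the method 01 prologue, the
 * method 05 check and a MeltICE device name, with nop padding in front. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90,                                  /* 0:  nop x3               */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                      /* 3:  mov ebp,'BCHK'       */
    0x66, 0xB8, 0x04, 0x00, 0xCC,                      /* 8:  mov ax,4; int 3      */
    0x3C, 0x04, 0x75, 0x10,                            /* 13: cmp al,4; jnz        */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                      /* 17: mov ax,4Fh; int 41h  */
    0x3D, 0x86, 0xF3, 0x74, 0x05,                      /* 22: cmp ax,0F386h; jz    */
    '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0  /* 27: "\\.\NTICE"          */
};
size_t scan_sample(hit_t *hits, size_t max) { return scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, max); }
```

On the constructed image the scanner reports four hits (offsets 3, 17, 22 and 27); on a real 32-bit binary expect the 16-bit patterns to appear behind a 66h operand-size prefix, which these substrings still match.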

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>