<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to be 0 (interrupt vector table)
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler, keep the old one
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

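The five checks above all boil down to a few fixed instruction encodings (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h/0202h/7A5Fh VxD query, the 4Fh/int 41h probe), which is what makes them easy to spot in a packed file before it is ever run. The following Python scanner is an added example, not code from this text or from any of the tools it names: the byte patterns are the 16-bit encodings of the instructions shown above (Method 01 also with the 66h operand-size prefix), the sample buffer is constructed here, and the few-byte wildcards between the register loads and the interrupt are my own assumption, meant to survive reordered setup code.

```python
"""Static scanner for the int 3 / int 2Fh / int 41h SoftICE checks of
Methods 01-05 (added example; patterns derived from the listings above)."""
import re

# (name, regex over raw bytes). Wildcards ".{0,N}?" tolerate a few bytes of
# unrelated code between the register loads and the interrupt instruction.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') .. mov ax,4 .. int 3
    ("method01_bchk",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    # Method 02: optional mov ax,0910h..0914h, then the SI/DI magic values
    # (either order) and int 3
    ("method02_backdoor",
     re.compile(rb"(?:\xB8[\x10-\x14]\x09.{0,16}?)?"
                rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46)"
                rb".{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h .. mov bx,0202h|7A5Fh .. int 2Fh
    ("method03_04_vxd_id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh .. int 41h (the xchg vector swaps fit in the gap)
    ("method05_int41_4f",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
]


def scan(buf: bytes):
    """Return a sorted list of (offset, signature_name) hits found in buf.

    int 3 and mov ax,4Fh are common on their own, so these are heuristics:
    a hit is a reason to look at the code, not proof by itself.
    """
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled 16-bit code for four of the checks,
# separated by NOPs. Not taken from any real binary.
SAMPLE = bytes.fromhex(
    "90 90"                                        # offset 0: filler
    "66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"    # offset 2: Method 01
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"          # offset 16: Method 02
    "31 FF 8E C7 B8 84 16 BB 02 02 CD 2F"          # offset 28: Method 03
    "B8 4F 00 CD 41 3D 86 F3 74 05"                # offset 40: Method 05
    "90 90"
)


def main():
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")


if __name__ == "__main__":
    main()
```

Running it on the constructed buffer reports four hits; the Method 03 hit lands at offset 32 rather than 28 because the pattern starts at the mov ax,1684h, after the two instructions that zero ES. Scanning a real file means feeding the code section (or the whole image) to scan() and reviewing each hit in a disassembler.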
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = some value read from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if our handler ran, cl == al
        jnz SoftICE_detected    ; otherwise something intercepted int 41h
_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

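The CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint of Method 13 both compare a dword at a fixed offset into a string argument, and the offsets (+4, +0x13, +0x37) come straight from the "\\.\" device prefix and from the two registry key names listed above. The following Python model is an added example, not from this text and not SoftICE code: it rebuilds those predicates over a constructed trace of API calls (the trace and the flag_calls helper are my own, not anything the page describes), derives the magic offsets from the key names quoted in Method 13, and shows that the breakpoint as written does not cover key #3.

```python
"""Model of the conditional breakpoints given for Methods 11 and 13
(added example). SoftICE compares the 4 bytes at the given address with a
'XXXX' literal; here that is a byte-slice compare on the argument string."""

# Dword tags the page's CreateFileA breakpoint looks for at lpFileName+4.
SOFTICE_DEVICES = (b"SICE", b"SIWV", b"NTIC")

# Subkeys from Method 13 (constructed here without the HKEY_LOCAL_MACHINE
# root, which is the hKey argument rather than part of the string).
KEY_UNINSTALL = rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"       # #1
KEY_NUMEGA = rb"Software\NuMega\SoftICE"                                                # #2
KEY_APPPATHS = rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe"    # #3


def dword_at(s: bytes, off: int) -> bytes:
    """The 4 bytes a '*(ptr+off)' compare would read, or b'' if the string
    is too short (the breakpoint condition then simply evaluates false)."""
    return s[off:off + 4] if len(s) >= off + 4 else b""


def createfile_bp_fires(lpFileName: bytes) -> bool:
    """Method 11: esp->4 is lpFileName; +4 skips the 4-byte '\\\\.\\' prefix,
    so the dword there is the device name tag."""
    return dword_at(lpFileName, 4) in SOFTICE_DEVICES


def regopenkey_bp_fires(lpSubKey: bytes) -> bool:
    """Method 13: esp->8 is lpSubKey; 0x13 and 0x37 are the positions of
    'tICE' in the NuMega (#2) and Uninstall (#1) key names."""
    return dword_at(lpSubKey, 0x13) == b"tICE" or dword_at(lpSubKey, 0x37) == b"tICE"


def tice_offset(subkey: bytes) -> int:
    """Where 'tICE' sits in a subkey string (-1 if absent); this is how the
    two magic offsets in the breakpoint are derived."""
    return subkey.find(b"tICE")


# Constructed API trace (api name, string argument), e.g. from a logger.
CONSTRUCTED_TRACE = [
    ("CreateFileA", b"\\\\.\\SICE"),
    ("CreateFileA", b"C:\\WINDOWS\\SYSTEM\\user.dat"),
    ("CreateFileA", b"\\\\.\\NTICE"),
    ("RegOpenKeyA", KEY_NUMEGA),
    ("RegOpenKeyA", KEY_APPPATHS),
]


def flag_calls(trace):
    """Apply the two breakpoint predicates to a trace; return the calls
    on which SoftICE would have stopped."""
    flagged = []
    for api, arg in trace:
        if api == "CreateFileA" and createfile_bp_fires(arg):
            flagged.append((api, arg))
        elif api == "RegOpenKeyA" and regopenkey_bp_fires(arg):
            flagged.append((api, arg))
    return flagged


def main():
    for label, key in (("#1", KEY_UNINSTALL), ("#2", KEY_NUMEGA), ("#3", KEY_APPPATHS)):
        print(f"key {label}: 'tICE' at {tice_offset(key):#x}")
    for api, arg in flag_calls(CONSTRUCTED_TRACE):
        print(f"break on {api}({arg!r})")


if __name__ == "__main__":
    main()
```

tice_offset() gives 0x37 for key #1 and 0x13 for key #2, exactly the two constants in the breakpoint; key #3 contains no 'tICE' at all, so a program that only touches the App Paths key passes the breakpoint unnoticed, which is worth remembering when the "usually #2" assumption does not hold.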
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>