<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is 0 here (see Method 06): swap in our own
        xchg bx, es:[41h*4+2]   ; int 41h vector, saving the old one in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our dummy handler: copy al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT channel 0 counter as a test value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler actually ran
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds when the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
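
As an added example (not part of the original text), a small Python scanner that flags the byte sequences of the checks listed above (Methods 01 to 07, 11 and 12) inside a file image, the kind of static triage check used to spot these anti-debugging tricks in a packed sample. It assumes 16-bit encodings for the DOS interrupt tricks and 32-bit encodings for the packer and Win32 ones; the sample buffer is constructed, not taken from any real binary.

```python
import re

# Byte signatures for the anti-SoftICE checks of Methods 01-07, 11 and 12.
# Assumed encodings (added example, not code from the original page): 16-bit
# code for the DOS interrupt tricks, 32-bit code for the packer (Method 01)
# and Win32 (Methods 11/12) ones; an optional 66h prefix covers a 16-bit
# register load inside 32-bit code.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ; ... ; int 3 ; ... ; cmp al,4
    "M01 BoundsChecker 'BCHK' / int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,4}?\x3C\x04",
    # mov si,4647h ; mov di,4A4Dh ; ... ; int 3
    "M02 int 3 backdoor (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,8}?\xCC",
    # mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "M03/04 int 2Fh/1684h with SICE/SIWVID VxD ID":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # mov ax,4Fh ; ... ; int 41h
    "M05/06 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41",
    # mov ah,43h ; int 68h
    "M07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",
    # cmp ax,0F386h (system-debugger magic number of Methods 05, 07 and 12)
    "M05/07/12 compare with magic 0F386h":
        rb"\x66?\x3D\x86\xF3",
    # ANSI device names opened by MeltICE-style CreateFileA/_lopen checks
    "M11 SoftICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # push 4Fh ; push 2A002Ah ; call Kernel32!ORD_0001 (VWIN32_Int41Dispatch)
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in COMPILED.items()
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: the sequences above embedded in filler bytes; it is not
# taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # Method 03
    + b"\\\\.\\SICE\x00"                                            # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # Method 12
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # Method 05
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Unicode device names (CreateFileW) and code that builds the strings or constants at run time are not covered; a hit means "this trick is present", not that the sample is malicious.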
</PRE></TD></TR></TBODY></TABLE>