<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE's int 3 handler recognizes 'BCHK'
        cmp al,4                ; and modifies al; al is still 4 otherwise
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if no VxD with this ID answered
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes es = 0 (segment of the interrupt vector table)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]   ; and save the original vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the original
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler was reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
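As an added example (not part of the original text), here is a small static triage scanner an analyst can run over a suspect executable to flag the instruction sequences and strings quoted in Methods 01 to 13 above. The byte patterns are the standard x86 encodings of the listed instructions; the sample buffer is constructed, not taken from a real program.

```python
# Static triage scanner for the anti-SoftICE checks described above.
# Each pattern is the x86 encoding of an instruction or string quoted in
# Methods 01-13. Patterns start at the opcode byte, so an operand-size
# prefix (66h) in front of them does not prevent a match. Short patterns
# are weak evidence on their own; treat hits as leads, not verdicts.
SIGNATURES = {
    "M01": ("BoundsChecker 'BCHK' constant (mov ebp,4243484Bh)",
            [(0x4243484B).to_bytes(4, "little")]),      # 4B 48 43 42
    "M02": ("back door magic values (mov si,4647h / mov di,4A4Dh)",
            [b"\xBE\x47\x46", b"\xBF\x4D\x4A"]),
    "M03/04": ("int 2Fh/1684h with the SICE or SIWVID VxD ID",
               [b"\xBB\x02\x02\xCD\x2F", b"\xBB\x5F\x7A\xCD\x2F"]),
    "M05": ("int 41h function 4Fh (mov ax,4Fh / int 41h)",
            [b"\xB8\x4F\x00\xCD\x41"]),
    "M05/07/12": ("compare with debugger magic 0F386h (cmp ax,0F386h)",
                  [b"\x3D\x86\xF3"]),
    "M07": ("int 68h function 43h (mov ah,43h / int 68h)",
            [b"\xB4\x43\xCD\x68"]),
    "M11": ("MeltICE device names passed to CreateFileA/_lopen",
            [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    "M12": ("VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
            [b"\x6A\x4F\x68\x2A\x00\x2A\x00"]),
    "M13": ("SoftICE registry key name",
            [b"Software\\NuMega\\SoftICE"]),
}


def scan(blob):
    """Return sorted (offset, method id) pairs for every pattern hit."""
    hits = []
    for method, (_desc, patterns) in SIGNATURES.items():
        for pat in patterns:
            start = 0
            while (pos := blob.find(pat, start)) != -1:
                hits.append((pos, method))
                start = pos + 1
    return sorted(hits)


def detected_methods(blob):
    """Unique method ids whose signature appears in blob, sorted."""
    return sorted({method for _off, method in scan(blob)})


# Constructed sample (not a real binary): filler around the HASP-style back
# door sequence (Method 02), the int 2Fh SICE check (Method 03) and a
# MeltICE device name (Method 11).
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"                        # mov ax,0911h
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A"      # mov si,4647h / mov di,4A4Dh
    + b"\xCC"                                # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE",0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, method in scan(SAMPLE):
        print(f"{off:#06x}  {method:10} {SIGNATURES[method][0]}")
```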
</PRE></TD></TR></TBODY></TABLE>