About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES -> segment 0 (the IVT), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect
(the installed handler just copies al to cl; if SoftICE answers int 41h
instead, cl stays 0 and the compare fails):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

: u$ a, s5 g$ K. B- U: gMethod 072 l+ I! O2 p. {. R. E9 D+ `
=========
; C* [6 M* F* m8 V
# P3 H  Z% q& w+ c, m4 b# NMethod of detection of the WinICE handler in the int68h (V86)
/ z  u7 C: }+ x. `# t6 L4 [2 J' [; S# I, M' S- E$ e/ A+ C  l
    mov     ah,43h
. L: Q- [7 U, O) {" b. v    int     68h% _9 T) O/ }" Y! z5 o
    cmp     ax,0F386h+ @/ D; r+ M) W2 Z; a7 b
    jz      SoftICE_Detected
+ H8 `1 j+ l* o0 W+ W# D- Z
! P( D$ C9 T2 ^: z7 x/ N
/ L+ G$ V9 S/ g0 c* }=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% m4 O9 P: K. t. _' _, Y
   app like this:
$ X" F5 p! G4 ^: k5 H' C! z4 d9 k3 C, i7 N
   BPX exec_int if ax==68
# w1 Q  e" k: K! D5 a6 h. k0 |: D   (function called is located at byte ptr [ebp+1Dh] and client eip is1 l6 Q8 O* D5 f& X3 B
   located at [ebp+48h] for 32Bit apps)
9 C0 `" S4 _" a__________________________________________________________________________
6 G( u8 j& g: Q4 j! i6 G. y9 @
6 }$ B0 Q- ^% e$ E0 U9 b2 Z8 A$ J& U. I% Y1 q$ N' s0 `
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

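The 0x700/0x400 values quoted above are easier to read once DR7's bit layout is spelled out: bit 10 always reads as 1 (hence 0x400 as the floor), bits 8 and 9 are the LE/GE exact-breakpoint enables (0x700 when both are set), and bits 0-7 together with bits 16-31 describe the four breakpoint slots DR0..DR3. The following Python decoder is an added example, not part of the original write-up: it works on DR7/DR0-DR3 values that have already been read at ring 0, the bit positions follow the Intel SDM, and the armed breakpoints it demonstrates (0xD30705 with DR0=0x401000 and DR1=0x402000, i.e. a 1-byte read/write BPM and a 4-byte write BPM) are constructed values.

```python
from dataclasses import dataclass
from typing import List, Sequence

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"). These names are added
# for this example; the write-up itself only quotes the raw values 0x700/0x400.
DR7_LE = 1 << 8               # local exact breakpoint enable
DR7_GE = 1 << 9               # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10    # always reads as 1, which is where 0x400 comes from
DR7_GD = 1 << 13              # general detect: trap the next MOV to/from a DRx

RW_NAMES = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # the 8-byte length exists only in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int          # 0..3: which of DR0..DR3 holds the address
    address: int
    local: bool        # Ln bit (cleared by the CPU on a task switch)
    global_: bool      # Gn bit
    access: str        # RWn field, decoded
    length: int        # LENn field, decoded to bytes


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[HwBreakpoint]:
    """List every armed hardware breakpoint described by DR7 (addresses from DR0..DR3).

    Reading a debug register is a ring-0 operation (a ring-3 MOV from DR7 raises #GP),
    which is why the write-up says 'in ring0 only'; this works on values already read.
    """
    found: List[HwBreakpoint] = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                                  # slot not armed
        rw = (dr7 >> (16 + 4 * slot)) & 0b11          # RWn: 2 bits per slot from bit 16
        ln = (dr7 >> (18 + 4 * slot)) & 0b11          # LENn: 2 bits per slot from bit 18
        found.append(HwBreakpoint(slot, dr0_3[slot], local, glob,
                                  RW_NAMES[rw], LEN_BYTES[ln]))
    return found


def loader_signature(dr7: int) -> bool:
    """True for the 0x700 pattern (LE and GE set on top of the always-set bit 10)
    that the write-up attributes to a target started through the SoftICE loader;
    a plain 0x400 gives False."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def general_detect(dr7: int) -> bool:
    """True when GD is set, i.e. a debugger asked to be notified of DRx accesses."""
    return bool(dr7 & DR7_GD)


def describe(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> List[str]:
    """Human-readable summary, the kind of output a ring-0 checker would log."""
    lines = [f"DR7=0x{dr7:X}: loader pattern={'yes' if loader_signature(dr7) else 'no'}, "
             f"GD={int(general_detect(dr7))}"]
    for bp in decode_dr7(dr7, dr0_3):
        scope = "/".join(s for s, on in (("local", bp.local), ("global", bp.global_)) if on)
        lines.append(f"  DR{bp.slot}=0x{bp.address:X} {scope} {bp.access} len={bp.length}")
    if len(lines) == 1:
        lines.append("  no hardware breakpoints armed")
    return lines


if __name__ == "__main__":
    # Constructed inputs: 0x700 and 0x400 are the two values the write-up quotes;
    # 0xD30705 adds a 1-byte read/write BPM in DR0 and a 4-byte write BPM in DR1.
    for value, regs in ((0x700, (0, 0, 0, 0)), (0x400, (0, 0, 0, 0)),
                        (0xD30705, (0x401000, 0x402000, 0, 0))):
        print("\n".join(describe(value, regs)))
```

The decoder separates the two things the trick conflates: whether SoftICE's loader left its LE/GE mark, and whether any BPM is actually armed. A checker that only compares DR7 against 0x700 misses breakpoints set after the program started, while decoding the slot bits catches them regardless of how the debugger was launched.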
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* a successful open of the \\.\SICE device means the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

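Most of the tricks described so far leave fixed byte sequences in the executable: the 'BCHK' immediate of method 01, the 4647h/4A4Dh pair of method 02, the 1684h and VxD-ID loads of 03/04, the 4Fh / int 41h / 0F386h triple of 05, the int 68h call of 07, the \\.\SICE-style device names of 11, the 002A002Ah push of 12 and the NuMega\SoftICE registry path of 13. The scanner below is an added Python example covering those methods, not code from the original write-up: the signature table, its encodings (the standard 16-bit forms of the instructions each method lists, so a 32-bit build that prefixes the 16-bit register moves with 66h needs extra patterns) and the hand-assembled sample image are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature table (mine, not from the write-up). Each entry holds the
# method number used in the text, a label, and a regex over raw bytes. Encodings
# are the standard 16-bit forms of the listed instructions; '.{0,N}' leaves room
# for a few interleaved instructions between the immediates and the call.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,4243484Bh ('BCHK', little-endian in the file) ... int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),
    ("02", "mov si,4647h / mov di,4A4Dh back door magic ... int 3",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc"),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh",
     rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    ("05", "mov ax,4Fh ... int 41h ... cmp ax,0F386h",
     rb"\xb8\x4f\x00.{0,16}\xcd\x41.{0,16}\x3d\x86\xf3"),
    ("07", "mov ah,43h ... int 68h",
     rb"\xb4\x43.{0,8}\xcd\x68"),
    ("11", "MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh ... push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6a\x4f.{0,8}\x68\x2a\x00\x2a\x00"),
    ("13", "registry path naming the SoftICE installation",
     rb"NuMega\\SoftICE"),
]


def scan(image: bytes) -> Dict[str, List[int]]:
    """Map each method number to the file offsets where its pattern occurs."""
    hits: Dict[str, List[int]] = {}
    for method, _label, pattern in SIGNATURES:
        # DOTALL so the wildcard windows also cross a 0x0A byte
        offsets = [m.start() for m in re.finditer(pattern, image, re.DOTALL)]
        if offsets:
            hits[method] = offsets
    return hits


def report(image: bytes) -> List[str]:
    """One line per hit, e.g. '0x0013 method 02: mov si,4647h ...'."""
    labels = {m: label for m, label, _ in SIGNATURES}
    return [f"0x{off:04x} method {m}: {labels[m]}"
            for m, offs in sorted(scan(image).items()) for off in offs]


def assemble_sample() -> bytes:
    """Constructed test image (not taken from any real program): hand-assembled
    16-bit encodings of tricks 02 and 05 plus the MeltICE device string, in NOP filler."""
    filler = b"\x90" * 16
    m02 = (b"\xb8\x11\x09"      # mov ax,0911h
           b"\xbe\x47\x46"      # mov si,4647h
           b"\xbf\x4d\x4a"      # mov di,4A4Dh
           b"\xcc")             # int 3
    m05 = (b"\xb8\x4f\x00"      # mov ax,4Fh
           b"\xcd\x41"          # int 41h
           b"\x3d\x86\xf3"      # cmp ax,0F386h
           b"\x74\x05")         # jz short +5
    m11 = b"\\\\.\\SICE\x00"    # the C string "\\\\.\\SICE" as it sits in the binary
    return filler + m02 + filler + m05 + filler + m11 + filler


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else assemble_sample()
    print("\n".join(report(data)) or "no known anti-SoftICE patterns")
```

Run it as `python scanner.py file.exe`; without an argument it scans the built-in sample, which reports methods 02, 05 and 11 at offsets 0x13, 0x2a and 0x44. Treat hits as a triage signal rather than proof: a packer's decompression stub can carry the same constants, and the wildcard windows are deliberately short to keep false positives down.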
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>