<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 so that es:[41h*4] addresses the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install a dummy int 41h handler, keeping the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; a resident system debugger still answers with 0F386h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; the dummy handler just copies al into cl
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer: a value that cannot be predicted
 xor cx,cx
 int 41h ; if SoftICE answers instead of our handler, cl stays 0
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
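
The following decoder is an added example, written in Python for this page and not part of the original text or of any SoftICE tool. It splits a DR7 value into its architectural fields (bit positions per the Intel SDM, vol. 3, "Debug Registers") and lists which of dr0..dr3 are armed, so the 0x700 versus 0x400 observation above and any BPM-style memory breakpoint become visible. The classify() heuristic only restates what the text reports; the sample register values are constructed.

```python
# Added example (not part of the original text): decode the DR7 value that
# Method 10 reads so the 0x700 / 0x400 distinction and any armed hardware
# breakpoints are visible at a glance. Bit layout per the Intel SDM, vol. 3,
# "Debug Registers": L0..L3/G0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10
# reserved (reads as 1), GD bit 13, R/Wn at bits 16+4n, LENn at bits 18+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN=10b (8 bytes) only exists in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named fields (one dict per breakpoint slot)."""
    slots = []
    for n in range(4):
        slots.append({
            "index": n,
            "local": bool((dr7 >> (2 * n)) & 1),
            "global": bool((dr7 >> (2 * n + 1)) & 1),
            "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def active_breakpoints(dr7: int, dr0_3) -> list:
    """(address, kind, length) for every slot that is enabled locally or globally."""
    return [(dr0_3[s["index"]], s["kind"], s["length"])
            for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]


def classify(dr7: int, dr0_3) -> str:
    """Apply the observation stated in Method 10: 0x700 (LE+GE set) is what the
    text reports when the target was loaded with the SoftICE loader, 0x400 is the
    bare reserved bit, and any enabled slot means a BPM / hardware breakpoint."""
    if active_breakpoints(dr7, dr0_3):
        return "hardware breakpoint(s) armed"
    fields = decode_dr7(dr7)
    if fields["LE"] and fields["GE"]:
        return "LE/GE set (the 0x700 pattern)"
    return "no breakpoints (reserved bit only)"


if __name__ == "__main__":
    # Constructed sample values: an address in dr0 with slot 0 armed for a 4-byte
    # read/write watch, which is what a BPM-style memory breakpoint looks like.
    sample_dr7 = 0x400 | 0x1 | (3 << 16) | (3 << 18)
    for value in (0x700, 0x400, sample_dr7):
        print(hex(value), classify(value, [0x401000, 0, 0, 0]))
```

Reading the registers themselves requires ring0, as the text says; the decoder is what you run on values captured from a driver, a VM introspection hook or a crash dump.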

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the VxD by its device name only succeeds when the driver is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
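
The breakpoints above catch each trick live under SoftICE. A complementary, static check is to look for the same instruction sequences in the file before running it. The scanner below is an added example written for this page (not from the original text or from any of the tools named here): it encodes the sequences quoted in Methods 01-07 and 12, plus the driver device names of Method 11, as byte patterns and reports where they occur. The opcode encodings are taken from the Intel opcode map (16-bit operand size for the DOS sequences, 32-bit for the Win32 ones); the small wildcard gaps that allow for interleaved instructions are an assumption, and the sample buffer is constructed.

```python
import re

# Added example (not part of the original text): a byte-pattern scanner that
# flags the anti-SoftICE instruction sequences quoted above (Methods 01-07 and
# 12) and the driver device names of Method 11 in a raw binary, so an analyst
# can see which tricks a sample carries before running it. Encodings assumed
# from the Intel opcode map: 16-bit operand size for the DOS sequences, 32-bit
# for the Win32 ones; the small wildcard gaps allow for interleaved instructions.
PATTERNS = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    ("M01 BoundsChecker int 3", re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) ahead of the int 3
    ("M02 backdoor magic SI/DI", re.compile(
        rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46).{0,16}?\xCC",
        re.DOTALL)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/04 int 2F/1684 VxD ID", re.compile(
        rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("M05/06 int 41 fn 4F", re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68 fn 43", re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

# Method 11: the device names handed to CreateFileA / _lopen, ASCII and UTF-16.
for _name in (b"SICE", b"SIWVID", b"NTICE"):
    _dev = b"\\\\.\\" + _name
    PATTERNS.append(("M11 driver name " + _name.decode(), re.compile(re.escape(_dev))))
    PATTERNS.append(("M11 driver name " + _name.decode() + " (UTF-16)",
                     re.compile(re.escape(_dev.decode().encode("utf-16-le")))))


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every pattern occurrence, ordered by offset."""
    hits = []
    for label, rx in PATTERNS:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample buffer (not from any real binary): filler, then one
# instance each of Methods 01, 03 and 12 and the \\.\SICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # offset 4
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # offset 19
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                        # offset 27
    + b"\\\\.\\SICE\x00"                                     # offset 34
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it over the unpacked image rather than the packed file: most of the sequences live in the decryptor stub or in code that is only present after unpacking, and a packer is free to reorder or split them, which is why the patterns tolerate short gaps rather than demanding exact adjacency.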

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>