<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It probes the BoundsChecker interface that SoftICE answers on INT 3: with
EBP='BCHK' and AX=4, SoftICE's INT 3 handler changes AL, so if AL is still 4
after the interrupt, no SoftICE was there to answer.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands' on INT 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, the hard-reboot command, for instance) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler installed by the
  program, taken when no debugger is loaded to answer the INT 3.
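Both INT 3 tricks above leave a fixed byte pattern in the executable, so they
can be found statically before running anything under SoftICE. The C scanner
below is an added example written for this page; it is not code from the
original tutorial, from HASP or from NuMega. It looks for an INT 3 (CCh, or
the long form CDh 03h) preceded within 16 bytes by the loads of the
BoundsChecker magic ('BCHK' into EBP, Method 01) or of the back-door magic
(4647h into SI and 4A4Dh into DI, Method 02), and reports the AX function
requested. The sample bytes are a constructed re-encoding of Method 01 and of
the HASP loop from Method 02, followed by plain CCh alignment padding that must
not be reported. The 16-byte window, and the rule that a window never reaches
back past an earlier INT 3, are assumptions chosen to keep padding bytes from
matching; a packer that loads the registers some other way (PUSH/POP, XOR
tricks) will be missed by this signature.

```c
/* softice_int3_scan.c: static scan for the SoftICE INT 3 back-door patterns */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t   offset;  /* file offset of the INT 3 opcode */
    char     kind;    /* 'B' = BoundsChecker 'BCHK' probe, 'D' = FG/JM back door */
    unsigned ax;      /* immediate loaded into AX before the INT 3, 0xFFFF if none */
} si_hit;

/* Index of the last occurrence of pat[0..m) inside win[0..n), or -1. */
static long find_last(const uint8_t *win, size_t n, const uint8_t *pat, size_t m)
{
    if (n < m) return -1;
    for (size_t i = n - m + 1; i-- > 0; ) {
        size_t k = 0;
        while (k < m && win[i + k] == pat[k]) k++;
        if (k == m) return (long)i;
    }
    return -1;
}

/* Scan buf for INT 3 instructions whose preceding bytes load the SoftICE
 * magic values.  Returns the total number of hits; at most max_hits are stored. */
size_t scan_softice_int3(const uint8_t *buf, size_t len, si_hit *hits, size_t max_hits)
{
    static const uint8_t bchk[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,'BCHK' (66h prefix optional) */
    static const uint8_t si_fg[] = { 0xBE, 0x47, 0x46 };             /* mov si,4647h */
    static const uint8_t di_jm[] = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh */
    const size_t back = 16;           /* assumption: register loads sit at most 16 bytes before INT 3 */
    size_t nhits = 0, last_int3 = 0;
    int have_prev = 0;

    for (size_t i = 0; i < len; i++) {
        size_t ilen;
        if (buf[i] == 0xCC)                                          ilen = 1;
        else if (buf[i] == 0xCD && i + 1 < len && buf[i + 1] == 0x03) ilen = 2;
        else continue;

        /* window of bytes before this INT 3, never reaching across an earlier INT 3 */
        size_t start = i > back ? i - back : 0;
        if (have_prev && last_int3 + 1 > start) start = last_int3 + 1;
        const uint8_t *win = buf + start;
        size_t n = i - start;

        char kind = 0;
        if (find_last(win, n, bchk, sizeof bchk) >= 0)
            kind = 'B';
        else if (find_last(win, n, si_fg, sizeof si_fg) >= 0 &&
                 find_last(win, n, di_jm, sizeof di_jm) >= 0)
            kind = 'D';

        if (kind) {
            unsigned ax = 0xFFFF;
            for (size_t j = n; j-- > 0; )            /* last "mov ax, imm16" (B8 lo hi) */
                if (win[j] == 0xB8 && j + 2 < n) { ax = win[j + 1] | (win[j + 2] << 8); break; }
            if (nhits < max_hits) { hits[nhits].offset = i; hits[nhits].kind = kind; hits[nhits].ax = ax; }
            nhits++;
        }
        last_int3 = i + ilen - 1;
        have_prev = 1;
        i += ilen - 1;
    }
    return nhits;
}

/* Constructed sample: Method 01, then the HASP loop of Method 02, then padding. */
const uint8_t sample_code[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42,   /* mov ebp, 4243484Bh ('BCHK')        */
    0xB8,0x04,0x00,                  /* mov ax, 4                           */
    0xCC,                            /* int 3           (offset 9)          */
    0x3C,0x04, 0x75,0x20,            /* cmp al,4 / jnz SoftICE_Detected     */
    0xB8,0x11,0x09,                  /* mov ax, 0911h (execute command)     */
    0x8B,0x17,                       /* mov dx, [bx]                        */
    0xBE,0x47,0x46,                  /* mov si, 4647h ('FG')                */
    0xBF,0x4D,0x4A,                  /* mov di, 4A4Dh ('JM')                */
    0xCC,                            /* int 3           (offset 25)         */
    0x83,0xC3,0x02, 0x41,            /* add bx,2 / inc cx                   */
    0x83,0xF9,0x06, 0x72,0xEC,       /* cmp cx,6 / jb loop                  */
    0xCC,0xCC,0xCC,                  /* alignment padding: must NOT be reported */
    0x8B,0xDC,                       /* mov bx, sp                          */
};

int main(void)
{
    si_hit h[8];
    size_t n = scan_softice_int3(sample_code, sizeof sample_code, h, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: %s, AX=%04X\n", h[i].offset,
               h[i].kind == 'B' ? "BoundsChecker probe" : "SoftICE back door", h[i].ax);
    return 0;
}
```

Run it on a raw DOS executable or on the unpacked image of a packer stub; the
AX value tells you which back-door function (0910h..0914h) the stub is about to
request, which is exactly what you need to decide whether a BPINT 3 or a
patched `cmp al,4` is the right countermeasure.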
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded the
call returns ES:DI = 0000:0000, so a non-zero ES+DI means SoftICE is present.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily points the real-mode
int 41h vector at its own handler that does nothing but IRET (ES must be 0,
the IVT segment, as Method 06 sets explicitly), so on a clean machine AX comes
back unchanged; if AX is still 0F386h, something ahead of the IVT (SoftICE's
V86 hook) answered the call:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]          ; swap in our own int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]          ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no 4Fh/0F386h to look for. The handler copies AL into CL; AL holds a
pseudo-random byte read from the timer port (40h) and CX is cleared before the
call. If SoftICE intercepts int 41h the handler never runs, CL stays 0 and
differs from AL (a false negative only when the timer byte happens to be 0):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                    ; ES = 0 (IVT)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                   ; timer channel 0: "random" AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
returns the same 0F386h magic number when a debugger is installed.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                  ; set interrupt vector
        mov al, 01h                  ; or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID           ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name         ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx               ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value. Reading or writing DRx (MOV from/to a debug register) is a privileged
instruction and faults at ring3, so this only works from ring0. Values can be
manipulated or changed as well (clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        /* the device opened, so the SICE VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025             ; "\\.\SICE"
0040106C:  call CreateFileA
00401071:  cmp eax,-1                 ; INVALID_HANDLE_VALUE
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

        push 00                      ; OF_READ
        mov eax,[00656634]           ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                      ; -1 (HFILE_ERROR) becomes 0
        jnz 00650589                 ; detected
        push 00                      ; OF_READ
        mov eax,[00656638]           ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh               ; function 4fh
        push 002a002ah               ; high word specifies which VxD (VWIN32),
                                     ; low word specifies which service
                                     ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001        ; VxDCall
        cmp ax, 0f386h               ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" inside the #2 and #1 subkey strings):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only). The zero flag is set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>