<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911        ; execute command.
        4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647        ; 1st magic value.
        4C19:009D MOV DI,4A4D        ; 2nd magic value.
        4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
        4C19:00A8 JB 0095            ; 6 different commands.
        4C19:00AA JMP 0002           ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 (interrupt vector table segment), as set up in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]    ; keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h               ; timer port: an unpredictable value in al
        xor cx,cx
        int 41h                  ; our handler copies al into cl...
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                ; ...unless SoftICE has taken over int 41h
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32)
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxdCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
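
As an added example that is not part of the original text: a small Python triage scanner that searches a binary for the byte patterns the tricks above leave behind (Methods 01 to 05, 07, 11, 12 and 13), so an analyst can flag SoftICE-detection code in a sample without running it. The byte encodings are assumptions about how an assembler typically emits the listings, and the sample bytes are constructed.

```python
import re
import sys

# Signature table: (label, compiled regex over raw bytes). Encodings are assumed
# from how an assembler emits the listings above; the optional \x66 operand-size
# prefix lets the 16-bit sequences also match when assembled as 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') ... int 3
    ("m01_boundschecker_bchk", re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    ("m02_backdoor_magic",
     re.compile(rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a(?:\xcc|\xcd\x03)")),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7a5Fh / int 2Fh
    ("m03_m04_int2f_vxd_id",
     re.compile(rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f")),
    # Method 05: mov ax,4fh / int 41h
    ("m05_int41_4f", re.compile(rb"\x66?\xb8\x4f\x00\xcd\x41")),
    # Method 07: mov ah,43h / int 68h
    ("m07_int68_43", re.compile(rb"\xb4\x43\xcd\x68")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("m11_meltice_device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4fh / push 002a002ah ahead of the VxDCall
    ("m12_vxdcall_int41dispatch",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
    # Method 13: registry keys that reveal the SoftICE install directory
    ("m13_registry_key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"
                rb"|App Paths\\Loader32\.Exe", re.IGNORECASE)),
]

def scan(data):
    """Return sorted (offset, label) pairs for every signature hit in data."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)

def scan_file(path):
    """Scan a file on disk; same (offset, label) list as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())

# Constructed sample (not from any real binary): a 16-bit Method 05 check,
# a MeltICE device name, then the Method 01 'BCHK' constant, NOP-padded.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"      # mov ax,4fh / int 41h
    + b"\x3d\x86\xf3"              # cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0
    + b"\xbd\x4b\x48\x43\x42"      # mov ebp,04243484Bh
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for offset, label in (scan_file(target) if target else scan(SAMPLE)):
        print(f"0x{offset:08x}  {label}")
```

A hit only says the bytes are present; confirm in a disassembler that they sit on a real code path before treating the sample as anti-debug protected.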

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>