<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is still 4 if nobody handled the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call. (If SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; still 0:0 -> no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; still 0:0 -> no such VxD
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer value, different on every run
        xor cx, cx
        int 41h                 ; cl only becomes al if our handler really ran
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger Installation Check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
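As an added example (not part of the original text and not the author's code), here is a small Python triage scanner that looks in a binary for the byte-level signatures of the tricks described above: the 'BCHK' constant (Method 01), the SI/DI magic values (Method 02), the int 2Fh VxD ID lookups (Methods 03/04), the 0F386h compare (Methods 05/06/07/12), the MeltICE device names (Method 11) and the registry key (Method 13). The sample bytes are constructed, and the patterns are heuristics over plain x86 encodings, so packed or obfuscated code will need unpacking first.

```python
import re

# Byte-level signatures for the SoftICE detection tricks described above.
# They match the x86 encodings of the literal constants each method uses and
# are triage heuristics, not a disassembler.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') followed by int 3 (CC) within 8 bytes
    ("BCHK BoundsChecker check (Method 01)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h (BE 47 46) ... mov di,4A4Dh (BF 4D 4A)
    ("back door magic SI/DI (Method 02)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov bx,0202h or 7A5Fh (BB imm16) ... int 2Fh (CD 2F)
    ("int 2Fh/1684h VxD ID lookup (Methods 03/04)",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Methods 05/06/07/12: cmp ax,0F386h (3D 86 F3, with or without a 66h prefix)
    ("0F386h debugger magic compare (Methods 05/06/07/12)",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("SoftICE device name (Method 11)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry key of the SoftICE installation
    ("SoftICE registry key (Method 13)",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(data):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk (e.g. an unpacked executable) and return its hits."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not taken from any real binary): the Method 01 sequence
# as 32-bit code, a MeltICE-style device name, and a Method 05-style compare.
SAMPLE = (
    b"\xBD\x4B\x48\x43\x42"    # mov ebp, 04243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"      # mov ax, 04h
    + b"\xCC"                  # int 3
    + b"\x3C\x04"              # cmp al, 4
    + b"\x75\x10"              # jnz SoftICE_Detected
    + b"\x90" * 8              # padding
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
    + b"\x90" * 4              # padding
    + b"\x66\x3D\x86\xF3"      # cmp ax, 0F386h
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```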
</PRE></TD></TR></TBODY></TABLE>