<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI == 0000:0000 means no such VxD
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es is assumed to be 0 here (see Method 06)
 xchg bx, es:[41h*4+2] ; install our own int 41h handler, keep the old one in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; only a debugger sitting above the vector answers 0F386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler just echoes al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; a changing value (timer port) so the result cannot be guessed
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; if a debugger answered instead of our handler, cl != al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler (ds must hold its segment)
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
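To make the two dr7 values quoted above concrete, here is an added example (not part of the original text) that decodes a DR7 value using the standard x86 bit layout: L0..G3 enable bits, R/Wn and LENn fields, and the LE/GE bits that make up the difference between 0x400 (clean default, only the always-set reserved bit 10) and 0x700. The value is assumed to have already been read from the register in ring0 as the text describes; the constructed value DR7_BPM_SLOT0 is an example of a 4-byte read/write breakpoint armed in slot 0.

```python
# Added example (not from the original text): decode the DR7 debug-control
# register that the Method 10 trick reads, to see what 0x400 vs 0x700 and an
# armed hardware breakpoint look like. Bit layout is the standard x86 DR7 layout.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots (dr0..dr3) and the global flags in dr7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln bit: local enable for slot n
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn bit: global enable for slot n
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3  # R/Wn: break condition
            ln = (dr7 >> (18 + 4 * n)) & 3  # LENn: monitored size
            bps.append({"slot": n, "local": bool(local), "global": bool(glob),
                        "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "breakpoints": bps,
        "LE": bool(dr7 & 0x100),              # bit 8, local exact breakpoint enable
        "GE": bool(dr7 & 0x200),              # bit 9, global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # always reads as 1
        "GD": bool(dr7 & 0x2000),             # bit 13, general detect (traps DRx access)
    }


def looks_like_debugger(dr7: int) -> bool:
    """The page's heuristic: 0x400 is the clean default; 0x700 (LE|GE set) or any
    enabled slot (a BPM) suggests SoftICE or one of its breakpoints."""
    info = decode_dr7(dr7)
    return info["LE"] or info["GE"] or bool(info["breakpoints"])


# Constructed values: the two dr7 values quoted in the text, plus a dr7 with a
# 4-byte read/write breakpoint armed in slot 0 (L0=1, R/W0=11b, LEN0=11b).
DR7_CLEAN = 0x400
DR7_LOADER = 0x700
DR7_BPM_SLOT0 = 0x400 | 0x1 | 0x30000 | 0xC0000   # = 0xF0401

if __name__ == "__main__":
    for label, v in (("clean", DR7_CLEAN), ("loader", DR7_LOADER), ("bpm", DR7_BPM_SLOT0)):
        print(label, hex(v), looks_like_debugger(v), decode_dr7(v)["breakpoints"])
```

Decoding the register this way also shows why the trick can be neutralised from the debugger side: an armed BPM is visible in dr7 as an enabled slot, which is exactly what the text means by "clearing BPMs".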

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* Opening the driver's device name only succeeds if the VxD is loaded. */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

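Methods 01 to 07, 11 and 12 above all boil down to short, fixed instruction or string sequences, so an analyst can find them statically before ever running the program. The following is an added example (not from the original text or from any of the tools it names): a Python scanner that searches a raw byte buffer for those sequences. The opcode encodings (for instance BD imm32 for mov ebp,imm32; BE/BF imm16 for mov si/di; CD nn for int) are assumed here from the standard x86 encoding, since the text shows mnemonics only; the SAMPLE buffer is constructed for the demonstration.

```python
# Added example (not from the original text): a static scanner for the byte
# patterns of the anti-SoftICE checks described in Methods 01-07, 11 and 12.
# Opcode encodings are standard 16/32-bit x86 (an assumption of this example;
# the text itself shows only assembly mnemonics, not bytes).
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (BD imm32 ... CC)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ... mov di,4A4Dh, the back-door magic values
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (optional 66h prefix)
    ("03/04 int 2Fh/1684h VxD id 0202h/7A5Fh",
     re.compile(rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened through CreateFileA or _lopen
    ("11 MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(buf: bytes):
    """Return [(method, offset), ...] for every signature hit in buf, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str):
    """Scan a file on disk (an unpacked executable, for instance) with scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffer: NOP filler with a Method 02 sequence, a Method 05
# sequence and a MeltICE device string embedded at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h   (offset 21)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h   (offset 36)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"         # "\\.\SICE",0   (offset 52)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  Method {name}")
```

The patterns are deliberately loose about what sits between the magic-value loads (`.{0,8}?`) because the Haspinst.exe listing shows a `mov dx,[bx]` in between; a packer that reorders the loads or computes the constants at run time will still slip past a byte scanner, which is why the SoftICE breakpoint conditions listed under each method remain the dynamic complement.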
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>