<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It probes the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 4, the INT 3 is answered by SoftICE and AL no longer
holds 4 on return. Without SoftICE nothing answers and AL is unchanged.

  mov ebp, 04243484Bh    ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on INT 3, which gives information about
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the back door functions:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE expects.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below)
4C19:009A  MOV  SI,4647      ; 1st magic value
4C19:009D  MOV  DI,4A4D      ; 2nd magic value
4C19:00A0  INT  3            ; back door call (if SoftICE is not loaded,
                             ; control ends up at 00AD *)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands
4C19:00AA  JMP  0002         ; Bad_Guy: jump back
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* The jump to 00ADh is taken through the program's own INT 3 exception
  handler when the debugger is not loaded: SoftICE is then not there to
  answer the INT 3 and return to 00A1h.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the entry point of the SoftICE VxD via
INT 2Fh/AX=1684h (Get VxD API entry point). If the VxD is not loaded,
ES:DI comes back as 0000:0000.

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h          ; VxD ID of WINICE (SICE)
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax            ; both zero => no entry point => not loaded
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7A5Fh          ; VxD ID of SIWVID
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls INT 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

  mov ax, 4Fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_Detected


The next variant, as well as the one in Method 06, are two examples taken
from Stone's "stn-wid.zip" (www.cracking.net). The real-mode INT 41h vector
is first replaced by a dummy handler that just IRETs, so that without a
system debugger AX comes back unchanged (4Fh); SoftICE intercepts INT 41h
before the vector is ever reached and answers 0F386h anyway:

  xor ax, ax
  mov es, ax             ; ES -> segment 0, where the real-mode IVT lives
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]    ; swap in our handler (and save the old vector)
  xchg bx, es:[41h*4+2]
  mov ax, 4Fh
  int 41h
  xchg dx, es:[41h*4]    ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0F386h
  jz SoftICE_Detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot because
neither the function number 4Fh nor the magic value 0F386h appears:

int41handler PROC
  mov cl, al             ; only runs if nobody else handles INT 41h
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax             ; ES -> segment 0 (real-mode IVT)
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]    ; install our handler, saving the old vector
  xchg bx, es:[41h*4+2]
  in al, 40h             ; unpredictable value from the PIT counter
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]    ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl, al
  jnz SoftICE_Detected

The value read from port 40h (the timer counter) is used as the INT 41h
function number, so there is no constant to set a conditional breakpoint
on. If no system debugger is present, the program's own handler copies AL
into CL and the compare succeeds. If SoftICE intercepts INT 41h, the
handler is never reached, CL stays 0 and the trick fires (it only misses
when AL happens to read as 0).

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit application like this:

  BPX exec_int if ax==68

   (for 32-bit apps the interrupt being called is at byte ptr [ebp+1Dh]
   and the client EIP is at [ebp+48h])

__________________________________________________________________________

Method 08
=========

Not a way of detecting SoftICE but a way of crashing the system, by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...).

  mov ah, 25h                      ; DOS: set interrupt vector
  mov al, Int_Number               ; 01h or 03h
  mov dx, offset New_Int_Routine   ; DS:DX -> new handler
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring 3 application using
VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

  mov eax, Device_ID     ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
  mov edi, Device_Name   ; only used when there is no VxD ID (useless here ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ECX = DDB, or 0 if the VxD is not installed

Note that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you started the program
with the SoftICE loader, 0x400 otherwise) and whether memory breakpoints
(BPMs) are set in DR0 to DR3, simply by reading their value. The debug
registers are only accessible in ring 0. Their values can also be
manipulated or changed (clearing BPMs, for instance).

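Method 10 only says what DR7 looks like. The following C program is an added
example, not part of the original text: it decodes a DR7 value according to
the Intel SDM bit layout so the two signals the page relies on can be told
apart, the LE/GE bits (0x700 versus 0x400) that betray the SoftICE loader,
and the L0..L3/G0..G3 enable bits that betray an armed BPM, together with the
access type and length of each slot. Reading the real register is a ring 0
operation (MOV EAX, DR7) that this example does not perform; the three DR7
values it decodes are constructed for the demo.

```c
/* Added example (not from the original text): decode a DR7 value per the
 * Intel SDM bit layout, to separate the two signals Method 10 relies on:
 * LE/GE (0x700 vs 0x400) and armed DR0..DR3 slots. Reading DR7 itself is a
 * ring 0 operation (MOV EAX, DR7); the values below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hw_bp {
    int enabled;      /* L or G bit set for this slot */
    int global;       /* G bit: breakpoint survives task switches */
    const char *type; /* access that triggers it */
    int length;       /* bytes covered */
};

struct dr7_info {
    int le, ge, gd;   /* bit 8 local exact, bit 9 global exact, bit 13 general detect */
    int n_enabled;    /* how many of DR0..DR3 are armed */
    struct hw_bp bp[4];
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    static const char *rw_names[]  = { "exec", "write", "io", "read/write" };
    static const int   len_bytes[] = { 1, 2, 8, 4 }; /* LEN=10b is 8 bytes on 64-bit only */
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;        /* L0..L3: bits 0,2,4,6 */
        int global = (dr7 >> (2 * i + 1)) & 1;    /* G0..G3: bits 1,3,5,7 */
        unsigned rw  = (dr7 >> (16 + 4 * i)) & 3; /* R/W0..R/W3 */
        unsigned len = (dr7 >> (18 + 4 * i)) & 3; /* LEN0..LEN3 */
        info.bp[i].enabled = local | global;
        info.bp[i].global  = global;
        info.bp[i].type    = rw_names[rw];
        info.bp[i].length  = len_bytes[len];
        info.n_enabled    += info.bp[i].enabled;
    }
    return info;
}

/* Convenience accessor for one slot. */
struct hw_bp dr7_slot(uint32_t dr7, int slot)
{
    struct dr7_info info = decode_dr7(dr7);
    return info.bp[slot & 3];
}

/* The verdict a Method 10 check draws from the page's figures: LE and GE both
 * set (0x700) means the target was started from the SoftICE loader, and any
 * armed slot means a BPM is set. 0x400 alone (just the always-1 bit 10) is
 * inconclusive: it only says the loader was not used. */
int softice_suspected(uint32_t dr7)
{
    struct dr7_info info = decode_dr7(dr7);
    return (info.le && info.ge) || info.n_enabled > 0;
}

int main(void)
{
    /* constructed: 0x400 nothing; 0x700 loader signature; 0x000F0701 DR0
       armed as a 4-byte read/write BPM on top of the loader signature */
    const uint32_t samples[] = { 0x00000400u, 0x00000700u, 0x000F0701u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info = decode_dr7(samples[i]);
        printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d -> %s\n", (unsigned)samples[i],
               info.le, info.ge, info.gd, info.n_enabled,
               softice_suspected(samples[i]) ? "debugger suspected" : "clean");
        for (int s = 0; s < 4; s++)
            if (info.bp[s].enabled)
                printf("  DR%d: %s, %d byte(s)%s\n", s, info.bp[s].type,
                       info.bp[s].length, info.bp[s].global ? " (global)" : "");
    }
    return 0;
}
```

The heuristic inherits the page's own caveat: a DR7 of 0x400 only says the
program was not started from the SoftICE loader, not that SoftICE is absent,
so a protection relying on Method 10 alone misses a debugger attached by
other means.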
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. It was however first used by NuMega
themselves, to let Symbol Loader check whether SoftICE is active or not
(the code is inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID on Win9x, NTICE on WinNT) with the CreateFileA
API. A driver that is not loaded cannot be opened, so a valid handle means
SoftICE is there.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
    HANDLE hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls CreateFileA, do not expect to intercept it with
an IFS hook: it will not work, no way! After the call to CreateFileA the
request goes through VWIN32 service 0x001F, _VWIN32_ReleaseWin32Mutex (via
Kernel32!ORD_0001, the VxDCall function), and then walks the DDB list until
it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch procedure (how on earth
could a shareware program load/unload a non-dynamically-loadable driver
such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow the
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push 00402025        ; "\\.\SICE"
  0040106C:  call CreateFileA
  00401071:  cmp  eax,-01         ; INVALID_HANDLE_VALUE?
  00401074:  je   00401091        ; yes -> not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-( ):
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                   ; OF_READ
  mov  eax,[00656634]       ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc  eax                  ; HFILE_ERROR (-1) becomes 0
  jnz  00650589             ; detected
  push 00                   ; OF_READ
  mov  eax,[00656638]       ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc  eax
  jz   006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but is very limited because it only works on Win95/98
(not NT), as it uses the VxDCall back door to reach VWIN32's INT 41h
dispatcher from ring 3. This detection was found in the Bleem demo.

  push 0000004Fh         ; function 4Fh
  push 002A002Ah         ; high word selects the VxD (002Ah = VWIN32),
                         ; low word the service (002Ah = VWIN32_Int41Dispatch)
  call Kernel32!ORD_0001 ; VxDCall
  cmp  ax, 0F386h        ; magic number returned by system debuggers
  jz   SoftICE_Detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

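Each of Methods 01 to 07 and 12 boils down to a fixed instruction sequence,
and Method 11 to a fixed device name, so a reverser can triage a binary for
them statically before tracing a single INT 3, INT 41h or INT 2Fh under
SoftICE. The following C program is an added example, not part of the
original text: it searches a buffer for the x86 encodings of the listings
above (without the optional 66h operand-size prefix, so both the 16-bit and
the 32-bit forms match) and for the "\\.\SICE", "\\.\SIWVID" and
"\\.\NTICE" device names. The two sample buffers are constructed for the
demo from the Haspinst.exe listing of Method 02 and the Method 12 listing;
in practice you feed it the unpacked image, since a packer only exposes
these sequences after its decryption stub has run.

```c
/* Added example (not from the original text): static scan for the SoftICE
 * detection sequences of Methods 01-07, 11 and 12. Byte patterns are the
 * x86 encodings of the listings above; the sample buffers are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sig_id {
    SIG_BCHK, SIG_FGJM, SIG_SICE_2F, SIG_SIWVID_2F, SIG_INT41_4F,
    SIG_INT68_43, SIG_VXDCALL_41, SIG_CMP_F386, SIG_DEV_SICE,
    SIG_DEV_SIWVID, SIG_DEV_NTICE, SIG_COUNT
};

struct sig { const char *name; const uint8_t *bytes; size_t len; };

static const uint8_t s_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh        (M01) */
static const uint8_t s_fgjm[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h/mov di,4A4Dh (M02) */
static const uint8_t s_sice2f[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* ax=1684h bx=0202h int 2Fh (M03) */
static const uint8_t s_siwv2f[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* ax=1684h bx=7A5Fh int 2Fh (M04) */
static const uint8_t s_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh / int 41h      (M05) */
static const uint8_t s_int68[]  = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h / int 68h      (M07) */
static const uint8_t s_vxd41[]  = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh / push 2A002Ah   (M12) */
static const uint8_t s_f386[]   = { 0x3D, 0x86, 0xF3 };                         /* cmp ax,0F386h       (M05/07/12) */
#define ARR(a) a, sizeof a
#define STR(s) (const uint8_t *)(s), sizeof(s) - 1

static const struct sig sigs[SIG_COUNT] = {
    [SIG_BCHK]       = { "M01 BoundsChecker 'BCHK' INT 3 probe",      ARR(s_bchk) },
    [SIG_FGJM]       = { "M02 INT 3 back door magic SI/DI",           ARR(s_fgjm) },
    [SIG_SICE_2F]    = { "M03 INT 2Fh/1684h for VxD 0202h (SICE)",    ARR(s_sice2f) },
    [SIG_SIWVID_2F]  = { "M04 INT 2Fh/1684h for VxD 7A5Fh (SIWVID)",  ARR(s_siwv2f) },
    [SIG_INT41_4F]   = { "M05 INT 41h/4Fh debugger check",            ARR(s_int41) },
    [SIG_INT68_43]   = { "M07 INT 68h/43h WinICE handler check",      ARR(s_int68) },
    [SIG_VXDCALL_41] = { "M12 VxDCall VWIN32_Int41Dispatch 4Fh",      ARR(s_vxd41) },
    [SIG_CMP_F386]   = { "cmp ax,0F386h (debugger magic number)",     ARR(s_f386) },
    [SIG_DEV_SICE]   = { "M11 device name \\\\.\\SICE",               STR("\\\\.\\SICE") },
    [SIG_DEV_SIWVID] = { "M11 device name \\\\.\\SIWVID",             STR("\\\\.\\SIWVID") },
    [SIG_DEV_NTICE]  = { "M11 device name \\\\.\\NTICE",              STR("\\\\.\\NTICE") },
};

/* Returns a bitmask with bit SIG_x set for every signature present in buf. */
unsigned scan_softice_sigs(const uint8_t *buf, size_t len)
{
    unsigned mask = 0;
    for (int s = 0; s < SIG_COUNT; s++) {
        size_t n = sigs[s].len;
        for (size_t i = 0; n <= len && i + n <= len; i++)
            if (memcmp(buf + i, sigs[s].bytes, n) == 0) { mask |= 1u << s; break; }
    }
    return mask;
}

/* Constructed from the Haspinst.exe listing of Method 02 (4C19:0095..00AA). */
static const uint8_t sample_haspinst[] = {
    0xB8, 0x11, 0x09,        /* mov ax,0911h */
    0x8B, 0x17,              /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,        /* mov si,4647h */
    0xBF, 0x4D, 0x4A,        /* mov di,4A4Dh */
    0xCC,                    /* int 3        */
    0x83, 0xC3, 0x02,        /* add bx,2     */
    0x41,                    /* inc cx       */
    0x83, 0xF9, 0x06,        /* cmp cx,6     */
    0x72, 0xEB,              /* jb 0095      */
};
/* Constructed 32-bit fragment: the Method 12 check followed by a MeltICE name. */
static const uint8_t sample_bleem_melt[] = {
    0x6A, 0x4F,                    /* push 4Fh                                */
    0x68, 0x2A, 0x00, 0x2A, 0x00,  /* push 2A002Ah                            */
    0xE8, 0x00, 0x00, 0x00, 0x00,  /* call Kernel32!ORD_0001 (rel32 left 0)   */
    0x66, 0x3D, 0x86, 0xF3,        /* cmp ax,0F386h (66h prefix in 32-bit code) */
    0x74, 0x00,                    /* jz SoftICE_Detected                     */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

int main(void)
{
    struct { const char *what; const uint8_t *buf; size_t len; } inputs[] = {
        { "Haspinst fragment",      sample_haspinst,   sizeof sample_haspinst },
        { "Bleem/MeltICE fragment", sample_bleem_melt, sizeof sample_bleem_melt },
    };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        unsigned mask = scan_softice_sigs(inputs[k].buf, inputs[k].len);
        printf("%s: %s\n", inputs[k].what, mask ? "SoftICE detection found" : "clean");
        for (int s = 0; s < SIG_COUNT; s++)
            if (mask & (1u << s)) printf("  %s\n", sigs[s].name);
    }
    return 0;
}
```

The scanner only knows the literal encodings shown on this page; Method 06
deliberately has no constant to match, and a protection that builds the
magic values with arithmetic instead of MOV immediates slips through, so
treat a clean result as "nothing obvious" rather than "nothing there".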
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
  (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE"
  in keys #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM service 'Test_Debug_Installed'. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

  VMMCall Test_Debug_Installed
  je not_installed       ; ZF set => no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>