<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to be 0 (IVT), see Method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

9 T7 H) f6 D" r1 k* [Method 06
( X$ g# I* E9 b: J+ }=========
3 f1 L/ t/ L! y, n2 p2 f0 [0 Q$ @5 ~ J. ` |5 D3 n
% ]: V* [3 ~0 X( v* }
2nd method similar to the preceding one but more difficult to detect:8 T C! G3 w: n8 |7 Y
$ L+ C+ y& r2 L3 u
* g$ [7 s9 y2 i& r( M7 c6 s
int41handler PROC) n8 j9 E' A# c$ d
mov cl,al7 D3 U7 m; U) g! a! A+ U- `- z
iret
% F3 d8 s* {0 vint41handler ENDP
" s8 N& T$ T$ ?- q) E$ v
, K: D5 _) ? w- X; y3 Y+ e S) A+ J0 c- Y- u* y7 U
xor ax,ax
4 r! b$ l0 K6 ?6 k% @ mov es,ax
) J; C- N0 d% E2 U/ k mov bx, cs
: h$ Y- }. T- H$ ~( C& M+ K! c lea dx, int41handler9 o$ q$ W8 N. ~6 z! m3 D9 u( x3 \
xchg dx, es:[41h*4]4 o t2 `5 b1 [6 K. y8 L4 {
xchg bx, es:[41h*4+2]4 L" F4 I8 B+ i( E
in al, 40h
# x+ F: [ {9 K xor cx,cx
3 r% r0 ~$ d4 c2 T+ t int 41h! R( p0 \' R+ P, b
xchg dx, es:[41h*4]/ }. S2 @- V. l! G
xchg bx, es:[41h*4+2]3 }) _" u; F' _; l+ b) t" K! f
cmp cl,al# Q5 z! B. h( b4 l) ], j! {' |! l
jnz SoftICE_detected
0 ]2 H7 N2 U' \1 `3 n; w; Y3 q! @8 \8 n
_________________________________________________________________________
( f3 o {4 k9 a @
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
$ i* }# v" @7 A2 [. Y0 E% J0 b# @8 J$ x6 JMethod 09
2 w. L. X- C9 ?=========
5 C- Y8 v! D( T+ I$ h% p+ K: U9 p- H- Z) t8 M0 ?
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# K9 U! J( C# N4 e" e) H* E3 {$ Iperformed in ring0 (VxD or a ring3 app using the VxdCall).
% G/ Z9 ?4 C/ M# {: F7 f9 c/ Y. tThe Get_DDB service is used to determine whether or not a VxD is installed
/ w2 B3 g8 A' N! _; ffor the specified device and returns a Device Description Block (in ecx) for
3 k# [3 N2 K" `, Wthat device if it is installed.
+ l/ L. Z9 \5 R9 q0 B( x9 {
9 f. ?; _ P9 {- W, v, [! O9 { {2 o mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID2 k9 |2 _7 O$ N
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) {0 D* ]2 G4 G. J5 ?" n7 }
VMMCall Get_DDB
. o2 T2 {9 G& W+ ` mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
3 i Z0 w0 E m1 g/ Y! b
; b x1 G7 T5 J S6 \Note as well that you can easily detect this method with SoftICE:8 y+ I. b8 E' Z$ v, o* v: ?" A
bpx Get_DDB if ax==0202 || ax==7a5fh
$ r# h1 z6 u/ |: e& U: M* q* z l/ N! k$ v5 Q( h5 S% _& R
__________________________________________________________________________( [+ a* w" f7 ^- c
1 F( S4 d9 i6 [1 a) n1 W
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device can only be opened if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32);
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

: ]/ ]) T. A9 B& u0 d" B0 MMethod 14
1 t) z `6 c- A# _=========
& O4 t/ q, i( m& V3 Z# e/ X% k3 k
7 d# f: _" o5 j* g! w9 ?& T, K* sA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ A" T* {( n* I; V2 B) {7 b- _
is to determines whether a debugger is running on your system (ring0 only).. E) c! ~$ S3 U7 I3 [: Z) v. w p
; b% Z* R; K H. Y. a! a
VMMCall Test_Debug_Installed
& k+ d% H: c% r* }2 ~& @# O je not_installed/ m- |5 d Z5 _1 Z
' K& t+ l& c# W/ { g# IThis service just checks a flag.
8 e6 D3 o7 q2 v' ~$ I# B</PRE></TD></TR></TBODY></TABLE> |
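Added example, not part of the original text: a small Python scanner that flags the byte patterns characteristic of Methods 01-05, 07, 10, 11, 12 and 13 in a raw code image, so an analyst can locate the checks before stepping into them. The instruction encodings and the allowed gaps between bytes are my assumptions about how the snippets above are typically assembled; a hit is a hint to inspect, not proof.

```python
import re

# (label, pattern over raw bytes). Encodings are assumptions about how the
# snippets above are usually assembled; .{0,N}? allows a few bytes of
# unrelated code between the distinctive immediates.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BCHK int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (16-bit, esi/edi or 66h-prefixed)
    ("M02 int 3 backdoor",
     re.compile(rb"\xBE\x47\x46(?:\x00\x00)?.{0,4}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2F/1684",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.S)),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("M05/06 int 41/4F",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68/43",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 10: mov r32,dr0..dr3 or dr7 (0F 21 /r with mod=11)
    ("M10 debug registers",
     re.compile(rb"\x0F\x21[\xC0-\xDF\xF8-\xFF]")),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall 2A002A/4F",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: SoftICE registry paths
    ("M13 registry path",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I)),
]


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = [(m.start(), label)
            for label, pat in SIGNATURES for m in pat.finditer(image)]
    return sorted(hits)


# Constructed sample image (not bytes from any real program): the Method 02
# HASP sequence, a dr7 read and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"       # mov ax,0911h
    + b"\x8B\x17"           # mov dx,[bx]
    + b"\xBE\x47\x46"       # mov si,4647h
    + b"\xBF\x4D\x4A"       # mov di,4A4Dh
    + b"\xCC"               # int 3
    + b"\x90" * 8
    + b"\x0F\x21\xF8"       # mov eax,dr7
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"   # '\\.\SICE',0
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```

Methods 06, 08, 09 and 14 are left out on purpose: their distinctive parts (handler addresses, VMM service numbers) are not fixed bytes in this text, and the SoftICE breakpoints listed above are the better way to catch them.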