<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh  ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911  ; execute command.
 4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647  ; 1st magic value.
 4C19:009D MOV DI,4A4D  ; 2nd magic value.
 4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
 4C19:00A8 JB 0095      ; 6 different commands.
 4C19:00AA JMP 0002     ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
dummy handler around the call (ES = 0 is assumed, as set in Method 06):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
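As an added example (not part of the original text), here is a small Python scanner that looks for the byte encodings of the magic constants behind Methods 01 through 07, so a raw code dump can be checked for these tricks offline. It assumes 16-bit code (as in the Haspinst.exe listing) except for the 32-bit 'mov ebp' of Method 01, and the sample bytes are constructed from the listings above.

```python
import re

# Byte encodings of the constants the tricks in Methods 01-07 rely on.
# Assumption: 16-bit code (as in the Haspinst.exe listing), except Method 01,
# whose 'mov ebp,imm32' is encoded as 32-bit code.  A lazy gap of a few
# bytes allows for instructions in between (Stone's xchg pairs in Method 05).
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' signature in ebp",
     rb"\xBD\x4B\x48\x43\x42"),                       # mov ebp,4243484Bh
    ("Method 02: SoftICE back door magic SI=4647h/DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),            # mov si / mov di
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02.{0,8}?\xCD\x2F"),    # mov ax / mov bx / int 2Fh
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h/4Fh check for magic 0F386h",
     rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3"),   # mov ax,4Fh / int 41h / cmp ax
    ("Method 07: int 68h/43h check for magic 0F386h",
     rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),        # mov ah,43h / int 68h / cmp ax
]

def scan(code):
    """Return sorted (offset, description) pairs for every signature found."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)

# Constructed sample: the Haspinst.exe loop from Method 02 (offsets 0095-00AD),
# then the simplest Method 05 check, then the Method 01 check, with NOP filler.
SAMPLE = bytes.fromhex(
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"         # mov ax,0911 .. int 3
    "83C302" "41" "83F906" "72EB" "E955FF" "8BDC"  # add bx,2 .. mov bx,sp
    "90909090"
    "B84F00" "CD41" "3D86F3" "7410"                # mov ax,4Fh / int 41h / cmp / jz
    "90909090"
    "BD4B484342" "66B80400" "CC" "3C04" "7510"     # mov ebp,'BCHK' .. jnz
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:04X}: {desc}")
```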

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number            ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
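As an added example (not part of the original text), the following Python decodes a DR7 value into its fields so the two values the page quotes can be read: 0x400 is only the reserved always-one bit 10, while 0x700 additionally has LE and GE (bits 8 and 9) set. The sample values are constructed; the classify() labels are this example's own, not the page's.

```python
# Bit layout of the x86 DR7 debug control register (Intel SDM vol. 3):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable of DR0..DR3
#   bit  8     LE, bit 9 GE    "exact" breakpoint enables (legacy, set by debuggers)
#   bit  10    reserved, always reads as 1
#   bit  13    GD              general detect: trap any MOV to/from a debug register
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3, two bits each per breakpoint
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes exists only in 64-bit mode

def decode_dr7(dr7):
    """Split DR7 into its named flags and the list of enabled breakpoints."""
    info = {"le": bool(dr7 >> 8 & 1), "ge": bool(dr7 >> 9 & 1),
            "gd": bool(dr7 >> 13 & 1), "breakpoints": []}
    for n in range(4):
        local, glob = dr7 >> (2 * n) & 1, dr7 >> (2 * n + 1) & 1
        if local or glob:
            info["breakpoints"].append({
                "reg": n, "scope": "global" if glob else "local",
                "kind": RW_KIND[dr7 >> (16 + 4 * n) & 3],
                "len": LEN_BYTES[dr7 >> (18 + 4 * n) & 3]})
    return info

def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """What the Method 10 check would conclude from DR0-DR3 and DR7:
    'bpm'    - hardware breakpoints are armed (BPM in SoftICE terms)
    'loader' - LE/GE set, the 0x700 the page reports under the SoftICE loader
    'clean'  - only the always-one bit 10 (0x400)"""
    info = decode_dr7(dr7)
    if info["breakpoints"] or any(dr0_3):
        return "bpm"
    if info["le"] and info["ge"]:
        return "loader"
    return "clean"

# Constructed values: the two DR7 states the page names, and a 4-byte write
# watchpoint armed on DR0 (L0 set, R/W0=write, LEN0=4) at a made-up address.
if __name__ == "__main__":
    for dr7, regs in ((0x400, (0,) * 4), (0x700, (0,) * 4),
                      (0x000D0401, (0x401000, 0, 0, 0))):
        print(hex(dr7), classify(dr7, regs), decode_dr7(dr7))
```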
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD 'SICE' as a device. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open only succeeds when the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________0 x( B& C0 T! @$ h
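As an added example (not from the original text), this Python models the conditional breakpoints proposed for Method 11 (BPX CreateFileA on esp->4+4) and Method 13 (BPX _regopenkey on esp->8+0x13 / +0x37) as the plain 4-byte comparisons SoftICE performs, and recomputes the 0x13/0x37 offsets from the registry paths the page lists. The call arguments are constructed; the function names are this example's own.

```python
# SoftICE evaluates *(p+n)=='ABCD' by comparing the 4 bytes at p+n with the
# literal, so each breakpoint condition reduces to a 4-byte window into the
# string argument the hooked API received.

def tag_at(arg, offset):
    """4-byte window at `offset` into a NUL-terminated ANSI string argument,
    as SoftICE's *(ptr+offset) would read it (shorter than 4 if past the end)."""
    data = arg.encode("ascii") + b"\0"
    return data[offset:offset + 4]

def meltice_condition(lpFileName):
    """Method 11: esp->4 is CreateFileA's first argument (lpFileName); the +4
    skips the \\.\ prefix, which is why the page compares 'SICE', 'SIWV'
    and 'NTIC'.  The compare is byte-exact, so another spelling or casing
    of the device name would not trigger this breakpoint."""
    return tag_at(lpFileName, 4) in (b"SICE", b"SIWV", b"NTIC")

def regopenkey_condition(lpSubKey):
    """Method 13: esp->8 is RegOpenKey's second argument (lpSubKey); 0x13 and
    0x37 are where 'tICE' sits in keys #2 and #1 when the whole subkey path
    is passed in a single call (a key opened piecewise would not match)."""
    return tag_at(lpSubKey, 0x13) == b"tICE" or tag_at(lpSubKey, 0x37) == b"tICE"

def derive_offsets(subkeys, needle="tICE"):
    """Recompute the magic offsets for a list of subkey paths (-1: not found)."""
    return {k: k.find(needle) for k in subkeys}

# Constructed arguments: the subkey parts of the three keys listed above
# (the HKEY_LOCAL_MACHINE root is the hKey argument, not part of the string)
# and a few CreateFileA file names.
REGKEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",        # #1
    "Software\\NuMega\\SoftICE",                                              # #2
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  # #3
]
FILENAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\SICE.TXT"]

if __name__ == "__main__":
    for name in FILENAMES:
        print(f"CreateFileA({name!r}) -> break: {meltice_condition(name)}")
    for key, off in derive_offsets(REGKEYS).items():
        print(f"{key}: 'tICE' at {off:#x} -> break: {regopenkey_condition(key)}")
```

The recomputed offsets confirm 0x37 for key #1 and 0x13 for key #2; key #3 contains no 'tICE' at all, so the breakpoint as written does not catch a program that only reads the Loader32.Exe App Paths entry.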

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>