About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP = 'BCHK' and
AH = 04h, SoftICE answers the int 3 itself and changes AL, so AL is still
04h only when SoftICE is absent.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker sub-function
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al, 4                  ; AL unchanged => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands (on int 3), which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): Windows returns the VxD's API entry point in ES:DI,
and ES:DI stays 0 if no VxD with that ID is loaded.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; AX = 0 only if ES = DI = 0
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; AX = 0 only if ES = DI = 0
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh                 ; function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic answer from a system debugger
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced by a
dummy handler (a plain IRET), so that without a debugger the call returns
with AX unchanged; the vector is restored right after the call:

    xor     ax, ax
    mov     es, ax                  ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method similar to the preceding one but more difficult to detect:
a random byte (read from the timer port) is passed in AL, the installed
handler copies it into CL, and the two are compared afterwards. If SoftICE
handles int 41h itself, the handler never runs, CL stays 0 and CL != AL.

int41handler PROC
    mov     cl,al                   ; only reached if no debugger took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; (false negative when AL happens to be 0)
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h                  ; int 68h/43h: installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
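As an added example (not part of the original text), the following Python decodes a DR7 value the way the ring0 check above would read it: which of DR0..DR3 are armed, with what condition and length, and whether the LE/GE bits that make up the quoted 0x700 are set. Bit positions are the documented x86 DR7 layout; reading DR7 itself needs ring 0 (MOV from a debug register is privileged), so the value is passed in as an integer. The 0x400 and 0x700 values are the two the text quotes; the 0xD0702 sample and the helper names are my own, constructed by arming one 4-byte global write breakpoint in DR0 on top of 0x700.

```python
# Added example (not from the original text): decode the x86 DR7 debug-control
# register to see what the "read the debug registers" check of method 10 can
# learn. Bit positions follow the Intel SDM; 0x400 and 0x700 are the two values
# the text quotes, and SAMPLE_BPM is constructed here as one armed BPM.

DR7_LE  = 1 << 8    # local exact breakpoint enable
DR7_GE  = 1 << 9    # global exact breakpoint enable
DR7_RES = 1 << 10   # reserved, always reads as 1 (hence the 0x400 baseline)
DR7_GD  = 1 << 13   # general detect: trap on any MOV to/from a debug register

RW_TYPES  = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 only valid in long mode
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Split DR7 into its four breakpoint slots plus the control bits."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln: bits 0,2,4,6
        glob  = (dr7 >> (2 * i + 1)) & 1      # Gn: bits 1,3,5,7
        rw    = (dr7 >> (16 + 4 * i)) & 0b11  # R/Wn: breakpoint condition
        ln    = (dr7 >> (18 + 4 * i)) & 0b11  # LENn: size of the watched range
        slots.append({
            "reg": "DR%d" % i,
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else "off"),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def armed_breakpoints(dr7):
    """Names of the DRn slots whose L or G enable bit is set."""
    return [s["reg"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7):
    """Verdict in the spirit of the text: armed BPMs first, then the LE/GE hint."""
    d = decode_dr7(dr7)
    armed = [s for s in d["slots"] if s["enabled"]]
    if armed:
        return "; ".join("%s: %s %s breakpoint, %d byte(s)"
                         % (s["reg"], s["scope"], s["type"], s["length"])
                         for s in armed)
    if d["le"] and d["ge"]:
        return "no BPM armed, but LE/GE set (the 0x700 pattern: loaded under a debugger)"
    return "clean (the 0x400 baseline: only the reserved bit)"


def arm_bpm(dr7, slot, rw, length, global_scope=True):
    """Return DR7 with one breakpoint armed in `slot` (used to build the sample)."""
    enable = 1 << (2 * slot + (1 if global_scope else 0))
    fields = (rw << (16 + 4 * slot)) | (LEN_CODES[length] << (18 + 4 * slot))
    return dr7 | enable | fields


def clear_bpms(dr7):
    """What an anti-debug routine does when it 'clears BPMs': drop the L/G
    enables and the R/W-LEN fields, keep the control bits (LE/GE/GD)."""
    return dr7 & ~(0xFF | 0xFFFF0000)


# Constructed sample: SoftICE-style baseline 0x700 plus a 4-byte global write
# breakpoint in DR0 (what a "BPM addr W" would leave behind) -> 0xD0702.
SAMPLE_BPM = arm_bpm(0x700, slot=0, rw=0b01, length=4)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM):
        print("DR7=%#07x -> %s" % (value, describe(value)))
    print("after clear_bpms: %#x" % clear_bpms(SAMPLE_BPM))
```

The LE/GE heuristic is exactly as weak as the text implies: it only distinguishes the two values quoted, and any ring0 code that writes DR7 (the program itself, or another driver) changes the answer, which is why the warning above says not to trace with BPMs set.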

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to on Win9x */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it gets through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag so that the
handle open succeeds, and SoftICE is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not detected

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SIWVID'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
      inside key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
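As an added example that is not part of the original text: the constants quoted in the methods above (the 'BCHK' immediate of method 01, the SI/DI magic values of method 02, the VxD IDs of methods 03/04, the int 41h/4Fh and int 68h/43h sequences of methods 05-07, the debug-register read of method 10, the device names of method 11, the VxDCall arguments of method 12 and the registry keys of method 13) are exactly what a triage scanner looks for in a packed binary. The Python below encodes them as byte-level signatures using the standard x86 opcode encodings and runs them over a sample blob hand-assembled inline from the same instructions; the blob, the signature list and the function names are mine, not from the original text or from any real packer. Methods 08, 09 and 14 are left out because the text gives no byte pattern or service number that would identify them.

```python
# Added example (not from the original text): byte-level signatures for the
# anti-SoftICE constants quoted in methods 01-07 and 10-13, run over a
# constructed sample blob. Opcode encodings are standard x86 (Intel SDM):
#   BD imm32 = mov ebp,imm32   BE/BF imm16 = mov si/di,imm16   B8/BB imm16 = mov ax/bx
#   B4 imm8 = mov ah,imm8      CD imm8 = int n   CC = int 3   6A/68 = push imm8/imm32
#   0F 21 /r = mov r32,DRn
import re

SIGNATURES = [
    ("01", "mov ebp,'BCHK' followed by int 3 (BoundsChecker interface)",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?(?:\xcc|\xcd\x03)"),
    ("02", "SI=4647h / DI=4A4Dh magic values (int 3 back door)",
     rb"\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"),
    ("05/06", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xb8\x4f\x00\xcd\x41"),
    ("07", "mov ah,43h / int 68h",
     rb"\xb4\x43\xcd\x68"),
    ("10", "mov r32,DRn (debug register read, ring0 only)",
     rb"\x0f\x21[\xc0-\xff]"),
    ("11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key (NuMega or Uninstall)",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Just the method numbers, in order of first appearance."""
    seen = []
    for _, method, _ in scan(blob):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample: padding plus hand-assembled fragments of methods 01, 02,
# 12, 11, 13 and 10, in that order. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xb8\x04\x00"                # mov ax, 4
    + b"\xcc"                            # int 3
    + b"\x3c\x04"                        # cmp al, 4
    + b"\x90" * 3
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh / push 002A002Ah
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                  # "\\.\SICE",0
    + b"Software\\NuMega\\SoftICE\x00"    # registry key #2
    + b"\x0f\x21\xf8"                    # mov eax, dr7
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("%#06x  method %-5s %s" % (offset, method, desc))
```

These are plain substring signatures, so they only catch code that keeps the constants in the clear; a packer that builds 'BCHK' or 4647h/4A4Dh at run time, or decrypts the "\\.\SICE" string just before the CreateFileA call, produces no hit. Treat a miss as "nothing obvious", never as "no anti-debug code".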
</PRE></TD></TR></TBODY></TABLE>