About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to hold 0 (the interrupt vector table segment),
    ; as set up explicitly in Method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; runs only if our vector was really used
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; hard-to-predict byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran;
    jnz     SoftICE_detected        ; otherwise SoftICE served the int itself

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
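As an added illustration of the Method 10 values (this code is not part of the original text), the following Python decoder splits a DR7 value into its fields: it shows that the page's 0x700 is 0x400 (the always-set reserved bit 10) plus the LE and GE bits, and that whether a BPM in dr0..dr3 is actually armed is decided by the enable bits in DR7, not by the address registers alone. The sample DR7/DR0 values are constructed; the bit layout follows the Intel SDM.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 hold the L/G
# enable pairs of breakpoints 0-3, bit 8 LE, bit 9 GE, bit 10 reserved (reads 1),
# bit 13 GD, and bits 16-31 hold the R/W and LEN fields (2 bits each) of
# breakpoints 0-3. The values decoded below are the ones the page quotes.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # 8 is the 64-bit meaning of LEN=10b


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its global flags and per-breakpoint fields."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "enabled": local or glob, "local": local,
                    "global": glob, "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "reserved_bit10": bool((dr7 >> 10) & 1), "GD": bool((dr7 >> 13) & 1)}


def active_bpms(dr7: int, dr0_3):
    """(index, address, type, length) of the breakpoints DR7 actually enables.
    dr0_3 is the tuple (DR0, DR1, DR2, DR3) read alongside DR7."""
    return [(bp["index"], dr0_3[bp["index"]], bp["type"], bp["len"])
            for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


def classify(dr7: int) -> str:
    """Map a DR7 value onto the three states the page distinguishes."""
    d = decode_dr7(dr7)
    if any(bp["enabled"] for bp in d["breakpoints"]):
        return "hardware breakpoint(s) enabled"
    if d["LE"] or d["GE"]:
        return "no breakpoints, LE/GE set (page's 0x700 'loaded via SoftICE loader')"
    return "no breakpoints, only reserved bit 10 (page's 0x400)"


# Constructed values: the page's two DR7 states plus one with a 4-byte
# read/write BPM on DR0 enabled globally (G0 | RW0=11b | LEN0=11b).
if __name__ == "__main__":
    for value in (0x400, 0x700, 0x400 | 0x2 | (3 << 16) | (3 << 18)):
        print(f"DR7={value:#x}: {classify(value)}")
        print("  armed BPMs:", active_bpms(value, (0x401000, 0, 0, 0)))
```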

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name is \\.\SICE; the open succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
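The breakpoints above find each trick while it executes; when triaging a packed file statically, the same tricks can be recognised from their byte patterns. The Python scanner below is an added example (not part of the original text) covering Methods 01 to 07, 11, 12 and 13: the opcode encodings are assumed from the instruction forms shown above (16-bit code for the int 3/2Fh/41h/68h probes, 32-bit code for the BCHK and VxDCall sequences), and the sample blob is constructed, not taken from any real binary.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above. The lazy
# wildcard `.{0,8}?` tolerates a few filler bytes between the key instructions
# but requires them in the order the page shows them. Method 08-10 and 14 have
# no fixed byte pattern worth matching (generic DOS calls / VMM services).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe: mov ebp,4243484Bh",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door with magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("03", "int 2Fh/1684h entry point of VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h entry point of VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "int 41h/4Fh debugger check compared with 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    ("07", "int 68h/43h (V86) WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "registry probe for the NuMega\\SoftICE key",
     re.compile(rb"NuMega\\SoftICE")),
]


def scan(blob: bytes):
    """Return (offset, method, description) hits sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Distinct method numbers hit, in page order."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: NOP filler with the page's Method 01, Method 02 (the HASP
# loop body), Method 05 and Method 11 sequences spliced in.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"  # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"  # the device name MeltICE hands to CreateFileA
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {method} - {desc}")
```

Instruction reordering (for example setting DI before SI in Method 02) defeats these ordered patterns, so treat a hit as a triage pointer to confirm in the debugger rather than as proof.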
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>