About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is 0:0 if the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 here (IVT), see method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our own handler leaves ax unchanged
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an arbitrary value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our own handler ran
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
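A decoder for the DR7 values quoted above, added here as an example that is not part of the original post. It explains what 0x400 and 0x700 mean bit by bit (bit 10 is reserved and always reads as 1; 0x700 additionally has LE and GE set) and which BPM slots are armed; the value itself must be obtained in ring0 as the text says, and the sample BPM value is constructed.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the local/global
# enable pairs for DR0..DR3, bit 8 LE, bit 9 GE, bit 10 is reserved and reads as 1,
# bit 13 GD, and bits 16-31 hold a 2-bit R/W type plus a 2-bit LEN per breakpoint.
RW_TYPES = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the enable flags and the armed breakpoint slots described by dr7."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "local": local, "global": glob,
                          "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "breakpoints": slots}


def looks_like_softice_loader(dr7):
    """The page's observation: 0x700 (LE and GE set) after the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x300) == 0x300


def describe(dr7):
    """Human-readable summary, e.g. for the two values quoted in Method 10."""
    d = decode_dr7(dr7)
    parts = [f"dr7={dr7:#x}", f"LE={int(d['LE'])}", f"GE={int(d['GE'])}"]
    for bp in d["breakpoints"]:
        scope = "local" if bp["local"] else "global"
        parts.append(f"DR{bp['slot']}: {scope} {bp['type']} len={bp['len']}")
    if not d["breakpoints"]:
        parts.append("no hardware breakpoints armed")
    return "; ".join(parts)


# Constructed DR7 for one local BPM on DR0, read/write, 4 bytes:
# L0 (bit 0) | RW0=11b (bits 16-17) | LEN0=11b (bits 18-19) | reserved bit 10.
BPM_DR0_RW4 = 0x1 | (0x3 << 16) | (0x3 << 18) | 0x400      # 0xF0401

if __name__ == "__main__":
    for v in (0x400, 0x700, BPM_DR0_RW4):
        print(describe(v))
```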

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);        /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
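The breakpoints above catch these tricks while the protected program runs; a defender looking at an unpacked binary can also find them statically. The scanner below is an added example, not part of the original post or of any packer: it searches a byte buffer for the encodings of the sequences shown in methods 01, 02, 03, 04, 05, 07, 11 and 12. The opcode bytes are my own transcription of those listings (16-bit form, with an optional 0x66 prefix for the 32-bit mov), and the sample buffer is constructed.

```python
import re
import sys

# Byte signatures for the SoftICE checks this page lists. Each pattern is the
# 16-bit encoding of the instructions shown in the text; the optional 0x66
# prefix also covers the 32-bit encoding of the same 'mov'.
SIGNATURES = {
    "Method 01: mov ebp,'BCHK' (BoundsChecker signature)":
        rb"(?:\x66)?\xbd\x4b\x48\x43\x42",
    "Method 02: mov si,4647h / mov di,4A4Dh (back door magic)":
        rb"\xbe\x47\x46\xbf\x4d\x4a",
    "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f",
    "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f",
    "Method 05: mov ax,4Fh / int 41h":
        rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    "Method 07: mov ah,43h / int 68h":
        rb"\xb4\x43\xcd\x68",
    "Method 11: MeltICE device name":
        b"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE")),
    "Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}
COMPILED = {desc: re.compile(pat) for desc, pat in SIGNATURES.items()}


def scan(data):
    """Return sorted (offset, description) pairs for every signature hit in data."""
    hits = []
    for desc, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: a few of the page's sequences glued together with NOPs.
SAMPLE = (
    b"\x90\x90"
    + b"\xb8\x4f\x00\xcd\x41"              # mov ax,4Fh / int 41h        (offset 2)
    + b"\x3d\x86\xf3"                      # cmp ax,0F386h
    + b"\x90\x90\x90"
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"      # mov si / mov di / int 3     (offset 13)
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0                (offset 20)
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # int 2Fh/1684h, bx=0202h     (offset 29)
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, desc in scan(data):
        print(f"{off:#010x}  {desc}")
```

Hits only say that the bytes are present; a packer may build these values at run time or use equivalent encodings, so treat the scan as a first pass before dynamic analysis with the breakpoints above.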
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.