About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
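As an added example (not part of the original text, nor code from any tool it names), here is a Python triage scanner that looks for the byte patterns these tricks leave in a binary, so an analyst can flag anti-SoftICE checks in a sample before stepping into it. The instruction encodings are assumed from the exact forms shown above, and the sample image is constructed.

```python
import re

# Signatures for the tricks catalogued above: (method number, description,
# regex over raw bytes). Opcode encodings are assumed from the x86 forms the
# text shows, immediates little-endian; strings come from methods 11 and 13.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' BoundsChecker signature",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh back-door magic values",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    ("03", "mov bx,0202h (SICE VxD ID) followed by int 2Fh",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "mov bx,7A5Fh (SIWVID VxD ID) followed by int 2Fh",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "mov ax,4Fh; int 41h debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h; int 68h WinICE V86 handler check",
     rb"\xB4\x43\xCD\x68"),
    ("11", "SoftICE driver device name for CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key",
     rb"(?i)(?:Uninstall|NuMega)\\SoftICE|App Paths\\Loader32\.Exe"),
]


def scan(image):
    """Return (method, description, offset) hits sorted by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        # DOTALL so the '.' gap in the two-instruction patterns also
        # matches 0x0A bytes.
        for match in re.finditer(pattern, image, re.DOTALL):
            hits.append((method, description, match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def methods_found(image):
    """Distinct method numbers (as numbered in the text) that occur."""
    return sorted({method for method, _, _ in scan(image)})


# Constructed sample image (not a real file): filler around the method 02
# sequence from Haspinst.exe, method 05's simplest variant and a method 11
# device-name string.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xB8\x11\x09"               # mov ax,0911h  (execute SIce command)
    + b"\x8B\x17"                   # mov dx,[bx]
    + b"\xBE\x47\x46"               # mov si,4647h  (1st magic value)
    + b"\xBF\x4D\x4A"               # mov di,4A4Dh  (2nd magic value)
    + b"\xCC"                       # int 3
    + b"\x90" * 6
    + b"\xB8\x4F\x00\xCD\x41"       # mov ax,4Fh; int 41h
    + b"\x3D\x86\xF3"               # cmp ax,0F386h
    + b"\x90" * 6
    + b"\\\\.\\SICE\x00"            # "\\.\SICE" as passed to CreateFileA
)

if __name__ == "__main__":
    for method, description, offset in scan(SAMPLE):
        print(f"method {method} at offset {offset:#06x}: {description}")
```

Run against a real sample, a hit only says the constant is present; confirm it in the disassembly, since a stray data word can also match a two-byte immediate.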