About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
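Added example (not part of the original post): a small Python scanner that flags the checks described above in a raw binary by their byte-level fingerprints, the kind of static triage an analyst runs on a sample before loading it under a debugger. The opcode bytes are hand-assembled from the post's listings (16-bit encodings for the DOS snippets, 32-bit for methods 11 and 12; method 01 matches with or without an operand-size prefix), and the sample buffer is constructed, not taken from any real packer.

```python
import re
from typing import List, Tuple

# (method number in the post, description, regex over raw bytes).  Encodings
# follow the listings above: 16-bit DOS code for methods 02-07, 32-bit Win32
# code for methods 11 and 12; method 01 matches with or without a 66h prefix.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,8}\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the back door magic values
    ("02", "int 3 back door, SI=4647h DI=4A4Dh",
     rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04", "int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05", "int 41h/4Fh debugger check, magic 0F386h",
     rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07", "int 68h/43h WinICE handler check",
     rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    ("11", "MeltICE driver handle probe",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah ; call Kernel32!ORD_0001
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

Hit = Tuple[int, str, str]  # (offset, method, description)


def scan(data: bytes) -> List[Hit]:
    """Return every fingerprint found in data, ordered by offset."""
    hits: List[Hit] = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: several of the post's checks behind four NOPs. These are
# hand-assembled bytes, not taken from any real packer.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # method 02 (Haspinst)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"  # method 04 (SIWVID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                  # method 11 strings
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<5} {desc}")
```

A hit only says the bytes are present; a packer can build the magic values at run time or split them across instructions, so treat a clean scan as "nothing obvious", not as "no anti-debug".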
/ J5 R2 e8 v8 f/ Q8 n, z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-6-18 12:59

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表