About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

SoftICE answers the BoundsChecker probe by changing AL, so AL still equal
to 4 after the INT 3 means no SoftICE.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

ES:DI comes back as 0000:0000 when no VxD with that ID is loaded, so a
nonzero sum means the SoftICE VxD is present.

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next variant, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to be 0 (the real-mode IVT), as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; point the int 41h vector at our IRET
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Swapping the int 41h vector for a bare IRET during the call removes whatever
real-mode handler was sitting in the IVT; SoftICE intercepts the interrupt
in ring 0 before the V86 vector is reached, so AX still comes back as 0F386h.

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The temporary handler just copies AL into CL. AL is loaded from the timer
(port 40h) so that the value is not predictable, CX is cleared, and int 41h
is issued without function 4Fh in AX. If nothing above the IVT intercepts the
interrupt, the handler runs and CL equals AL afterwards; the check relies on
SoftICE swallowing the interrupt instead of passing it down to the V86
vector, in which case CL stays 0 and differs from AL. Because neither 4Fh
nor 0F386h appears in the code, the breakpoints used against Method 05 do
not catch it (the price is a missed detection whenever the timer byte
happens to be 0).

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the Win9x SoftICE VxD; use \\.\SIWVID or \\.\NTICE for the others */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered, so SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
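
Most of the tricks above leave fixed byte sequences in the protected program
(the 'BCHK' immediate, the 4647h/4A4Dh magic values, the VxD IDs, the
0F386h compare, the device names and the registry path), so a triage scan can
flag them before the file is ever loaded under SoftICE. The scanner below is
an added example written for this page; it is not code from the article or
from any tool it mentions. It covers Methods 01 to 05, 07, 11, 12 and 13,
assumes a flat in-memory image and the opcode encodings of the listings
(16-bit code for the DOS tricks, 32-bit code for the Win32 ones), and embeds
constructed sample images hand-assembled from those listings. Methods 06, 08,
09, 10 and 14 leave no distinctive constant to match (Method 06 deliberately
avoids 4Fh and 0F386h) and are not covered.

```c
/* Added example, not code from the original article: a byte-signature scanner
 * for the anti-SoftICE idioms listed on this page. Assumptions: the input is a
 * flat in-memory code/data image, and the patterns are the opcode encodings of
 * the listings above (16-bit code for the DOS tricks, 32-bit code for Win32). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SIG_BCHK_INT3 = 1, SIG_BACKDOOR_MAGIC = 2, SIG_INT2F_VXD_ID = 4, SIG_INT41_F386 = 8,
       SIG_INT68_F386 = 16, SIG_VXDCALL_INT41 = 32, SIG_DEVICE_NAME = 64, SIG_REGISTRY_KEY = 128 };

struct rule {                                     /* anchor, optionally followed within */
    unsigned flag;                                /* `window` bytes by a second pattern  */
    const uint8_t *anchor; size_t anchor_len;
    const uint8_t *follow; size_t follow_len;     /* follow == NULL: anchor alone fires  */
    size_t window; const char *name;
};

/* Opcode fragments; immediates are little-endian, exactly as in the listings. */
static const uint8_t imm_bchk[]       = {0x4B,0x48,0x43,0x42};      /* 'BCHK' operand of MOV EBP */
static const uint8_t int_3[]          = {0xCC};                     /* INT 3                    */
static const uint8_t mov_si_4647[]    = {0xBE,0x47,0x46};           /* MOV SI,4647h             */
static const uint8_t mov_di_4a4d[]    = {0xBF,0x4D,0x4A};           /* MOV DI,4A4Dh             */
static const uint8_t mov_bx_0202[]    = {0xBB,0x02,0x02};           /* MOV BX,0202h (SICE)      */
static const uint8_t mov_bx_7a5f[]    = {0xBB,0x5F,0x7A};           /* MOV BX,7A5Fh (SIWVID)    */
static const uint8_t int_2f[]         = {0xCD,0x2F};                /* INT 2Fh                  */
static const uint8_t int_41[]         = {0xCD,0x41};                /* INT 41h                  */
static const uint8_t cmp_ax_f386[]    = {0x3D,0x86,0xF3};           /* CMP AX,0F386h (66h prefix in 32-bit code) */
static const uint8_t push_2a002a[]    = {0x68,0x2A,0x00,0x2A,0x00}; /* PUSH 002A002Ah           */
static const uint8_t mov_ah43_int68[] = {0xB4,0x43,0xCD,0x68};      /* MOV AH,43h / INT 68h     */

#define OPC(flag, a, f, w, name) { flag, a, sizeof(a), f, sizeof(f), w, name }
#define STR(flag, s, name)       { flag, (const uint8_t *)s, sizeof(s) - 1, NULL, 0, 0, name }

static const struct rule rules[] = {
    OPC(SIG_BCHK_INT3,      imm_bchk,    int_3,       8,  "Method 01: 'BCHK' in EBP, then INT 3"),
    OPC(SIG_BACKDOOR_MAGIC, mov_si_4647, mov_di_4a4d, 8,  "Method 02: SI=4647h / DI=4A4Dh back door"),
    OPC(SIG_INT2F_VXD_ID,   mov_bx_0202, int_2f,      8,  "Method 03: INT 2Fh/1684h, VxD ID 0202h"),
    OPC(SIG_INT2F_VXD_ID,   mov_bx_7a5f, int_2f,      8,  "Method 04: INT 2Fh/1684h, VxD ID 7A5Fh"),
    OPC(SIG_INT41_F386,     int_41,      cmp_ax_f386, 16, "Method 05: INT 41h, then CMP AX,0F386h"),
    { SIG_INT68_F386, mov_ah43_int68, sizeof mov_ah43_int68, NULL, 0, 0, "Method 07: MOV AH,43h / INT 68h" },
    OPC(SIG_VXDCALL_INT41,  push_2a002a, cmp_ax_f386, 16, "Method 12: VxDCall 002A002Ah, then CMP AX,0F386h"),
    STR(SIG_DEVICE_NAME,    "\\\\.\\SICE",     "Method 11: device name \\\\.\\SICE"),
    STR(SIG_DEVICE_NAME,    "\\\\.\\SIWVID",   "Method 11: device name \\\\.\\SIWVID"),
    STR(SIG_DEVICE_NAME,    "\\\\.\\NTICE",    "Method 11: device name \\\\.\\NTICE"),
    STR(SIG_REGISTRY_KEY,   "NuMega\\SoftICE", "Method 13: key Software\\NuMega\\SoftICE"),
};

static const uint8_t *find_bytes(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    for (size_t i = 0; m != 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    return NULL;
}

static int rule_hits(const struct rule *r, const uint8_t *buf, size_t len)
{
    const uint8_t *end = buf + len, *p = buf;
    while ((p = find_bytes(p, (size_t)(end - p), r->anchor, r->anchor_len)) != NULL) {
        const uint8_t *after = p + r->anchor_len;
        size_t span = (size_t)(end - after);          /* bytes left after the anchor */
        if (r->follow == NULL) return 1;
        if (span > r->window + r->follow_len) span = r->window + r->follow_len;
        if (find_bytes(after, span, r->follow, r->follow_len) != NULL) return 1;
        p++;                                          /* try the next anchor occurrence */
    }
    return 0;
}

unsigned scan_anti_softice(const uint8_t *buf, size_t len)   /* OR of SIG_* flags found */
{
    unsigned found = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rule_hits(&rules[i], buf, len)) found |= rules[i].flag;
    return found;
}

/* Constructed sample images, hand-assembled from the listings on this page. */
static const uint8_t img_bchk[] = {  /* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10 };
static const uint8_t img_haspinst[] = {  /* Method 02: the Haspinst.exe loop at 4C19:0095..00A8 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB };
static const uint8_t img_int2f[] = {  /* Method 03: xor di,di / mov es,di / mov ax,1684h / ... */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F, 0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x10 };
static const uint8_t img_int41[] = {  /* Method 05, Stone's variant: two ES:[41h*4] xchgs between INT and CMP */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x26,0x87,0x16,0x04,0x01, 0x26,0x87,0x1E,0x06,0x01, 0x3D,0x86,0xF3, 0x74,0x10 };
static const uint8_t img_win32[] = {  /* Methods 12, 11 and 13 in one Win32 image */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0x00,0x00,0x00,0x00, 0x66,0x3D,0x86,0xF3, 0x74,0x10,
    '\\','\\','.','\\','S','I','C','E',0,
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\','S','o','f','t','I','C','E',0 };
static const uint8_t img_clean[] = "plain program, no debugger games";

int main(void)
{
    const struct { const char *what; const uint8_t *img; size_t len; } samples[] = {
        { "Method 01", img_bchk, sizeof img_bchk }, { "Haspinst", img_haspinst, sizeof img_haspinst },
        { "Method 03", img_int2f, sizeof img_int2f }, { "Stone", img_int41, sizeof img_int41 },
        { "Win32", img_win32, sizeof img_win32 }, { "clean", img_clean, sizeof img_clean } };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10s flags=0x%02x\n", samples[i].what, scan_anti_softice(samples[i].img, samples[i].len));
        for (size_t j = 0; j < sizeof rules / sizeof rules[0]; j++)
            if (rule_hits(&rules[j], samples[i].img, samples[i].len)) printf("    %s\n", rules[j].name);
    }
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall anti_softice_scan.c`) and run it: scan_anti_softice returns the bit mask, and main prints the matching rule names for each sample. The anchor-plus-window design is what keeps the rules honest: an INT 41h alone, or a lone CCh, is far too common to report, but INT 41h followed within a few instructions by CMP AX,0F386h is the idiom the page describes. Treat a hit as a lead, not proof: the scan does no disassembly, so a packer that builds the constants at run time (XORing 0F386h out of a key, say) slips past it, and the 'BCHK' bytes can occur in ordinary data.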

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>