About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: on an int 3
with EBP='BCHK' and AX=4, SoftICE answers by changing AL; if SoftICE is
not loaded nothing touches AL and the compare succeeds.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door' commands, which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE (the ASCII 'FG' and 'JM',
the initials of its authors).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh,
AX=1684h (Get VxD API entry point).  The code preloads ES:DI with 0:0;
if the VxD is not there the call leaves it that way.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector in the IVT is swapped
for a dummy handler around the call, so the only thing that can put 0F386h
into AX is a debugger intercepting the interrupt before the vector is used;
without one, the dummy iret leaves AX=4Fh.

    xor     ax,ax
    mov     es,ax           ; ES=0 -&gt; interrupt vector table (assumed by the fragment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, and AL is loaded from the timer (port 40h)
instead of with 4Fh.  If the program's own handler runs, CL==AL; if a
debugger intercepts int 41h and does not pass it on, CL stays 0 and (unless
the timer byte happens to be 0) the compare fails.  There is no 4Fh and no
0F386h constant to break on.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86), function 43h
(installation check):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system:
the program intercepts int 01h and int 03h (the single-step and breakpoint
interrupts a debugger relies on) and redirects them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3 hold the
addresses, dr7 the enable bits and conditions). The values can be manipulated
or changed as well (clearing BPMs, for instance).
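As an added example (not code from the original text), here is a C decoder for DR7 that shows what the two values quoted above actually mean and what "clearing BPMs" amounts to. The bit layout follows the Intel SDM description of the debug registers; the function names and the 0xD0401 sample value are mine.

```c
/* Added example, not part of the original text: decode the x86 DR7 debug
 * control register the way a ring-0 anti-debug routine does after a
 * "mov eax, dr7". Layout (Intel SDM vol. 3, Debug Registers):
 * bits 0-7 = L0,G0 .. L3,G3 enables, bit 8 = LE, bit 9 = GE, bit 10 is
 * reserved and always reads 1, bit 13 = GD, bits 16-31 = R/Wn and LENn,
 * two bits each, for breakpoints 0..3. Sample inputs are constructed. */
#include <stdint.h>
#include <stdio.h>

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RDWR = 3 };

struct hw_bp {
    int enabled;        /* Ln or Gn set: the address in DRn is armed        */
    int global;         /* Gn set: breakpoint survives task switches        */
    enum bp_kind kind;  /* R/Wn field                                       */
    int len;            /* LENn decoded to bytes: 1, 2, 4 (8 in 64-bit mode) */
};

struct dr7_state {
    uint32_t raw;
    int le, ge, gd;     /* local/global exact breakpoint, general detect    */
    struct hw_bp bp[4];
};

static int decode_len(unsigned lenbits)
{
    switch (lenbits & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 2:  return 8;   /* only defined in 64-bit mode */
    default: return 4;
    }
}

struct dr7_state decode_dr7(uint32_t dr7)
{
    struct dr7_state s = {0};
    s.raw = dr7;
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        s.bp[i].enabled = local || global;
        s.bp[i].global  = global;
        s.bp[i].kind    = (enum bp_kind)((dr7 >> (16 + 4 * i)) & 3);
        s.bp[i].len     = decode_len((dr7 >> (18 + 4 * i)) & 3);
    }
    return s;
}

/* One slot's view, for quick checks of a single DRn. */
struct hw_bp hw_bp_of(uint32_t dr7, int n)
{
    struct dr7_state s = decode_dr7(dr7);
    return s.bp[n & 3];
}

/* Number of armed hardware breakpoints: what a BPM-hunting check looks at. */
int active_hw_breakpoints(uint32_t dr7)
{
    struct dr7_state s = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += s.bp[i].enabled;
    return n;
}

/* "Clearing BPMs": drop the enable bits and the condition fields, keep
 * LE/GE/GD, and keep the reserved bit 10 set as the CPU expects. */
uint32_t clear_hw_breakpoints(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | 0x400u;
}

int main(void)
{
    /* Constructed inputs: the two values quoted above, plus one with DR0
     * armed as a local 4-byte write breakpoint (L0 | R/W0=01 | LEN0=11). */
    const uint32_t samples[] = { 0x700u, 0x400u, 0x000D0401u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_state s = decode_dr7(samples[i]);
        printf("dr7=%#010x LE=%d GE=%d GD=%d armed=%d",
               s.raw, s.le, s.ge, s.gd, active_hw_breakpoints(s.raw));
        for (int b = 0; b < 4; b++)
            if (s.bp[b].enabled)
                printf(" [dr%d %s kind=%d len=%d]", b,
                       s.bp[b].global ? "global" : "local",
                       (int)s.bp[b].kind, s.bp[b].len);
        printf("\n");
    }
    return 0;
}
```

Decoding the two quoted values shows that neither has a breakpoint armed: 0x700 is LE|GE plus the always-set bit 10, 0x400 is bit 10 alone, so the "loaded with the SoftICE loader" tell is the exact-match bits, not a BPM. Two caveats for anyone relying on this: MOV from a debug register needs CPL 0 (it raises #GP from ring 3, which is why the text says ring0 only), and a debugger can set GD (bit 13) so that the MOV itself traps to the debugger, which then hands back whatever value it likes.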

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD; the open only
      succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
  (esp-&gt;4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
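The breakpoints above catch these tricks at run time. As an added example (not from the original text and not from any of the programs it quotes), here is the static counterpart: a scanner that looks in a file image for the byte patterns the listings of methods 01, 02, 05/07/12 and 11 produce. The encodings used are standard x86 (mov r16/r32,imm is B8+reg, so ebp=BD, si=BE, di=BF; cmp ax,imm16 is 3D; int 3 is CC); the hit labels and helper names are mine, and the sample buffers are reassembled from the listings above rather than taken from the real binaries.

```c
/* Added example, not from the original text nor from any program it quotes:
 * a static scanner for the byte patterns these tricks leave in a binary.
 * Encodings: mov r16/r32,imm = B8+reg (ebp=BD, si=BE, di=BF),
 * cmp ax,imm16 = 3D iw, int 3 = CC. Hit labels are mine; the sample
 * buffers are reassembled from the quoted listings (constructed data). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND ((size_t)-1)

struct hit { size_t offset; const char *what; };

/* First index >= start at which pat occurs in buf, or NOT_FOUND. */
static size_t find_bytes(const uint8_t *buf, size_t len,
                         const void *pat, size_t plen, size_t start)
{
    for (size_t i = start; plen <= len && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return i;
    return NOT_FOUND;
}

static int record(struct hit *out, int max, int n, size_t off, const char *what)
{
    if (n < max) { out[n].offset = off; out[n].what = what; }
    return n + 1;
}

/* Returns the number of hits; at most `max` of them are written to out. */
int scan_softice_tricks(const uint8_t *buf, size_t len, struct hit *out, int max)
{
    static const uint8_t bchk[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,'BCHK' */
    static const uint8_t si_fg[] = { 0xBE, 0x47, 0x46 };             /* mov si,4647h   */
    static const uint8_t di_jm[] = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh   */
    static const uint8_t f386[]  = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h  */
    static const char *const devs[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
    int n = 0;
    size_t i;

    for (i = 0; (i = find_bytes(buf, len, bchk, sizeof bchk, i)) != NOT_FOUND; i++)
        n = record(out, max, n, i, "BoundsChecker 'BCHK' int 3 check (method 01)");

    /* Back door: 2nd magic value within 8 bytes of the 1st, int 3 within the
     * next 16 bytes; the windows also cover the 32-bit mov esi/edi forms. */
    for (i = 0; (i = find_bytes(buf, len, si_fg, sizeof si_fg, i)) != NOT_FOUND; i++) {
        size_t j = find_bytes(buf, len, di_jm, sizeof di_jm, i + sizeof si_fg);
        if (j == NOT_FOUND || j > i + 8)
            continue;
        size_t end = (j + sizeof di_jm + 16 < len) ? j + sizeof di_jm + 16 : len;
        for (size_t k = j + sizeof di_jm; k < end; k++)
            if (buf[k] == 0xCC) {
                n = record(out, max, n, i, "SoftICE back door SI=4647h/DI=4A4Dh + int 3 (method 02)");
                break;
            }
    }

    for (i = 0; (i = find_bytes(buf, len, f386, sizeof f386, i)) != NOT_FOUND; i++)
        n = record(out, max, n, i, "cmp ax,0F386h debugger magic (methods 05/07/12)");

    for (size_t d = 0; d < sizeof devs / sizeof devs[0]; d++)
        for (i = 0; (i = find_bytes(buf, len, devs[d], strlen(devs[d]), i)) != NOT_FOUND; i++)
            n = record(out, max, n, i, "MeltICE device name (method 11)");
    return n;
}

int scan_count(const uint8_t *buf, size_t len)
{
    struct hit h[16];
    return scan_softice_tricks(buf, len, h, 16);
}
long first_hit_offset(const uint8_t *buf, size_t len)
{
    struct hit h[16];
    return scan_softice_tricks(buf, len, h, 16) > 0 ? (long)h[0].offset : -1L;
}
const char *first_hit_what(const uint8_t *buf, size_t len)
{
    static struct hit h[16];
    return scan_softice_tricks(buf, len, h, 16) > 0 ? h[0].what : "";
}

/* Constructed samples, reassembled from the listings quoted above. */
const uint8_t sample_haspinst[] = {
    0xB8, 0x11, 0x09, 0x8B, 0x17,        /* mov ax,0911h ; mov dx,[bx]  */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,  /* mov si,4647h ; mov di,4A4Dh */
    0xCC, 0x83, 0xC3, 0x02, 0x41,        /* int 3 ; add bx,2 ; inc cx   */
    0x83, 0xF9, 0x06, 0x72, 0xEB,        /* cmp cx,6 ; jb 0095          */
};
const uint8_t sample_bchk[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp,4243484Bh (16-bit code) */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,  /* mov ax,4 ; int 3 ; cmp al,4     */
    0x75, 0x10,                          /* jnz SoftICE_Detected            */
};
const uint8_t sample_int41[] = {
    0xB8, 0x4F, 0x00, 0xCD, 0x41,        /* mov ax,4Fh ; int 41h        */
    0x3D, 0x86, 0xF3, 0x74, 0x10,        /* cmp ax,0F386h ; jz detected */
};
const uint8_t sample_meltice[] = "pad\\\\.\\SICE";
const uint8_t sample_clean[]   = "nothing to see here, just text";

int main(void)
{
    const uint8_t *bufs[] = { sample_haspinst, sample_bchk, sample_int41,
                              sample_meltice, sample_clean };
    const size_t lens[] = { sizeof sample_haspinst, sizeof sample_bchk,
                            sizeof sample_int41, sizeof sample_meltice, sizeof sample_clean };
    for (size_t b = 0; b < 5; b++) {
        struct hit h[16];
        int n = scan_softice_tricks(bufs[b], lens[b], h, 16);
        printf("buffer %zu: %d hit(s)\n", b, n);
        for (int k = 0; k < n && k < 16; k++)
            printf("  +%zu  %s\n", h[k].offset, h[k].what);
    }
    return 0;
}
```

The byte offsets in the Haspinst sample line up with the 4C19:0095..00A8 addresses in the listing, which is a cheap way to check the encodings. The patterns are heuristics: a packer can split the magic values across registers or build them at run time, and 3D 86 F3 also matches an unrelated cmp eax,imm32 whose low bytes happen to be 86 F3, so treat hits as leads to look at under the breakpoints above rather than as proof.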

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

(esp-&gt;8 is the lpSubKey string; offset 0x13 lands on the 'tICE' of key #2
and 0x37 on that of key #1.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>