<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911            ; execute command.
4C19:0098 MOV  DX,[BX]            ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647            ; 1st magic value.
4C19:009D MOV  DI,4A4D            ; 2nd magic value.
4C19:00A0 INT  3                  ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02              ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06              ; Repeat 6 times to execute
4C19:00A8 JB   0095               ; 6 different commands.
4C19:00AA JMP  0002               ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP              ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; ES:DI == 0:0 when the VxD is absent
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler...
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; ...and restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h              ; our handler never returns F386h, SoftICE does
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al                  ; copy al into cl so that the check below passes
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our own int 41h handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; read the PIT counter: an unpredictable value in al
        xor     cx, cx
        int     41h                     ; reaches our handler only if SoftICE doesn't hook int 41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; cl == al only if our handler really ran
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SICE VxD through its device name: succeeds only when the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025             ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
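All the checks in this list leave recognisable byte patterns or strings in the protected executable: the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h sequence of methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of methods 05, 06, 07 and 12, the \\.\SICE / \\.\SIWVID / \\.\NTICE device names of method 11 and the registry key names of method 13. The following Python script is an added example, not part of the original list: it scans a file for those signatures so that an analyst can spot the tricks before tracing a sample. The opcode encodings (int imm8 = CD ib, mov ax,imm16 = B8 iw with an optional 66h prefix in 32-bit code, mov si/di,imm16 = BE/BF iw, mov bx,imm16 = BB iw, mov ah,imm8 = B4 ib, mov ebp,imm32 = BD id, push imm8 = 6A ib, push imm32 = 68 id), the regular expressions and the embedded sample bytes are my own assumptions and constructions; the patterns are deliberately loose, so treat a hit as something to look at, not as proof.

```python
"""Scan a binary for the SoftICE detection tricks described in this list.

Signatures are hand-written byte regexes (assumed x86 encodings, see the
comments); they are meant for triage and can produce false positives.
"""
import re
import sys

SIGNATURES = {
    # method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    "01 BoundsChecker 'BCHK' via int 3":
        re.compile(rb"\xbd\x4b\x48\x43\x42"),
    # method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (optional 66h prefixes)
    "02 SoftICE back door (SI=4647h, DI=4A4Dh) via int 3":
        re.compile(rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a.{0,8}?\xcc",
                   re.DOTALL),
    # methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                   re.DOTALL),
    # methods 05/06: mov ax,4Fh ... int 41h
    "05/06 int 41h/4Fh magic number F386h":
        re.compile(rb"(?:\x66)?\xb8\x4f\x00.{0,32}?\xcd\x41", re.DOTALL),
    # method 07: mov ah,43h ; int 68h
    "07 int 68h/43h V86 handler check":
        re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL),
    # method 11: device names opened with CreateFileA / _lopen
    "11 MeltICE driver names (\\\\.\\SICE, SIWVID, NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch (002A002Ah)":
        re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # method 13: registry key names (ASCII, case-insensitive)
    "13 SoftICE registry keys":
        re.compile(rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)",
                   re.IGNORECASE),
}


def scan(data: bytes):
    """Return (method, offset) pairs for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def methods_found(data: bytes):
    """Return the sorted, de-duplicated list of method labels that matched."""
    return sorted({name for name, _ in scan(data)})


# Constructed sample (not a real binary): a few of the tricks glued together
# after four NOPs, so that method 01 lands at offset 4.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42" + b"\x66\xb8\x04\x00" + b"\xcc" + b"\x3c\x04" + b"\x75\x10"
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"     # method 05
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                  # method 12
    + b"\\\\.\\SICE\x00"                                # method 11 string
    + b"Software\\NuMega\\SoftICE\x00"                  # method 13 key
    + b"\xc3"
)


if __name__ == "__main__":
    # usage: python scan_softice.py [file]; without an argument the sample is scanned
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offset in scan(data):
        print(f"{offset:08x}  {name}")
```

The `.{0,8}?` gaps let a few unrelated instructions sit between the pieces of a check, which is how most packers lay them out; widen them if a sample interleaves junk, and keep in mind that any 16-bit value such as 4647h can occur by chance in data.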
</PRE></TD></TR></TBODY></TABLE>