<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature inside SoftICE: SoftICE answers the BoundsChecker
'BCHK' int 3 call, so if AL is no longer 04h after the interrupt, a debugger
handled it.

  mov ebp, 04243484Bh  ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 04h          ; unchanged if nobody answered the call
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands reached through int 3, which return information
about breakpoints or execute SoftICE commands. It is also used to crash
SoftICE and to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:

-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' SoftICE uses to tell a back-door call from an
ordinary int 3. For more information, see Ralf Brown's Interrupt List,
chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below)
4C19:009A  MOV SI,4647     ; 1st magic value
4C19:009D  MOV DI,4A4D     ; 2nd magic value
4C19:00A0  INT 3           ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands
4C19:00AA  JMP 0002        ; Bad_Guy: jmp back
4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which are:
LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). When the VxD is present, ES:DI receives its
API entry point; when it is absent, ES:DI stays 0.

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h        ; VxD ID of WINICE
  int 2Fh
  mov ax, es           ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7A5Fh        ; VxD ID of SIWVID
  int 2Fh
  mov ax, es           ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

  mov ax, 4Fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at its own dummy handler, so that a plain iret is all the program itself
could ever get back; a 0F386h reply can then only come from a debugger that
intercepts int 41h before the vector is consulted:

  xor ax, ax
  mov es, ax                  ; ES = 0: interrupt vector table
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]         ; swap in our handler, keep the old vector
  xchg bx, es:[41h*4+2]
  mov ax, 4Fh
  int 41h
  xchg dx, es:[41h*4]         ; restore the old vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0F386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect. Instead
of the well-known 4Fh/0F386h pair it uses a pseudo-random function number
read from the timer port (in al, 40h): our own handler copies AL into CL, so
if CL still differs from AL after the int 41h, something other than our
handler (i.e. the debugger) serviced the interrupt (the check is blind in
the rare case where the timer read returns 0):

int41handler PROC
  mov cl, al
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax                  ; ES = 0: interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]         ; swap in our handler, keep the old vector
  xchg bx, es:[41h*4+2]
  in al, 40h                  ; pseudo-random 'function number'
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]         ; restore the old vector
  xchg bx, es:[41h*4+2]
  cmp cl, al
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

" T! c+ a+ [( z9 y' XMethod 08
- b+ i" j; Y- I4 J) N/ F=========
" X! T( [8 U4 N1 }4 S
2 d( j" P2 `* |! ?. z, s& c! O) RIt is not a method of detection of SoftICE but a possibility to crash the0 w$ y2 M% f ]2 ~# }
system by intercepting int 01h and int 03h and redirecting them to another
! F) G l4 h1 a7 |3 Z$ _/ @# N- @routine.
- B' s* `3 e& K) P# _( g# |It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points+ z3 u% H8 R l; I- i
to the new routine to execute (hangs computer...)
9 j. J6 }) r" D' B8 t4 S! ]3 h$ q" f# @+ A1 x9 d
mov ah, 25h
' s. ~- o# n" F% I0 y, S mov al, Int_Number (01h or 03h)) ^* [ @9 B8 B, o" l6 @7 |! B
mov dx, offset New_Int_Routine/ _: r* B6 [' J2 H* r. R
int 21h R& N7 Q9 S& b
7 K5 X8 R( y- F$ d$ h. e# [1 q__________________________________________________________________________8 s9 Y) a, b7 s# U R" l
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and, if so, returns its Device Description Block (in ECX).

  mov eax, Device_ID    ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
  mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

  bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Win9x SoftICE registers a device named SICE; opening it succeeds
       only when the VxD is loaded (see below for what CreateFileA does). */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 comparison looks at the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(

 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:

 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:

 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                   ; OF_READ
  mov eax,[00656634]        ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax                   ; HFILE_ERROR (-1) becomes 0
  jnz 00650589              ; detected
  push 00                   ; OF_READ
  mov eax,[00656638]        ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

  push 0000004Fh           ; function 4Fh
  push 002A002Ah           ; high word specifies which VxD (VWIN32),
                           ; low word which service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_0001   ; VxDCall
  cmp ax, 0F386h           ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
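Most of the tricks above are fixed byte sequences: the 'BCHK' register setup of method 01, the SI/DI magic values of method 02, the int 2Fh/1684h VxD queries of methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of methods 05 to 07, the "\\.\SICE"-style device names of method 11 and the 002A002Ah service selector of method 12. That makes them easy to hunt in an executable without running it under SoftICE at all. The scanner below is an added example written for this page, not code from the original document or from any tool it names: the signature table is my own encoding of the quoted instructions (16-bit encodings for the DOS tricks, 32-bit for method 01 and the VxDCall push), the hit labels are my own, and the buffer in `demo_sample()` is constructed, not taken from a real protector.

```c
/* anti_sice_scan.c: static scan for the anti-SoftICE byte patterns catalogued
 * on this page. Added example, not code from the original document: the
 * signature table is my own encoding of the quoted instruction sequences and
 * the buffer in demo_sample() is constructed, not taken from a real binary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *pat; size_t len; } Sig;
typedef struct { const char *name; size_t offset; } Hit;

static const unsigned char p01[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                  /* mov ebp,4243484Bh ('BCHK'), 32-bit */
static const unsigned char p02[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };            /* mov si,4647h / mov di,4A4Dh */
static const unsigned char p03[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const unsigned char p04[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const unsigned char p05[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                  /* mov ax,4Fh / int 41h */
static const unsigned char p07[]   = { 0xB4, 0x43, 0xCD, 0x68 };                        /* mov ah,43h / int 68h */
static const unsigned char pF386[] = { 0x3D, 0x86, 0xF3 };                              /* cmp ax,0F386h (66h-prefixed in 32-bit code) */
static const unsigned char p12[]   = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };                  /* push 002A002Ah (VWIN32_Int41Dispatch) */

#define STR_SIG(s) ((const unsigned char *)(s)), (sizeof(s) - 1)

static const Sig sigs[] = {
    { "01: BoundsChecker 'BCHK' int 3 handshake",     p01,   sizeof p01   },
    { "02: int 3 back door (SI=4647h, DI=4A4Dh)",     p02,   sizeof p02   },
    { "03: int 2Fh/1684h, VxD ID 0202h (WINICE)",     p03,   sizeof p03   },
    { "04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",     p04,   sizeof p04   },
    { "05: int 41h function 4Fh",                     p05,   sizeof p05   },
    { "07: int 68h function 43h",                     p07,   sizeof p07   },
    { "05/07/12: cmp ax,0F386h (weak on its own)",    pF386, sizeof pF386 },
    { "12: VxDCall VWIN32_Int41Dispatch (002A002Ah)", p12,   sizeof p12   },
    { "11: MeltICE device name SICE",                 STR_SIG("\\\\.\\SICE")   },
    { "11: MeltICE device name SIWVID",               STR_SIG("\\\\.\\SIWVID") },
    { "11: MeltICE device name NTICE",                STR_SIG("\\\\.\\NTICE")  },
};

/* Scan buf for every signature. Records up to max_hits matches in hits (in
 * offset order) and returns the total number found, which may exceed max_hits. */
size_t scan_buffer(const unsigned char *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++)
            if (sigs[s].len <= len - i && memcmp(buf + i, sigs[s].pat, sigs[s].len) == 0) {
                if (n < max_hits) { hits[n].name = sigs[s].name; hits[n].offset = i; }
                n++;
            }
    return n;
}

/* Constructed sample: several of the sequences above glued together with
 * filler bytes, standing in for a code section of a protected executable. */
const unsigned char *demo_sample(size_t *len)
{
    static const unsigned char demo[] = {
        0x55, 0x8B, 0xEC,                                            /* push ebp / mov ebp,esp */
        0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC,  /* method 01 */
        0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,              /* method 03 */
        0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,                    /* method 12: push 4Fh / push 002A002Ah */
        0x66, 0x3D, 0x86, 0xF3,                                      /* cmp ax,0F386h */
        '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,                /* MeltICE device names */
        '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0,
        0xC3                                                         /* ret */
    };
    *len = sizeof demo;
    return demo;
}

/* Label of the k-th hit in the constructed sample, or NULL past the last one. */
const char *demo_hit_name(size_t k)
{
    static Hit hits[64];
    size_t len;
    const unsigned char *d = demo_sample(&len);
    size_t n = scan_buffer(d, len, hits, 64);
    return (k < n && k < 64) ? hits[k].name : NULL;
}

/* Usage: anti_sice_scan [file]; with no argument the constructed sample is scanned. */
int main(int argc, char **argv)
{
    unsigned char *filebuf = NULL;
    const unsigned char *buf = NULL;
    size_t len = 0, n, i;
    Hit hits[64];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;

    if (f) {
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        filebuf = malloc(len ? len : 1);
        if (filebuf && fread(filebuf, 1, len, f) == len) buf = filebuf;
        fclose(f);
    }
    if (argc > 1 && !buf) { perror(argv[1]); free(filebuf); return 1; }
    if (!buf) buf = demo_sample(&len);
    n = scan_buffer(buf, len, hits, 64);
    for (i = 0; i < n && i < 64; i++)
        printf("%08zx  %s\n", hits[i].offset, hits[i].name);
    printf("%zu hit(s)\n", n);
    free(filebuf);
    return 0;
}
```

Run it with a file argument to scan a DOS or PE image; the output lists each hit by file offset. The three-byte cmp ax,0F386h pattern occurs by chance in ordinary code, so treat it as supporting evidence next to one of the interrupt calls rather than a detection on its own, and remember that a packer can defeat any of these signatures by computing the magic values at run time instead of embedding them as immediates.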
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory. It is
used by a few programs, which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

  (esp->8 is the lpSubKey argument; 0x13 is the offset of 'tICE' in
  "Software\NuMega\SoftICE" and 0x37 its offset in the Uninstall key #1)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

  VMMCall Test_Debug_Installed
  je not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>