<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh             ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give info on breakpoints or execute
SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command to execute is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911           ; execute command.
        4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647           ; 1st magic value.
        4C19:009D MOV DI,4A4D           ; 2nd magic value.
        4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02             ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
        4C19:00A8 JB 0095               ; 6 different commands.
        4C19:00AA JMP 0002              ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h                   ; VxD ID of winice
        int 2Fh
        mov ax, es                      ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh                   ; VxD ID of SIWVID
        int 2fh
        mov ax, es                      ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected



Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)
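The interrupt-based checks of Methods 01 to 07 all assemble to short, distinctive
byte sequences, so an analyst triaging a packed sample can flag them statically
before ever running it under a debugger. The Python scanner below is an added
example written for this page; it is not code from the original text nor from
any tool the text mentions. It encodes exactly the instructions shown above
(32-bit encodings for the BCHK check, 16-bit encodings for the DOS/real-mode
interrupt calls), tolerates up to 16 bytes of unrelated code between the
instructions of one check, and decodes the VxD ID passed to int 2Fh/1684h. The
signature names and the sample blob are my own constructions.

```python
import re

# Opcode signatures for the interrupt-based SoftICE checks (Methods 01-07).
# Encodings follow the snippets in the text: 32-bit code for the BCHK check,
# 16-bit code for the DOS/real-mode interrupt calls. GAP tolerates a few
# unrelated bytes between the instructions of one check.
GAP = rb".{0,16}?"
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    "bchk_int3": rb"\xbd\x4b\x48\x43\x42" + GAP + rb"\x66\xb8\x04\x00" + GAP + rb"\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    "backdoor_magic": rb"\xbe\x47\x46" + GAP + rb"\xbf\x4d\x4a" + GAP + rb"\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh; the id is captured
    "int2f_get_entry": rb"\xb8\x84\x16" + GAP + rb"\xbb(..)" + GAP + rb"\xcd\x2f",
    # Method 05: mov ax,4fh / int 41h
    "int41_4f": rb"\xb8\x4f\x00" + GAP + rb"\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "int68_43": rb"\xb4\x43" + GAP + rb"\xcd\x68",
    # Methods 05/07: cmp ax,0F386h, the system-debugger magic number
    "cmp_ax_f386": rb"\x3d\x86\xf3",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

# VxD ids named in Methods 03/04 (and again in Method 09).
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def scan(blob: bytes):
    """Return sorted (offset, signature, detail) hits found in blob."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(blob):
            detail = ""
            if name == "int2f_get_entry":
                vxd = int.from_bytes(m.group(1), "little")
                detail = VXD_IDS.get(vxd, "unknown VxD id %04x" % vxd)
            hits.append((m.start(), name, detail))
    return sorted(hits)


# Constructed sample: the checks above assembled by hand, separated by NOPs.
SAMPLE = bytes.fromhex(
    "9090"
    "bd4b484342" "66b80400" "cc" "3c04" "7501"              # Method 01 (32-bit)
    "909090"
    "b81109" "8b17" "be4746" "bf4d4a" "cc"                  # Method 02, Haspinst style
    "83c302" "41" "83f906" "72eb"
    "909090"
    "31ff" "8ec7" "b88416" "bb0202" "cd2f"                  # Method 03, VxD id 0202h
    "8cc0" "01f8" "85c0" "7501"
    "90"
    "b84f00" "cd41" "3d86f3" "7401"                         # Method 05
    "90"
    "b443" "cd68" "3d86f3" "7401"                           # Method 07
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print("%04x  %-16s %s" % (off, name, detail))
```

Run on a real image, feed it the raw file bytes (or a dumped unpacked region,
since a packer will usually keep these checks in its stub rather than in the
original code). The wildcards deliberately stay short: the checks are tight
sequences, and a wider gap mostly buys false positives on the lone int 3 (CC)
byte that ordinary code and padding contain everywhere.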
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________


Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID              ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name            ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx                  ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
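To make the dr7 values quoted above concrete, here is an added Python decoder
for the x86 DR7 layout (written for this page, not part of the original text):
bits 0-7 are the L/G enable pairs for DR0-DR3, bits 8 and 9 are LE/GE, bit 10
is reserved and reads as 1, bit 13 is GD, and bits 16-31 hold the R/W and LEN
fields. The classification function simply applies the interpretation the text
gives; the example values are constructed.

```python
# Decoder for the x86 DR7 debug control register, to read the values
# quoted above (dr7 = 0x700 / 0x400) field by field.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) exists only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enable bits, condition/length fields and flags."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi: bits 16-17, 20-21, 24-25, 28-29
        length = (dr7 >> (18 + 4 * i)) & 3    # LENi: bits 18-19, 22-23, 26-27, 30-31
        if local or glob:
            breakpoints.append({
                "index": i,
                "local": bool(local),
                "global": bool(glob),
                "type": RW_NAMES[rw],
                "length": LEN_BYTES[length],
            })
    return {
        "breakpoints": breakpoints,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally reads as 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: #DB on MOV to/from DRn
    }


def classify_dr7(dr7: int) -> str:
    """Apply the interpretation given in the text to a DR7 value."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM-style)"
    if d["LE"] and d["GE"]:
        return "exact-breakpoint flags set (the 0x700 pattern of the SoftICE loader)"
    return "no debugger activity visible (the plain 0x400 value)"


if __name__ == "__main__":
    # Constructed values: idle, SoftICE-loader pattern, one 4-byte read/write BPM on DR0.
    for value in (0x400, 0x700, 0xF0401):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```

Two caveats follow directly from the layout. The 0x400 the text quotes for the
"not loaded" case is just the reserved bit that always reads as 1, so 0x400 means
"nothing set", not a SoftICE value. And because MOV from DR7 is privileged (ring0
only, as the text says) and traps with #DB whenever GD is set, a driver or VxD that
performs this check is itself visible to a debugger that arms GD.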

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh                  ; function 4fh
        push 002a002ah                  ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001           ; VxdCall
        cmp ax, 0f386h                  ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
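Methods 11 and 13 both leave fixed strings in the binary: the device names
handed to CreateFileA or _lopen, and the registry paths used to find the
install directory. The Python example below is added here and is not part of
the original text or of any tool it names; it pulls those indicators out of a
raw file image in both ANSI and UTF-16LE form, so that a caller of the wide
APIs (CreateFileW, RegOpenKeyW) is caught as well, and matches registry paths
case-insensitively because the registry itself is. The sample image is
constructed.

```python
import re

# Strings that Methods 11 and 13 leave in a binary: device names opened with
# CreateFileA / _lopen, and the registry keys used to locate the install dir.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _compile():
    """Build case-insensitive byte patterns in ANSI and UTF-16LE form."""
    pats = []
    for kind, texts in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for text in texts:
            for enc, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
                pat = re.compile(re.escape(text.encode(codec)), re.IGNORECASE)
                pats.append((kind, text, enc, pat))
    return pats


PATTERNS = _compile()


def find_indicators(blob: bytes):
    """Return sorted (offset, kind, encoding, text) for every indicator in blob."""
    hits = []
    for kind, text, enc, pat in PATTERNS:
        for m in pat.finditer(blob):
            hits.append((m.start(), kind, enc, text))
    return sorted(hits)


def verdict(hits):
    """Summarise hits the way the text groups them."""
    labels = []
    if any(kind == "device" for _, kind, _, _ in hits):
        labels.append("MeltICE-style driver handle probe (Method 11)")
    if any(kind == "registry" for _, kind, _, _ in hits):
        labels.append("SoftICE install lookup via registry (Method 13)")
    return labels


# Constructed sample image: one ANSI device name, one UTF-16 device name,
# one registry key in odd case, and a legitimate device name that must not match.
SAMPLE = (
    b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 3
    + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 3
    + b"software\\numega\\softice\x00"
    + b"\x90" * 3
    + b"\\\\.\\PhysicalDrive0\x00"
)

if __name__ == "__main__":
    hits = find_indicators(SAMPLE)
    for off, kind, enc, text in hits:
        print("%04x %-8s %-8s %s" % (off, kind, enc, text))
    print(verdict(hits))
```

A string hit is weaker evidence than an opcode hit: a packer may build the
device name on the stack at run time, which is exactly why the text pairs the
static view with the CreateFileA and VMM_GetDDBList breakpoints above. Use the
scanner to decide which of those breakpoints is worth setting first.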

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>