About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own (empty) int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and put the original vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler just records AL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer value: not predictable
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL == AL only if our handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
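The interrupt-based checks of Methods 01 to 07 all assemble to short, fixed byte sequences, which makes them easy to find statically in a DOS or Win9x binary. The scanner below is an added example and not code from the original text: its patterns are the byte encodings of the instructions shown in the listings above (16-bit code; the `mov ebp,imm32` of Method 01 is taken in its 32-bit form), and the sample buffers are hand-assembled from those listings, not extracted from any real file. The int 2Fh/1684h pattern uses wildcards for the VxD ID and classifies the hit as SICE (0202h), SIWVID (7A5Fh) or other.

```c
/*
 * Added example, not code from the original text: a static scanner for the
 * anti-SoftICE stubs of Methods 01 to 07. Real samples vary (66h prefixes,
 * other register order, junk between instructions), so a hit is a lead for
 * the analyst, not proof, and a miss proves nothing.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    SIG_BCHK       = 1 << 0, /* Method 01: mov ebp,4243484Bh ('BCHK')           */
    SIG_BACKDOOR   = 1 << 1, /* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  */
    SIG_VXD_SICE   = 1 << 2, /* Method 03: mov bx,0202h ; int 2Fh               */
    SIG_VXD_SIWVID = 1 << 3, /* Method 04: mov bx,7A5Fh ; int 2Fh               */
    SIG_VXD_OTHER  = 1 << 4, /* mov bx,imm16 ; int 2Fh with some other VxD ID   */
    SIG_INT41_4F   = 1 << 5, /* Method 05: mov ax,4Fh ; int 41h                 */
    SIG_INT68_43   = 1 << 6, /* Method 07: mov ah,43h ; int 68h                 */
    SIG_MAGIC_F386 = 1 << 7  /* cmp ax,0F386h (Methods 05, 07 and 12)           */
};

#define WILD (-1) /* wildcard byte in a pattern */

struct sig { unsigned flag; int len; const int16_t *pat; };

static const int16_t pat_bchk[]  = {0xBD, 0x4B, 0x48, 0x43, 0x42};  /* BD imm32, 'BCHK' little-endian */
static const int16_t pat_bd[]    = {0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC};
static const int16_t pat_int2f[] = {0xBB, WILD, WILD, 0xCD, 0x2F};  /* mov bx,imm16 ; int 2Fh */
static const int16_t pat_int41[] = {0xB8, 0x4F, 0x00, 0xCD, 0x41};  /* mov ax,4Fh ; int 41h   */
static const int16_t pat_int68[] = {0xB4, 0x43, 0xCD, 0x68};        /* mov ah,43h ; int 68h   */
static const int16_t pat_f386[]  = {0x3D, 0x86, 0xF3};              /* cmp ax,0F386h          */

#define SIG(f, p) { f, (int)(sizeof(p) / sizeof(p[0])), p }
static const struct sig sigs[] = {
    SIG(SIG_BCHK, pat_bchk),       SIG(SIG_BACKDOOR, pat_bd),
    SIG(SIG_VXD_OTHER, pat_int2f), SIG(SIG_INT41_4F, pat_int41),
    SIG(SIG_INT68_43, pat_int68),  SIG(SIG_MAGIC_F386, pat_f386),
};

static int match_at(const uint8_t *p, size_t avail, const struct sig *s)
{
    if (avail < (size_t)s->len) return 0;
    for (int i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && p[i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan a code buffer and return a bitmask of the SIG_* stubs found in it. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned found = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t k = 0; k < sizeof sigs / sizeof sigs[0]; k++) {
            if (!match_at(buf + off, len - off, &sigs[k])) continue;
            if (sigs[k].flag != SIG_VXD_OTHER) { found |= sigs[k].flag; continue; }
            /* int 2Fh/1684h stub: classify by the VxD ID in mov bx,imm16 */
            unsigned id = buf[off + 1] | (unsigned)buf[off + 2] << 8;
            found |= id == 0x0202 ? SIG_VXD_SICE : id == 0x7A5F ? SIG_VXD_SIWVID : SIG_VXD_OTHER;
        }
    return found;
}

/* Constructed samples, hand-assembled from the listings above; not bytes
 * taken from any real file. */
const uint8_t sample_haspinst[] = {           /* Method 02 loop, 4C19:0095..00AD */
    0xB8, 0x11, 0x09, 0x8B, 0x17,             /* mov ax,0911h ; mov dx,[bx]      */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* mov si ; mov di ; int 3         */
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06, /* add bx,2 ; inc cx ; cmp cx,6    */
    0x72, 0xEB, 0xE9, 0x55, 0xFF, 0x8B, 0xDC  /* jb 0095 ; jmp 0002 ; mov bx,sp  */
};
const uint8_t sample_bchk[]  = {0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00,
                                0xCC, 0x3C, 0x04, 0x75, 0x05};            /* Method 01, 32-bit */
const uint8_t sample_int41[] = {0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x05};
const uint8_t sample_vxd[]   = {0x33, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F};
const uint8_t sample_clean[] = "plain text with no x86 stub in it";

int main(void)
{
    static const char *const name[] = {"BCHK", "backdoor", "vxd:SICE", "vxd:SIWVID",
                                       "vxd:other", "int41/4F", "int68/43", "cmp F386"};
    unsigned f = scan_anti_softice(sample_haspinst, sizeof sample_haspinst);
    printf("haspinst stub:");
    for (int b = 0; b < 8; b++)
        if (f & 1u << b) printf(" %s", name[b]);
    printf("\n");
    return 0;
}
```

Feed it a whole code segment and check the returned mask; a sample that sets SIG_MAGIC_F386 without any of the interrupt stubs is worth a closer look, since the compare may sit far from the call that produced the value.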
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD or a ring 3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
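The two DR7 values quoted above are easier to reason about once the register is split into its fields. The decoder below is an added example, not code from the original text: it interprets a DR7 value obtained elsewhere (reading DR7 with `mov eax,dr7` needs ring 0, which this program does not attempt), reports which of DR0-DR3 are armed and how, and applies the test a ring-0 check would make, namely that anything beyond the always-set reserved bit 10 means a debugger has touched the register. The bit layout is the one documented by Intel; the third value in main() is constructed to show a BPM on DR0.

```c
/*
 * Added example, not code from the original text: decode DR7.
 * Layout: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and
 * always read as 1, GD bit 13, R/W_n in bits 16+4n..17+4n, LEN_n in bits
 * 18+4n..19+4n.
 */
#include <stdint.h>
#include <stdio.h>

struct dr7_info {
    unsigned enabled;  /* bit n set: breakpoint n (address in DRn) is armed  */
    unsigned local;    /* L0..L3                                            */
    unsigned global;   /* G0..G3                                            */
    int le, ge, gd;    /* local/global exact, general detect                */
};

unsigned dr7_rw(uint32_t dr7, int n)  { return (dr7 >> (16 + 4 * n)) & 3u; } /* 0 exec, 1 write, 2 I/O, 3 read/write */
unsigned dr7_len(uint32_t dr7, int n) { return (dr7 >> (18 + 4 * n)) & 3u; } /* 0=1 byte, 1=2, 3=4, 2=8 (64-bit)      */

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info i = {0};
    for (int n = 0; n < 4; n++) {
        unsigned l = (dr7 >> (2 * n)) & 1u;
        unsigned g = (dr7 >> (2 * n + 1)) & 1u;
        i.local   |= l << n;
        i.global  |= g << n;
        i.enabled |= (l | g) << n;
    }
    i.le = (dr7 >> 8) & 1u;
    i.ge = (dr7 >> 9) & 1u;
    i.gd = (dr7 >> 13) & 1u;
    return i;
}

/* Number of armed breakpoints: BPMs live in DR0-DR3 and are enabled here. */
int dr7_breakpoint_count(uint32_t dr7)
{
    unsigned e = dr7_decode(dr7).enabled, c = 0;
    for (; e; e >>= 1) c += e & 1u;
    return (int)c;
}

/* The test a ring-0 check makes: with nothing loaded only the reserved bit 10
 * is set (0x400). 0x700 adds LE and GE, the value the text reports for a
 * program started through the SoftICE loader; any L/G bit means a BPM is set. */
int dr7_touched_by_debugger(uint32_t dr7)
{
    return (dr7 & ~0x400u) != 0;
}

static const char *rw_name(unsigned rw)
{
    static const char *const n[] = {"execute", "write", "io", "read/write"};
    return n[rw & 3];
}

void dr7_print(uint32_t dr7)
{
    struct dr7_info i = dr7_decode(dr7);
    printf("DR7=%08x: LE=%d GE=%d GD=%d touched=%d armed=%d\n", dr7, i.le, i.ge,
           i.gd, dr7_touched_by_debugger(dr7), dr7_breakpoint_count(dr7));
    for (int n = 0; n < 4; n++)
        if (i.enabled & 1u << n)
            printf("  DR%d armed (%s), %s, len code %u\n", n,
                   i.global & 1u << n ? "global" : "local",
                   rw_name(dr7_rw(dr7, n)), dr7_len(dr7, n));
}

int main(void)
{
    dr7_print(0x400);   /* no debugger, value from the text                     */
    dr7_print(0x700);   /* SoftICE loader, value from the text                  */
    dr7_print(0x30701); /* constructed: BPM on DR0, read/write, 1 byte, LE/GE   */
    return 0;
}
```

When clearing BPMs from ring 0, as the text mentions, it is the L/G pair for the slot that matters; zeroing DR0-DR3 alone leaves the enable bits in place and the debugger will fault on address zero instead.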
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
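The sample above probes a single driver name; in practice the check is made against all three names listed in this method, and the SoftICE side of it is the conditional on the CreateFileA breakpoint. The program below is an added example, not the original's or NuMega's code: it generalises the probe to SICE, SIWVID and NTICE, and implements in C the test that `*(esp->4+4)=='SICE' || ... =='NTIC'` performs on CreateFileA's first argument. On Windows it calls CreateFileA exactly as the listing does; on other systems it falls back to open(2), which is an assumption made only so the code builds and the "not loaded" path can be run anywhere. The test assumes that no SoftICE driver is present on the machine it runs on.

```c
/* Added example, not code from the original text. */
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device names opened by MeltICE-style checks (names from the text). */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* Win9x SoftICE driver       */
    "\\\\.\\SIWVID",  /* Win9x SoftICE video driver */
    "\\\\.\\NTICE",   /* WinNT SoftICE driver       */
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Try to obtain a handle on a device; 1 if it opened (driver present), else 0. */
int probe_device(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    /* Assumed fallback: on POSIX "\\.\SICE" is just a file name that does not exist. */
    int fd = open(path, O_RDWR);
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Returns the first SoftICE device name that could be opened, or NULL. */
const char *softice_device_present(void)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (probe_device(softice_devices[i])) return softice_devices[i];
    return NULL;
}

/* Detection side: what the breakpoint
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * evaluates. esp->4 is lpFileName, +4 skips the "\\.\" prefix, and the four
 * bytes there are compared with the tag. The same test on a C string: */
int is_softice_open_request(const char *name)
{
    static const char *const tags[] = {"SICE", "SIWV", "NTIC"};
    if (strncmp(name, "\\\\.\\", 4) != 0 || strlen(name) < 8) return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(name + 4, tags[i], 4) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *d = softice_device_present();
    printf("%s\n", d ? d : "no SoftICE driver handle could be opened");
    printf("\\\\.\\SIWVID would trip the BPX: %d\n", is_softice_open_request("\\\\.\\SIWVID"));
    return 0;
}
```

The _lopen variant quoted above goes through the same device path with OF_READ, so the name test applies unchanged; only the breakpoint location (KERNEL32!_lopen instead of CreateFileA) differs.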

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>