About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
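
A static triage pass for the constants that methods 01, 02, 05, 11 and 12 embed in code, as an added example (Python; not code from the original post or from any tool it names). The breakpoints listed above catch these checks at run time; this scans a raw code/data blob beforehand and reports each hit with its offset, so an analyst knows where the check sits before stepping into it. Immediates are matched together with the opcode byte of the instruction the text shows (mov ebp, cmp ax, push, mov si/di), in the 16-bit operand form the DOS-era snippets use; a 32-bit build that adds a 66h prefix in front still matches because the pattern starts at the opcode byte. The sample blob in build_sample() is constructed here and is not taken from any real binary.

```python
"""Static triage for the anti-SoftICE constants listed in methods 01, 02, 05,
11 and 12 (added example).  Scans a raw code/data blob for the immediate values
and driver names those checks embed and reports each hit with its offset."""

import struct

# (label, byte pattern).  Immediates are little-endian and preceded by the opcode
# byte of the instruction shown in the text, so a bare data match does not count.
SIGNATURES = [
    ("method 01: mov ebp, 4243484Bh ('BCHK' BoundsChecker probe)",
     b"\xBD" + struct.pack("<I", 0x4243484B)),
    ("method 05/12: cmp ax, 0F386h (system debugger magic number)",
     b"\x3D" + struct.pack("<H", 0xF386)),
    ("method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     b"\x68" + struct.pack("<I", 0x002A002A)),
    ("method 11: '\\\\.\\SICE' device name", b"\\\\.\\SICE"),
    ("method 11: '\\\\.\\SIWVID' device name", b"\\\\.\\SIWVID"),
    ("method 11: '\\\\.\\NTICE' device name", b"\\\\.\\NTICE"),
]

# method 02: the back door loads both magic values right before int 3, so
# require mov si,4647h and mov di,4A4Dh within a few bytes of each other.
MOV_SI_MAGIC = b"\xBE" + struct.pack("<H", 0x4647)   # mov si, 4647h
MOV_DI_MAGIC = b"\xBF" + struct.pack("<H", 0x4A4D)   # mov di, 4A4Dh
PAIR_WINDOW = 16


def find_all(blob: bytes, needle: bytes):
    """Yield every offset of needle in blob."""
    off = blob.find(needle)
    while off != -1:
        yield off
        off = blob.find(needle, off + 1)


def scan(blob: bytes) -> list:
    """Return sorted (offset, label) hits for the known anti-SoftICE patterns."""
    hits = []
    for label, needle in SIGNATURES:
        hits.extend((off, label) for off in find_all(blob, needle))
    di_offsets = list(find_all(blob, MOV_DI_MAGIC))
    for si_off in find_all(blob, MOV_SI_MAGIC):
        if any(0 < di - si_off <= PAIR_WINDOW for di in di_offsets):
            hits.append((si_off, "method 02: SoftICE back door magic SI=4647h / DI=4A4Dh"))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample blob (not from a real binary): filler around a
    method 02 back door call, a method 05 int 41h check and a method 11 name."""
    return (
        b"\x90" * 8
        + b"\xB8\x11\x09"              # mov ax, 0911h   (execute command)
        + MOV_SI_MAGIC                 # mov si, 4647h
        + MOV_DI_MAGIC                 # mov di, 4A4Dh
        + b"\xCD\x03"                  # int 3
        + b"\x90" * 4
        + b"\xB8\x4F\x00"              # mov ax, 4Fh
        + b"\xCD\x41"                  # int 41h
        + b"\x3D\x86\xF3"              # cmp ax, 0F386h
        + b"\x00" * 4
        + b"\\\\.\\SICE\x00"
        + b"\x90" * 8
    )


if __name__ == "__main__":
    for off, label in scan(build_sample()):
        print(f"{off:08x}  {label}")
```

The result is triage, not proof: a check that computes its constants at run time or reads the device name from an encrypted string table will not match, which is exactly when the run-time breakpoints listed above remain the better tool.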

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>