<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE services: with ebp='BCHK' and ax=4, an
int 3 is answered by SoftICE, which modifies al; without SoftICE nobody
touches the registers and al still holds 4 afterwards.

                mov ebp, 04243484Bh     ; 'BCHK'
                mov ax, 04h
                int 3
                cmp al,4                ; still 4 if nobody serviced the call
                jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands. It is also abused to crash SoftICE or to force it
to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks for.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV   AX,0911      ; execute command.
4C19:0098 MOV   DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV   SI,4647      ; 1st magic value.
4C19:009D MOV   DI,4A4D      ; 2nd magic value.
4C19:00A0 INT   3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD   BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC   CX
4C19:00A5 CMP   CX,06        ; repeat 6 times to execute
4C19:00A8 JB    0095         ; 6 different commands.
4C19:00AA JMP   0002         ; Bad_Guy: jump back.
4C19:00AD MOV   BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is done by the program's own exception (int 3) handler,
  which gets control when no debugger has taken over int 3.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID through
int 2Fh/1684h (Get VxD API entry point). If the VxD is loaded, ES:DI is set
to its API entry point; if not, ES:DI stays 0:0. Note that the check below
only tests whether ES+DI is non-zero (an "or ax,di" would be the sounder way
to test both halves).

                xor di,di
                mov es,di
                mov ax, 1684h
                mov bx, 0202h           ; VxD ID of WINICE (SICE)
                int 2Fh
                mov ax, es              ; ES:DI -> VxD API entry point
                add ax, di
                test ax,ax              ; ES=DI=0 => no entry point, no SoftICE
                jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks up the ID of the
SoftICE GFX (video) VxD, SIWVID.

                xor di,di
                mov es,di
                mov ax, 1684h
                mov bx, 7a5Fh           ; VxD ID of SIWVID
                int 2fh
                mov ax, es              ; ES:DI -> VxD API entry point
                add ax, di
                test ax,ax
                jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger that implements the debugger installation check:
int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

                mov ax,4fh
                int 41h
                cmp ax, 0F386h
                jz SoftICE_detected

The next method and the following one are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at its own dummy handler (a bare iret), so an unhooked int 41h comes back
with ax unchanged: a 0F386h answer cannot come from the vector table and
must come from a debugger intercepting the interrupt before it gets there,
as SoftICE does. ES is assumed to be 0 (the IVT segment) in this snippet:

                mov bx, cs
                lea dx, int41handler2
                xchg dx, es:[41h*4]         ; install our handler (offset), keep the old one
                xchg bx, es:[41h*4+2]       ; install our handler (segment)
                mov ax,4fh
                int 41h
                xchg dx, es:[41h*4]         ; restore the original vector
                xchg bx, es:[41h*4+2]
                cmp ax, 0f386h
                jz SoftICE_detected

int41handler2 PROC
                iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect, because
function 4Fh never appears. An arbitrary value (the PIT counter read from
port 40h) is put in al, cx is zeroed and int 41h is issued with our own
handler in the vector table. If that handler really runs, cl ends up equal
to al; if a debugger intercepts int 41h and never reaches the vector table,
cl stays 0 and the mismatch gives it away. (If port 40h happens to return 0
the test is inconclusive, since cl==al either way.)

int41handler PROC
                mov cl,al               ; proves that the IVT handler ran
                iret
int41handler ENDP

                xor ax,ax
                mov es,ax               ; ES = 0 (interrupt vector table)
                mov bx, cs
                lea dx, int41handler
                xchg dx, es:[41h*4]     ; install our handler, keep the old vector
                xchg bx, es:[41h*4+2]
                in al, 40h              ; arbitrary value: timer channel 0 counter
                xor cx,cx
                int 41h
                xchg dx, es:[41h*4]     ; restore the old vector
                xchg bx, es:[41h*4+2]
                cmp cl,al
                jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Int 68h/AH=43h is
the installation check of the Windows kernel debugger (WDEB386); it answers
with the 0F386h magic when a system debugger is installed.

                mov ah,43h
                int 68h
                cmp ax,0F386h
                jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

                BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system: int 01h and int 03h
are intercepted and redirected to another routine, so any single-step or
breakpoint ends up in that routine instead of in the debugger.
It uses int 21h functions 35h (get vector) and 25h (set vector); ds:dx
points to the new routine to execute (hangs the computer...).

                mov ah, 25h
                mov al, Int_Number              ; 01h or 03h
                mov dx, offset New_Int_Routine  ; DS:DX = new handler
                int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed from ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device; it returns that device's Device Description Block (in ecx)
if it is installed.

                mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID
                mov edi, Device_Name    ; only used when there is no VxD ID (useless here ;-)
                VMMCall Get_DDB
                mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
                bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before running a program that uses
this trick. DO NOT trace with SoftICE while it is executing!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7=0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (dr0 to dr3 hold the BPM addresses; the R/W and LEN
fields of dr7 describe them). The values can also be manipulated or changed
(clearing BPMs, for instance).
0x400 is simply the reset value of dr7: bit 10 is reserved and always reads
as 1. 0x700 additionally has bits 8 and 9 set (LE and GE, the "exact
breakpoint" enables).

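As an added example (not part of the original text), here is a decoder for
the values a ring-0 reader would pull out of dr7 and dr0-dr3. It shows why
0x400 is the "nothing set" value, what 0x700 adds, and how an armed memory
breakpoint shows up in the enable, R/W and LEN fields. The sample values in
main() are constructed; how SoftICE itself encodes a BPM is not documented on
this page, so the one-breakpoint example is only an illustration of the
register layout.

```c
/* dr7_decode.c - decode x86 debug-register state as read from ring 0.
 * Added example, not from the original text. The sample values in main()
 * are constructed; SoftICE's own BPM encoding is not taken from the page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE    (1u << 8)   /* local exact breakpoint enable */
#define DR7_GE    (1u << 9)   /* global exact breakpoint enable */
#define DR7_BIT10 (1u << 10)  /* reserved, always reads as 1: reset value is 0x400 */
#define DR7_GD    (1u << 13)  /* general detect: trap on any mov to/from DRn */

/* L<n> (bit 2n) or G<n> (bit 2n+1) set means slot n is armed. */
int dr7_slot_enabled(uint32_t dr7, int n) {
    return ((dr7 >> (2 * n)) & 3) ? 1 : 0;
}

/* R/W<n> field, bits 16+4n..17+4n: 0=exec, 1=write, 2=I/O (needs CR4.DE), 3=read/write */
const char *dr7_slot_type(uint32_t dr7, int n) {
    static const char *const names[4] = { "exec", "write", "io", "rw" };
    return names[(dr7 >> (16 + 4 * n)) & 3];
}

/* LEN<n> field, bits 18+4n..19+4n: 0=1 byte, 1=2 bytes, 3=4 bytes, 2=8 bytes (64-bit only) */
int dr7_slot_len(uint32_t dr7, int n) {
    static const int lens[4] = { 1, 2, 8, 4 };
    return lens[(dr7 >> (18 + 4 * n)) & 3];
}

/* Number of armed hardware breakpoints (what SoftICE BPMs would occupy). */
int dr7_count_bpm(uint32_t dr7) {
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_slot_enabled(dr7, n);
    return count;
}

/* The heuristic from the text: 0x400 is the bare reset value (only bit 10),
 * 0x700 additionally has LE and GE set. */
int dr7_has_le_ge(uint32_t dr7) {
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Pretty-print dr7 together with the four address registers
 * (which a VxD would read with mov eax, drN). */
void describe_debug_regs(uint32_t dr7, const uint32_t dr[4]) {
    printf("dr7=%08x  LE=%u GE=%u GD=%u bit10=%u  armed=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           !!(dr7 & DR7_BIT10), dr7_count_bpm(dr7));
    for (int n = 0; n < 4; n++) {
        if (!dr7_slot_enabled(dr7, n))
            continue;
        printf("  dr%d=%08x  %s  len=%d  (%s)\n", n, dr[n],
               dr7_slot_type(dr7, n), dr7_slot_len(dr7, n),
               ((dr7 >> (2 * n)) & 1) ? "local" : "global");
    }
}

int main(void) {
    const uint32_t none[4] = { 0, 0, 0, 0 };
    /* constructed: a clean machine, then the 0x700 the text attributes to the loader */
    describe_debug_regs(0x00000400u, none);
    describe_debug_regs(0x00000700u, none);
    /* constructed: one 4-byte read/write breakpoint on 00401000 in slot 0 (L0 set) */
    const uint32_t one[4] = { 0x00401000u, 0, 0, 0 };
    describe_debug_regs(0x000F0701u, one);
    return 0;
}
```

The decoder is pure arithmetic, so it can be run on values dumped from a
driver or from a crash report; the only ring-0 step is the mov from the
debug registers themselves.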
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. A successful open means the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open only succeeds if the VxD answered the DIOC_OPEN message. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA the request goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, reached via Kernel32!ORD_0001, the VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how could a shareware
tool load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag, allowing its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
        00401074:  je 00401091          ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

                push 00                 ; OF_READ
                mov eax,[00656634]      ; '\\.\SICE',0
                push eax
                call KERNEL32!_lopen
                inc eax                 ; HFILE_ERROR (-1) becomes 0
                jnz 00650589            ; detected
                push 00                 ; OF_READ
                mov eax,[00656638]      ; '\\.\SICE'
                push eax
                call KERNEL32!_lopen
                inc eax
                jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it only works on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem
demo.

                push 0000004fh          ; function 4fh
                push 002a002ah          ; high word: which VxD (002Ah = VWIN32)
                                        ; low word: which service
                                        ;   (002Ah = VWIN32_Int41Dispatch)
                call Kernel32!ORD_0001  ; VxDCall
                cmp ax, 0f386h          ; magic number returned by system debuggers
                jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (esp->8 is lpSubKey; 'tICE' sits at offset
0x13 of key #2 and 0x37 of key #1; key #3 is not covered by it):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

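The conditional breakpoints of method 11 (CreateFileA, *(esp->4+4)) and of
method 13 (_regopenkey, *(esp->8+0x13) and *(esp->8+0x37)) both compare a
dword at a fixed offset into the string argument against a 4-character tag.
As an added example (not from the original text), the same tests redone in C
over constructed arguments, so the offsets can be checked without SoftICE:

```c
/* bpx_conditions.c - the conditional-breakpoint tests from methods 11 and 13
 * redone in C to verify the offsets. Added example, not from the original
 * text; the sample strings in main() are constructed. */
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p)=='SICE' compares the dword at p with the literal as it sits
 * in memory, i.e. the four bytes 'S','I','C','E' in order. */
static int tag4_at(const char *s, size_t off, const char *tag) {
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix.
 * Returns the matched tag, or NULL when the breakpoint would not fire. */
const char *createfile_softice_tag(const char *lpFileName) {
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (tag4_at(lpFileName, 4, tags[i]))
            return tags[i];
    return NULL;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey. */
int regopenkey_softice_hit(const char *lpSubKey) {
    return tag4_at(lpSubKey, 0x13, "tICE") || tag4_at(lpSubKey, 0x37, "tICE");
}

/* Where the two offsets come from: byte position of "tICE" in the subkey,
 * or -1 when the key does not contain it (key #3 on the page). */
long tice_offset(const char *lpSubKey) {
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (long)(p - lpSubKey) : -1L;
}

int main(void) {
    /* constructed arguments, as a protection would pass them */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "C:\\readme.txt" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        const char *tag = createfile_softice_tag(files[i]);
        printf("CreateFileA(\"%s\") -> %s\n", files[i], tag ? tag : "no break");
    }
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> 'tICE' at %ld, %s\n", keys[i],
               tice_offset(keys[i]),
               regopenkey_softice_hit(keys[i]) ? "break" : "no break");
    return 0;
}
```

Running it shows the App Paths key never trips the _regopenkey condition,
which is why a program probing key #3 alone slips past that breakpoint.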
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As its name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

                VMMCall Test_Debug_Installed
                je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>