<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE (when SoftICE answers the
BoundsChecker call, al no longer holds the value 4 that was passed in):

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command; ds:dx points to the command)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to the IVT (es = 0), see method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(no 4Fh function number and no 0F386h constant to look for):

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer byte: a value unknown in advance
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

If int 41h reaches the handler installed in the IVT, cl receives a copy of al
and the compare succeeds; if SoftICE answers the interrupt itself, the handler
never runs, cl stays 0 and the check fires.
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
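To make the two DR7 values quoted above concrete, here is an added Python decoder (not part of the original text) that splits DR7 into its fields as documented in the Intel SDM; classify_dr7 is this example's own heuristic built on the 0x700/0x400 observation, not a routine from any named program.

```python
# DR7 field layout (Intel SDM vol. 3, "Debug Registers"); bit 10 is reserved
# and always reads as 1, which is why an idle DR7 shows 0x400 and not 0.
LE, GE, RESERVED_BIT10, GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7):
    """Split DR7 into the enabled breakpoints (dr0-dr3) and the control bits."""
    bps = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))        # Li bit
        glob = bool(dr7 & (1 << (2 * i + 1)))     # Gi bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi field
            ln = (dr7 >> (18 + 4 * i)) & 3        # LENi field
            bps.append({"reg": f"dr{i}", "local": local, "global": glob,
                        "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & LE), "ge": bool(dr7 & GE),
            "gd": bool(dr7 & GD), "breakpoints": bps}

def classify_dr7(dr7):
    """Method 10 as a heuristic (this example's own): what a program reading
    DR7 in ring0 would conclude from the values quoted in the text.
    0x700 = LE + GE + reserved bit 10; 0x400 = only the reserved bit."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM?)"
    if d["le"] and d["ge"]:
        return "LE/GE set: loaded through SoftICE loader (dr7=0x700)"
    return "no debugger sign (dr7=0x400)"

if __name__ == "__main__":
    # 0xF0402: G0 set, R/W0 = read/write, LEN0 = 4 bytes (a constructed BPM)
    for v in (0x400, 0x700, 0xF0402):
        print(f"dr7={v:#x}: {classify_dr7(v)} {decode_dr7(v)['breakpoints']}")
```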
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
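The checks in methods 01, 02, 03/04, 05, 07, 11, 12 and 13 all leave fixed byte patterns in a binary, so an analyst can triage a sample for them statically. The following Python scanner is an added example, not code from the original text; the opcode encodings (16-bit code for the int-based DOS checks, 32-bit pushes for method 12) and the sample blob are this example's own assumptions.

```python
import re

# Byte signatures of the SoftICE checks listed above (methods 01-13).  The
# int-based DOS checks are encoded as 16-bit code (no 0x66 prefix); method 12
# and the strings are encoded as they appear in a Win32 image.  These
# encodings are assumptions made for this example, not taken from the text.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' int 3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (backdoor magic values)
    "02 int 3 backdoor SI/DI magic": rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh magic F386": rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11: driver names opened with CreateFileA / _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: SoftICE installation key queried in the registry
    "13 NuMega registry key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {n: re.compile(p, re.DOTALL) for n, p in SIGNATURES.items()}

def scan(blob):
    """Return a sorted list of (offset, signature name) for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

# Constructed sample (not a real binary): NOP filler with four of the checks
# from the text embedded at known offsets (16, 46, 70 and 95).
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp,4243484Bh    (method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10" # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\x90" * 16
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # int 2Fh/1684h, bx=0202 (method 03)
    + b"\x90" * 16
    + b"\\\\.\\SICE\x00"                      # "\\.\SICE" string      (method 11)
    + b"\x90" * 16
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"         # push 4Fh ; push 2A002Ah (method 12)
    + b"\x90" * 16
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Patterns written as 16-bit code will miss the 32-bit variants that carry a 0x66 operand-size prefix, so treat a clean result as "no known pattern found", not as proof that the sample is free of these checks.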

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>