<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
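The breakpoints above catch these tricks at run time; as an added illustration (not part of the original text), here is a small static triage scanner in Python that flags the byte patterns methods 01, 02, 03/04, 05/07/12, 11 and 13 leave behind in a raw binary: the 'BCHK' and FG/JM magic values, the int 2Fh/1684h VxD IDs, the 0F386h compare, the MeltICE device names and the registry key names. It assumes the 16-bit instruction encodings the DOS-era listings use and unobfuscated constants; the sample bytes are constructed, and a hit is a triage indicator to confirm with the breakpoints above, not proof.

```python
import re
import sys

# (label, regex over raw bytes). Assumes the 16-bit encodings used by the
# DOS-era listings (mov si,imm16 = BE, mov di,imm16 = BF, mov ax,imm16 = B8,
# mov bx,imm16 = BB) and a 32-bit mov ebp,imm32 (BD) for the BCHK trick.
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') ... int 3
    ("Method 01", re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.S)),
    # Method 02: mov si,4647h ('FG') / mov di,4A4Dh ('JM') ... int 3
    ("Method 02", re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc", re.S)),
    # Method 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("Method 03/04", re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.S)),
    # Method 05/07/12: cmp ax,0F386h (3D 86 F3, or 66 3D 86 F3 in 32-bit code)
    ("Method 05/07/12", re.compile(rb"\x66?\x3d\x86\xf3")),
    # Method 11 (MeltICE): device names \\.\SICE, \\.\SIWVID, \\.\NTICE
    ("Method 11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: the registry key names
    ("Method 13", re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I)),
]


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not from a real packer): the Haspinst-style back door
# call from Method 02, a MeltICE device name, then a cmp ax,0F386h.
SAMPLE = (
    bytes.fromhex("b81109")    # mov ax,0911h
    + bytes.fromhex("8b17")    # mov dx,[bx]
    + bytes.fromhex("be4746")  # mov si,4647h
    + bytes.fromhex("bf4d4a")  # mov di,4A4Dh
    + bytes.fromhex("cc")      # int 3
    + b"\\\\.\\SICE\x00"
    + bytes.fromhex("3d86f3")  # cmp ax,0F386h
)

if __name__ == "__main__":
    # Usage: scanner.py <file>; with no argument the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(blob):
        print(f"{offset:08x}  {label}")
```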

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>