About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh         ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax, ax
    mov     es, ax                  ; ES = 0 (the IVT); not in the original
                                    ; listing, assumed as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al                  ; only reached if nobody swallowed int 41h
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al                  ; cl == al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
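The tricks above are recognisable from their operand bytes alone, which is how an analyst triages a packed sample for them before ever loading it under a debugger. The following scanner is an added example and is not part of the post or its author's code: the opcode encodings are my own (plain 16-bit code, and 32-bit code where the 16-bit register moves carry a 66h prefix), the signature names are mine, and SAMPLE is a constructed buffer stitched together from the post's snippets, not bytes from any real binary. It covers Methods 01, 02, 03/04, 05, 07, 12 and the device-name and registry strings of Methods 11 and 13.

```python
"""Static scanner for the anti-SoftICE idioms listed in the post (added example)."""
import re
import sys
from typing import List, Tuple

# One regex per trick. `.{0,N}?` tolerates a few unrelated instructions between
# the register setup and the trapping instruction, as in the Haspinst.exe listing.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CC or CD 03)
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; ... int 3 (back-door call)
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A.{0,16}?(?:\xCC|\xCD\x03)", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41h/4Fh",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Methods 05/07/12: cmp ax,0F386h (the system-debugger magic number)
    ("M05/07/12 cmp ax,0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12 VxDCall 002A002Ah/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

# Method 11: driver device names, as ANSI (CreateFileA/_lopen) or UTF-16LE (CreateFileW).
for dev in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"):
    ansi = re.escape(dev)
    wide = re.escape(dev.decode("ascii").encode("utf-16-le"))
    SIGNATURES.append(("M11 device name " + dev.decode("ascii"),
                       re.compile(ansi + b"|" + wide)))

# Method 13: the registry key most programs look for (case-insensitive on Windows).
SIGNATURES.append(("M13 registry key Software\\NuMega\\SoftICE",
                   re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I)))


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every match, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed test input: the post's snippets assembled back to back, NOP-padded.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"               # mov ebp,4243484Bh                   (Method 01)
    + b"\x66\xB8\x04\x00\xCC"               # mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"                   # cmp al,4 ; jnz ...
    + b"\x90" * 4
    + b"\xB8\x11\x09"                       # mov ax,0911h (16-bit code)          (Method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h ; mov bx,0202h ; int 2Fh (Method 03)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h  (Method 05)
    + b"\xB4\x43\xCD\x68"                   # mov ah,43h ; int 68h                  (Method 07)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # push 4Fh ; push 002A002Ah             (Method 12)
    + b"\x00\\\\.\\SICE\x00"                # ANSI device name                      (Method 11)
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"   # wide device name
    + b"Software\\NuMega\\SoftICE\x00"      # registry key                          (Method 13)
)


def main(argv: List[str]) -> int:
    """Scan one file; exit status 1 if anything matched (handy in a triage pipeline)."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <file>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        hits = scan(fh.read())
    for offset, name in hits:
        print(f"{offset:08x}  {name}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Byte signatures of this kind are a triage aid, not proof: a packer can reorder the register loads or compute the magic values at run time, so a clean scan only means the textbook form is absent. The `cmp ax,0F386h` signature is deliberately loose because the same compare follows the int 41h, int 68h and VxDCall variants.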
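Methods 11 and 13 are the two checks that still work from ring 3 without any privileged instruction, so they are the ones worth having as a reusable probe. The code below is an added example, not from the post or its author: it performs the MeltICE CreateFile open with the same flags as the C sample and the registry lookups from Method 13, with the two Win32 calls isolated behind injectable backends so the selection logic can run (and be tested) on any platform. Device and key names are the post's; the descriptions beside them and the `softice_report` shape are my own.

```python
"""Runtime SoftICE presence probes for Methods 11 and 13 (added example)."""
import sys
from typing import Callable, Dict, List

# CreateFile arguments used by the MeltICE sample.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x00000080

# Method 11: driver device names; the "\\.\" prefix is added at probe time.
DEVICE_NAMES: Dict[str, str] = {
    "SICE": "SoftICE core driver, Win9x",
    "SIWVID": "SoftICE video driver, Win9x",
    "NTICE": "SoftICE driver, WinNT",
}

# Method 13: keys under HKEY_LOCAL_MACHINE; #2 is the one usually checked.
REGISTRY_KEYS: List[str] = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def win32_device_opens(path: str) -> bool:
    """Real backend (Windows only): CreateFileW with MeltICE's flags; True if a handle came back."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    invalid_handle = ctypes.c_void_p(-1).value          # INVALID_HANDLE_VALUE
    handle = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if handle == invalid_handle:
        return False
    k32.CloseHandle(handle)
    return True


def win32_key_exists(subkey: str) -> bool:
    """Real backend (Windows only): open the key under HKLM, as a RegOpenKey caller would."""
    import winreg

    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
        return True
    except OSError:
        return False


def probe_devices(device_opens: Callable[[str], bool]) -> List[str]:
    """Device names that could be opened: SoftICE is loaded and running."""
    return [name for name in DEVICE_NAMES if device_opens("\\\\.\\" + name)]


def probe_registry(key_exists: Callable[[str], bool]) -> List[str]:
    """Registry keys that exist: SoftICE is installed, running or not."""
    return [key for key in REGISTRY_KEYS if key_exists(key)]


def softice_report(device_opens: Callable[[str], bool] = None,
                   key_exists: Callable[[str], bool] = None) -> Dict[str, object]:
    """Run both probes. Outside Windows the real backends do not exist, so fakes must be injected."""
    if device_opens is None or key_exists is None:
        if sys.platform != "win32":
            raise RuntimeError("Win32 backends only exist on Windows; inject fakes elsewhere")
        device_opens = device_opens or win32_device_opens
        key_exists = key_exists or win32_key_exists
    devices = probe_devices(device_opens)
    keys = probe_registry(key_exists)
    return {"running": bool(devices), "installed": bool(devices or keys),
            "devices": devices, "keys": keys}


if __name__ == "__main__":
    # Constructed fakes standing in for a Win9x box with SoftICE loaded.
    fake_open = lambda path: path in ("\\\\.\\SICE", "\\\\.\\SIWVID")
    fake_key = lambda key: key == r"Software\NuMega\SoftICE"
    print(softice_report(fake_open, fake_key))
```

Keeping the two Win32 calls in separate backends is what makes the check honest to test: the post's own breakpoints (`BPX CreateFileA if *(esp->4+4)=='SICE'`, `BPX _regopenkey ...`) fire exactly on those two calls, so they are the only places a defender has to hook, and the only places a fake has to stand in for.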
汶上信息港 (Wenshang Information Port), 鲁ICP备19052200号-1