About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to point to the IVT (segment 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only reached if nothing else hooks int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our own handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
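An analyst-side addition, not part of the original text: a small Python scanner that looks for the byte patterns of the tricks described in methods 01 to 05, 07, 11 and 12 in a raw binary, the way a reverser would triage a packed sample before loading it under a debugger. The signature names, the optional operand-size prefix handling and the sample blob are constructed for this example.

```python
import re

# Byte signatures for the anti-SoftICE tricks described above. The opcode
# encodings are the standard x86 ones for the instructions shown in the text;
# the signature names are this example's own. `\x66?` allows the operand-size
# prefix so the DOS-era 16-bit sequences also match when found in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "m01_bchk_int3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values) ... int 3
    "m02_backdoor_int3":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_04_int2f_1684":
        re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"
                   rb".{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "m05_int41_4f_f386":
        re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
                   re.DOTALL),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "m07_int68_43_f386":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL),
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    "m11_meltice_device_name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}?\x68\x2A\x00\x2A\x00",
                   re.DOTALL),
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) pairs for every trick found, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not taken from any real protector): an MZ stub with
# Method 01, Method 12 and two MeltICE device names stitched between NOP sleds.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    # mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz +5
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"
    + b"\x90" * 8
    # push 4Fh / push 002A002Ah / call [VxDCall] / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x10\x20\x40\x00\x66\x3D\x86\xF3"
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:08X}  {name}")
```

Run it against a dumped code section rather than a whole compressed file: packers decompress the stub at run time, so the signatures match the unpacked image, not the packed one.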