About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

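Since Methods 01 and 02 are the checks packers use most, an analyst wants to spot them in a binary statically rather than by tracing into every INT 3. The C program below is an added example (not code from the original text): it scans a byte buffer for Method 01's MOV EBP,4243484Bh ('BCHK') followed by an INT 3, and for Method 02's MOV SI,4647h / MOV DI,4A4Dh pair followed by an INT 3. The opcode encodings and the 16-byte proximity windows are the example's own assumptions, and the sample bytes are constructed by re-encoding the two listings above; a lone MOV SI,4647h with no DI load and no INT 3 is deliberately not reported, to show how the window keeps an ordinary constant from being flagged.

```c
/* Static scanner for the two INT 3 based SoftICE checks above: Method 01's
 * 'BCHK' BoundsChecker signature and Method 02's SI/DI back-door magic values.
 * Added example, not from the original article; the sample bytes are
 * constructed by re-encoding the listings above. Opcode encodings used:
 *   BD imm32 = MOV EBP,imm32 (16-bit code adds a 66h prefix in front)
 *   BE imm16 = MOV SI,imm16   BF imm16 = MOV DI,imm16   CC = INT 3 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* First offset >= start at which pat occurs in buf, or -1 if absent. */
static long find_bytes(const uint8_t *buf, size_t len, size_t start,
                       const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen) return -1;
    for (size_t i = start; i + patlen <= len; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return (long)i;
    return -1;
}

/* Is there an INT 3 (CCh) within `window` bytes starting at offset `from`? */
static int int3_within(const uint8_t *buf, size_t len, size_t from, size_t window)
{
    size_t end = (from + window < len) ? from + window : len;
    for (size_t i = from; i < end; i++)
        if (buf[i] == 0xCC) return 1;
    return 0;
}

/* Method 01: MOV EBP,4243484Bh followed by an INT 3 within 16 bytes. */
int count_bchk_checks(const uint8_t *buf, size_t len)
{
    static const uint8_t pat[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
    int hits = 0;
    long at = 0;
    while ((at = find_bytes(buf, len, (size_t)at, pat, sizeof pat)) >= 0) {
        if (int3_within(buf, len, (size_t)at + sizeof pat, 16)) hits++;
        at++;
    }
    return hits;
}

/* Method 02: MOV SI,4647h, then MOV DI,4A4Dh within 16 bytes, then an INT 3.
 * Assumes the SI load comes first, as in the HASP listing; a lone
 * MOV SI,4647h (a legitimate constant) is not reported. */
int count_backdoor_checks(const uint8_t *buf, size_t len)
{
    static const uint8_t si_pat[] = { 0xBE, 0x47, 0x46 };
    static const uint8_t di_pat[] = { 0xBF, 0x4D, 0x4A };
    int hits = 0;
    long at = 0;
    while ((at = find_bytes(buf, len, (size_t)at, si_pat, sizeof si_pat)) >= 0) {
        long di = find_bytes(buf, len, (size_t)at, di_pat, sizeof di_pat);
        if (di >= 0 && di - at <= 16 &&
            int3_within(buf, len, (size_t)di + sizeof di_pat, 16))
            hits++;
        at++;
    }
    return hits;
}

/* Constructed sample: the Method 01 check, the Method 02 loop body, then a
 * benign MOV SI,4647h / RET that must not be counted. */
const uint8_t SAMPLE[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh  ('BCHK') */
    0xB8, 0x04, 0x00,                     /* mov ax,4 */
    0xCC,                                 /* int 3 */
    0x3C, 0x04,                           /* cmp al,4 */
    0x75, 0x10,                           /* jnz SoftICE_Detected */
    0xB8, 0x11, 0x09,                     /* mov ax,0911h */
    0x8B, 0x17,                           /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                     /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                     /* mov di,4A4Dh */
    0xCC,                                 /* int 3 */
    0x83, 0xC3, 0x02,                     /* add bx,2 */
    0xBE, 0x47, 0x46, 0xC3                /* mov si,4647h ; ret  (benign) */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    printf("Method 01 (BCHK) checks : %d\n", count_bchk_checks(SAMPLE, SAMPLE_LEN));
    printf("Method 02 (FG/JM) checks: %d\n", count_backdoor_checks(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Run against a real file, the same two functions would be fed the raw code section; the proximity windows are a heuristic, so a hit should be confirmed by disassembling at the reported offset.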

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

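To make sense of the two DR7 values quoted above, it helps to split the register into its fields. The C decoder below is an added example, not code from the original article: it extracts the per-slot local/global enable bits, the R/W and LEN fields for DR0..DR3, the LE/GE exact-breakpoint bits and the GD (general detect) bit, so that 0x400 reads as "only the reserved bit 10, which always reads as 1" and 0x700 as "LE and GE set on top of it". The field layout is the one Intel documents for DR7; the third sample value (one local execute breakpoint and one global 4-byte write breakpoint) is constructed.

```c
/* Decoder for the DR7 debug control register, to make sense of the values
 * quoted in Method 10 (0x400 with no debugger attached, 0x700 under the
 * SoftICE loader) and of any hardware breakpoints armed in DR0..DR3.
 * Added example, not from the original article; the third sample value in
 * main() is constructed. Field layout follows the Intel SDM description. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local_enable[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];             /* R/Wn (bits 16+4n): 0=exec, 1=write, 2=I/O, 3=read/write */
    int len[4];            /* LENn (bits 18+4n): 0=1 byte, 1=2, 2=8 (64-bit only), 3=4 */
    int le, ge;            /* bits 8, 9: local/global exact breakpoint enable */
    int reserved10;        /* bit 10: reserved, always reads as 1 */
    int gd;                /* bit 13: general detect, traps MOV to/from DRn */
} dr7_fields;

dr7_fields decode_dr7(uint32_t dr7)
{
    dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.local_enable[i]  = (dr7 >> (2 * i))     & 1;
        f.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        f.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        f.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.reserved10 = (dr7 >> 10) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* Number of DR0..DR3 slots armed either locally or globally. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_fields f = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (f.local_enable[i] || f.global_enable[i]) n++;
    return n;
}

/* Bytes covered by a LEN encoding (encoding 2 is 8 bytes on 64-bit CPUs). */
int dr7_len_bytes(int len)
{
    switch (len & 3) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

const char *dr7_rw_name(int rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

/* The article's observation: LE and GE both set (0x300 on top of the reserved
 * bit) under the SoftICE loader, only the reserved bit 10 otherwise. */
int dr7_exact_bp_enabled(uint32_t dr7)
{
    return ((dr7 >> 8) & 3) == 3;
}

void print_dr7(uint32_t dr7)
{
    dr7_fields f = decode_dr7(dr7);
    printf("DR7=%#010x LE=%d GE=%d GD=%d reserved10=%d armed=%d\n",
           (unsigned)dr7, f.le, f.ge, f.gd, f.reserved10, dr7_armed_count(dr7));
    for (int i = 0; i < 4; i++)
        if (f.local_enable[i] || f.global_enable[i])
            printf("  DR%d: %s%s %s, %d byte(s)\n", i,
                   f.local_enable[i] ? "L" : "", f.global_enable[i] ? "G" : "",
                   dr7_rw_name(f.rw[i]), dr7_len_bytes(f.len[i]));
}

int main(void)
{
    print_dr7(0x400);      /* clean: only the reserved bit */
    print_dr7(0x700);      /* LE+GE set, as seen with the SoftICE loader */
    print_dr7(0xD00409);   /* constructed: DR0 local exec bp, DR1 global 4-byte write bp */
    return 0;
}
```

The same decoder applies to a DR7 value read from a crash dump or a hypervisor trace; the LE/GE heuristic is specific to the SoftICE loader the text describes and says nothing about other debuggers.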
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>