<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE's int 3 handler answers the BCHK request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; a real debugger still answers with 0F386h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer counter: a hard-to-predict byte
    xor cx, cx
    int 41h                 ; our handler copies AL into CL
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL still 0: our handler never ran, int 41h was intercepted
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* the driver answers the open only when it is loaded */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
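Beyond breaking on them live in SoftICE, the stubs of methods 01, 02, 05, 07 and 12 can be reduced to fixed byte signatures that an analyst can grep a sample for. The scanner below is an added example, not code from the original text: the encodings assume the exact register choice and instruction order of the listings above (a reordered or register-swapped variant needs its own entry), and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One static signature for an anti-SoftICE stub described in the text. */
typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;

/* Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4 */
static const uint8_t SIG_BCHK[]     = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
/* Method 02 (16-bit DOS): mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t SIG_BACKDOOR[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h */
static const uint8_t SIG_INT41_16[] = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3};
/* Method 05 (32-bit): same sequence with 66h operand-size prefixes */
static const uint8_t SIG_INT41_32[] = {0x66,0xB8,0x4F,0x00, 0xCD,0x41, 0x66,0x3D,0x86,0xF3};
/* Method 07 (32-bit): mov ah,43h / int 68h / cmp ax,0F386h */
static const uint8_t SIG_INT68[]    = {0xB4,0x43, 0xCD,0x68, 0x66,0x3D,0x86,0xF3};
/* Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall) */
static const uint8_t SIG_VXDCALL[]  = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};

static const sig_t SIGS[] = {
    {"method01 BCHK/int3",       SIG_BCHK,     sizeof SIG_BCHK},
    {"method02 int3 backdoor",   SIG_BACKDOOR, sizeof SIG_BACKDOOR},
    {"method05 int41/4Fh 16bit", SIG_INT41_16, sizeof SIG_INT41_16},
    {"method05 int41/4Fh 32bit", SIG_INT41_32, sizeof SIG_INT41_32},
    {"method07 int68/43h",       SIG_INT68,    sizeof SIG_INT68},
    {"method12 VxDCall int41",   SIG_VXDCALL,  sizeof SIG_VXDCALL},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf for any signature. Returns its index in SIGS (or -1) and stores
 * the offset of the hit in *off; the lowest offset wins when several match. */
int scan_anti_sice(const uint8_t *buf, size_t n, size_t *off)
{
    for (size_t i = 0; i < n; i++)
        for (size_t s = 0; s < NSIGS; s++)
            if (SIGS[s].len <= n - i && memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0) {
                if (off) *off = i;
                return (int)s;
            }
    return -1;
}

/* Constructed sample: a small prologue, then a Method 01 stub and its jnz. */
static const uint8_t SAMPLE_STUB[] = {
    0x55, 0x8B, 0xEC, 0x90,                        /* push ebp / mov ebp,esp / nop */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04,
    0x75, 0x10                                     /* jnz SoftICE_Detected */
};

int main(void)
{
    size_t off;
    int s = scan_anti_sice(SAMPLE_STUB, sizeof SAMPLE_STUB, &off);
    if (s >= 0) printf("hit: %s at offset %zu\n", SIGS[s].name, off);
    else        printf("no anti-SoftICE stub found\n");
    return 0;
}
```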
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>