<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
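The instruction sequences of Methods 01 and 02 (and the int 41h/4Fh, int 68h/43h and VxDCall checks described further down the page) have fixed byte encodings, so an analyst triaging a packer or a protected executable can flag them statically before ever running the sample. The following Python scanner is an added example, not code from the original text: the byte encodings (16-bit code for the SI/DI back door as in Haspinst.exe, 32-bit code for the 'BCHK' check and the VxDCall variant) and the assumption that the instructions sit back to back are taken from the listings above, and the sample buffer is constructed.

```python
"""Static triage scanner for the INT-based SoftICE checks of Methods 01, 02,
05, 07 and 12 (added example; not code from the original text).

Assumptions (not stated in the text): the 'BCHK' check and the VxDCall
variant appear in 32-bit code, the SI/DI back door appears in 16-bit code
(as in Haspinst.exe) or with 66h operand-size prefixes in 32-bit code, and
the instructions are adjacent, as the listings show them.
"""
from typing import List, Optional, Tuple

# Byte encodings of the instruction sequences quoted in the text.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: MOV EBP,4243484Bh / MOV AX,4 / INT 3 (32-bit code)
    ("M01 BoundsChecker 'BCHK' INT 3", b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"),
    # Method 02: MOV SI,4647h / MOV DI,4A4Dh / INT 3 (16-bit code)
    ("M02 SoftICE INT 3 backdoor", b"\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    # Method 02 in 32-bit code (66h prefix on each 16-bit register move)
    ("M02 SoftICE INT 3 backdoor", b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"),
    # Method 05: MOV AX,4Fh / INT 41h (16-bit and 32-bit encodings)
    ("M05 INT 41h fn 4Fh debugger check", b"\xB8\x4F\x00\xCD\x41"),
    ("M05 INT 41h fn 4Fh debugger check", b"\x66\xB8\x4F\x00\xCD\x41"),
    # Method 07: MOV AH,43h / INT 68h
    ("M07 INT 68h fn 43h check", b"\xB4\x43\xCD\x68"),
    # Method 12: PUSH 4Fh / PUSH 002A002Ah ahead of the CALL to VxDCall
    ("M12 VWIN32_Int41Dispatch via VxDCall", b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("M12 VWIN32_Int41Dispatch via VxDCall", b"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

# Back door function numbers listed in Method 02.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SIce window",
    0x0911: "execute SIce command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set SIce breakpoints",
    0x0914: "remove SIce breakpoints",
}


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which `pattern` occurs in `buf`."""
    hits, start = [], 0
    while True:
        idx = buf.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def backdoor_function(buf: bytes, hit: int, window: int = 16) -> Optional[Tuple[int, str]]:
    """Look back up to `window` bytes before an INT 3 back door hit for the
    MOV AX,09xxh (B8 xx 09) that selects the back door command."""
    low = max(0, hit - window)
    for i in range(hit - 3, low - 1, -1):
        if buf[i] == 0xB8 and buf[i + 2] == 0x09:
            fn = 0x0900 | buf[i + 1]
            if fn in BACKDOOR_FUNCTIONS:
                return fn, BACKDOOR_FUNCTIONS[fn]
    return None


def scan(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, signature name, detail) for every match, by offset."""
    findings = []
    for name, pattern in SIGNATURES:
        for off in find_all(buf, pattern):
            detail = ""
            if name.startswith("M02"):
                fn = backdoor_function(buf, off)
                if fn is not None:
                    detail = "AX=%04Xh (%s)" % fn
            findings.append((off, name, detail))
    return sorted(findings)


# Constructed sample: padding, the Haspinst.exe sequence from the text
# (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3), more
# padding, then the Method 05 check (MOV AX,4F / INT 41).
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09" + b"\x8B\x17" + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    + b"\x90" * 5
    + b"\xB8\x4F\x00\xCD\x41"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print("%08X  %-40s %s" % (off, name, detail))
```

Running it on the constructed buffer reports the back door hit at offset 13 with the selected function (AX=0911h, execute command) and the int 41h check at offset 25. A real triage tool would run this over each code section of the file and should expect misses when a packer splits or reorders the instructions; the signatures here match only the adjacent layout quoted in the text.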
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; assumes ES=0 (interrupt vector table)
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

If nothing intercepts int 41h, the program's own handler runs and copies al
into cl; if SoftICE is hooking int 41h, the handler is never reached, cl stays
at 0 and the comparison fails.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

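The two DR7 values quoted above only make sense once the register is split into its fields: 0x400 is just the always-one bit 10, and 0x700 adds the LE and GE (exact-match) flags, while armed BPMs show up as the L/G enable bits plus a type and length field per breakpoint. The decoder below is an added example, not code from the original text; it uses the DR7 layout documented by Intel (L0..L3/G0..G3 in bits 0-7, LE/GE in bits 8-9, GD in bit 13, R/W and LEN pairs in bits 16-31) and the sample values are constructed, since reading DR7 itself needs ring0.

```python
"""Decoder for the x86 DR7 debug control register, as a ring0 check would
have to interpret it (added example, not code from the original text).

The bit layout is the one documented by Intel for DR7: L0..L3 and G0..G3 at
bits 0-7, LE/GE at bits 8-9, bit 10 always reads as 1, GD at bit 13, and a
2-bit R/W plus a 2-bit LEN field per breakpoint at bits 16-31.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its flags and the list of armed hardware breakpoints."""
    result = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                    # DRn may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        scope = "local+global" if local and glob else ("local" if local else "global")
        result["breakpoints"].append(
            {"reg": n, "scope": scope, "type": RW_NAMES[rw], "len": LEN_BYTES[ln]}
        )
    return result


def classify(dr7):
    """Apply the observation from the text: armed DR0-DR3 mean BPMs are set,
    0x700 (LE and GE set) is what the SoftICE loader leaves behind, and 0x400
    (only the always-one bit 10) is the idle state."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "breakpoints"
    if info["le"] and info["ge"]:
        return "loader"
    return "clean"


if __name__ == "__main__":
    # Constructed samples: the two values quoted in the text and one with a
    # 4-byte write breakpoint armed in DR0 (L0=1, R/W0=write, LEN0=4 bytes).
    for value in (0x700, 0x400, 0x000D0001):
        print("dr7=%08X -> %-11s %s" % (value, classify(value), decode_dr7(value)))
```

The same split explains why the text warns against tracing with SoftICE while this check is active: single-stepping and BPMs both leave traces in these fields, so the protected program sees them the moment it reads the register.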
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>