<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker signature that SoftICE recognises on int 3: with EBP='BCHK'
and AX=04h on entry, SoftICE answers by altering AL; without SoftICE, AL is
still 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected    ; AL altered => SoftICE handled the int 3

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the exception handler (SEH) the program
  installs for int 3 if the debugger is not loaded.
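The two-path structure of the Haspinst.exe code (the INT 3 is either swallowed
by SoftICE, or bounces back through the program's own handler) is the principle
behind both Method 01 and Method 02. The block below is an added example, not
code from the original text or from Haspinst.exe: it restates that probe on a
modern Unix, where a ring 3 debugger such as gdb stops on the breakpoint
signal and, by default, does not pass it on to the program. Everything in it is
hypothetical illustration code; os.kill(SIGTRAP) stands in for the INT 3
instruction.

```python
"""Added example: the int 3 probe behind Methods 01 and 02, restated with
the breakpoint signal of a modern Unix (not code from the original text).

The DOS code executes INT 3 and, when no debugger is loaded, lands in its own
exception handler, which jumps to the 'Good_Guy' path; when SoftICE is loaded
it swallows the INT 3 and the program falls through into the 'Bad_Guy' path.
gdb treats SIGTRAP the same way (stop, nopass by default), so the same two-path
structure works here.
"""
import os
import signal


class _TrapReachedUs(Exception):
    """Raised from the signal handler: the breakpoint came back to us."""


def _on_trap(signum, frame):
    # The handler's equivalent of the "jmp to 00ADh" in Haspinst.exe.
    raise _TrapReachedUs


def breakpoint_swallowed() -> bool:
    """Execute a breakpoint and report whether a debugger ate it.

    Returns True on the 'Bad_Guy' path (the trap never reached our handler,
    i.e. something like SoftICE/gdb intercepted it) and False on the
    'Good_Guy' path (our handler ran, so nothing intercepted the trap).
    """
    old = signal.signal(signal.SIGTRAP, _on_trap)
    try:
        os.kill(os.getpid(), signal.SIGTRAP)   # stands in for INT 3
        return True                            # fell through: trap intercepted
    except _TrapReachedUs:
        return False                           # handler ran: no debugger
    finally:
        signal.signal(signal.SIGTRAP, old)     # put the old vector back


if __name__ == "__main__":
    print("debugger detected" if breakpoint_swallowed() else "no debugger")
```

Run it plain and it prints "no debugger"; run it under gdb (or any tracer that
keeps SIGTRAP for itself) and the handler never fires, exactly as the Haspinst
loop never reaches 00ADh while SoftICE is loaded.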
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is cleared first, so it is still 0:0
afterwards when no VxD with that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; still 0:0 => no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy handler, so a 0F386h answer cannot come from a real-mode hook in
the vector table; only a debugger that intercepts int 41h in ring 0 (as
SoftICE does) still replies:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install int41handler2, old vector kept in
        xchg bx, es:[41h*4+2]   ; BX (segment) and DX (offset)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, so the test is whether int 41h really went
through the program's own handler or was intercepted before reaching it.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install int41handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: an unpredictable value in AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL == AL only if our handler ran
        jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (DR0 to DR3), simply by reading
their values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
       when the SICE VxD is loaded and accepts the DIOC_OPEN message. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp  eax,-001        ; INVALID_HANDLE_VALUE
 00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; -> '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0 if the open failed
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; -> '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it (esp->8 is the subkey string; 0x13 and 0x37 are
the offsets of "tICE" inside key #2 and key #1 respectively):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
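Most of the methods above leave fixed byte sequences in the protected program:
the 'BCHK' constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h call with
the SICE or SIWVID VxD ID, the 0F386h compare, the \\.\SICE device names and
the NuMega registry path. The following script is an added example, not part
of the original page: a static scanner that looks for those sequences in a raw
binary image and reports which method they belong to. The encodings are the
16-bit forms of the instructions quoted in Methods 01, 02, 03/04, 05, 07 and 12
(32-bit code carries a 66h prefix the patterns do not require), plus the
strings of Methods 11 and 13. The sample image at the bottom is constructed
for the example and is not a real executable.

```python
"""Added example: static scan of a raw binary for the SoftICE-detection
idioms catalogued on this page (not code from the original text)."""
import re
from typing import List, Tuple

# Byte patterns derived from the instruction sequences and strings quoted in
# the methods above.  `.{0,8}` tolerates a few unrelated bytes between two
# instructions of one sequence.
SIGNATURES = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') BoundsChecker probe",
     rb"\xbd\x4b\x48\x43\x42"),
    ("Method 02: back door magic values SI=4647h / DI=4A4Dh",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46"),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    ("Method 05: mov ax,4Fh / int 41h debugger installation check",
     rb"\xb8\x4f\x00\xcd\x41"),
    ("Method 05/07/12: cmp ax,0F386h (system debugger magic number)",
     rb"\x3d\x86\xf3"),
    ("Method 07: mov ah,43h / int 68h WinICE V86 handler check",
     rb"\xb4\x43\xcd\x68"),
    ("Method 11: MeltICE driver name (ANSI)",
     rb"\x5c\x5c\x2e\x5c(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall 002A002Ah (VWIN32_Int41Dispatch), function 4Fh",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("Method 13: registry key Software\\NuMega\\SoftICE",
     rb"Software\x5cNuMega\x5cSoftICE"),
]


def _wide(name: bytes) -> bytes:
    """UTF-16LE spelling of an ASCII name (what a CreateFileW caller stores)."""
    return b"".join(bytes((c, 0)) for c in name)


# Same device names as a CreateFileW caller would embed them.
SIGNATURES.append((
    "Method 11: MeltICE driver name (UTF-16LE)",
    rb"\x5c\x00\x5c\x00\x2e\x00\x5c\x00(?:"
    + b"|".join(_wide(n) for n in (b"SICE", b"SIWVID", b"NTICE")) + b")",
))

COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def report(image: bytes) -> str:
    lines = [f"{off:08x}  {name}" for off, name in scan(image)]
    return "\n".join(lines) if lines else "no SoftICE checks found"


# Constructed sample image for this example (not a real program): filler, the
# Haspinst.exe sequence quoted in Method 02, a Method 05 check, and the two
# spellings of the MeltICE device name.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                       # mov ax,0911h
    + b"\x8b\x17"                           # mov dx,[bx]
    + b"\xbe\x47\x46"                       # mov si,4647h          (offset 21)
    + b"\xbf\x4d\x4a"                       # mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41"               # mov ax,4Fh / int 41h  (offset 36)
    + b"\x3d\x86\xf3"                       # cmp ax,0F386h         (offset 41)
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE"            (offset 52)
    + _wide(b"\\\\.\\NTICE") + b"\x00\x00"  # L"\\.\NTICE"          (offset 61)
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(report(data))
```

Point it at a packed DOS or Win9x program and the offsets it prints are where
to set the BPX/BPINT conditions listed under Methods 11 and 12, or where to
patch the check out; with no argument it scans the constructed sample.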
</PRE></TD></TR></TBODY></TABLE>