About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone; a system
    jz      SoftICE_detected        ; debugger answers 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; changing value read from the timer port
    xor     cx,cx
    int     41h                     ; if SoftICE handles int 41h itself, our
    xchg    dx, es:[41h*4]          ; handler never runs and cl stays 0
    xchg    bx, es:[41h*4+2]        ; restore the original vector
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

/ o. G: V5 @5 i* k+ J% g7 [
& W: }  A2 g" j' A4 i- vMethod 08
' {- M5 y7 H0 P9 {=========
! [# U* l3 U4 W' M0 ?$ {3 v5 h8 _
It is not a method of detection of SoftICE but a possibility to crash the6 p) u( _0 p3 K
system by intercepting int 01h and int 03h and redirecting them to another7 R1 G; a1 ~. x8 e& k3 {6 \7 j3 e, _" X4 x
routine.
0 x7 R+ b% o; E2 K0 l: eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- E4 E, Z$ y, U: t8 _( T) d! e0 Vto the new routine to execute (hangs computer...)) A1 q! S2 Y& ?! y

# L/ T$ J+ [7 ~    mov     ah, 25h- H$ O: H" K% O" ~$ V
    mov     al, Int_Number (01h or 03h)
" M: S( \, F- ^    mov     dx, offset New_Int_Routine" V: G( [! }! `+ d/ L" D! T
    int     21h3 w3 \. K) l* v: B! C9 w. ^2 r

9 ^- c. {2 x4 Y, t8 {__________________________________________________________________________) U0 B7 N0 t* ?/ b+ B+ C, t7 m. c

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

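To see what the two DR7 values quoted above actually encode, here is a small decoder as an added example (not part of the original post). It follows the documented x86 DR7 layout: L0/G0..L3/G3 in bits 0-7, LE and GE in bits 8 and 9, bit 10 reserved and always read as 1, GD in bit 13, and one R/W + LEN field pair per breakpoint slot in bits 16-31. 0x400 is therefore an empty DR7, 0x700 is an empty DR7 with LE and GE set, and any memory breakpoint (BPM) shows up as an enabled slot in DR0-DR3. The set_breakpoint helper, its default scope and the values fed to it are my own constructions.

```python
# Decoder for the x86 DR7 debug control register (added example, not from
# the original post). Layout per the Intel/AMD manuals:
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
#   bit 8      LE, bit 9 GE              (exact breakpoint match hints)
#   bit 10     reserved, always reads 1  (hence the 0x400 floor)
#   bit 13     GD                        (general detect: trap on DR access)
#   bits 16-31 R/W0,LEN0 ... R/W3,LEN3   (condition and size per slot)

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}          # LEN encoding is not monotonic
KIND_RW = {v: k for k, v in RW_KIND.items()}
BYTES_LEN = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return the global flags and the list of enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                            # slot i is switched off
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i,
                      "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw],
                      "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100),
            "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000),
            "breakpoints": slots}


def set_breakpoint(dr7, slot, kind, length, scope="local"):
    """Return dr7 with `slot` programmed the way a memory breakpoint would
    set it (constructed helper; the scope default is an assumption)."""
    if slot not in range(4):
        raise ValueError("DR7 has four breakpoint slots (0-3)")
    enable_bit = 2 * slot + (1 if scope == "global" else 0)
    # clear the old condition/size bits of this slot, then write the new ones
    dr7 &= ~(0xF << (16 + 4 * slot))
    dr7 |= 1 << enable_bit
    dr7 |= KIND_RW[kind] << (16 + 4 * slot)
    dr7 |= BYTES_LEN[length] << (18 + 4 * slot)
    return dr7


def describe_dr7(dr7):
    """One-line summary of what a reader of DR7 would conclude."""
    d = decode_dr7(dr7)
    if not d["breakpoints"]:
        flags = [n for n in ("le", "ge", "gd") if d[n]]
        return "DR7=%#x: no hardware breakpoints, flags=%s" % (
            dr7, ",".join(flags) or "none")
    parts = ["slot%d %s %s len=%d" % (b["slot"], b["scope"], b["kind"], b["length"])
             for b in d["breakpoints"]]
    return "DR7=%#x: %s" % (dr7, "; ".join(parts))


if __name__ == "__main__":
    # the two values named in the post, then a constructed 4-byte write BPM
    for value in (0x400, 0x700, set_breakpoint(0x700, 0, "write", 4)):
        print(describe_dr7(value))
```

Reading the registers themselves needs ring 0, as the post says; the decoder only interprets a value already obtained. Because bit 10 always reads as 1, an idle DR7 is 0x400 rather than 0, which is why that value is the "nothing loaded" baseline here.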
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

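Most of the checks described in this post (methods 01 to 07, 11 and 12) boil down to a handful of fixed instruction encodings and constants: the 'BCHK' value, the 4647h/4A4Dh magic pair, int 2Fh/1684h with VxD IDs 0202h or 7A5Fh, int 41h/4Fh and int 68h/43h answered by 0F386h, the \\.\SICE family of device names, and the 002A002Ah VxDCall. The following Python scanner is an added example, not code from the original post: it turns those sequences into byte signatures so an analyst can locate the checks in a binary before stepping into them under a debugger. The encodings assume the operand sizes shown in the listings (16-bit code for the DOS interrupt probes, 32-bit code for the BCHK and VxDCall variants), and the sample buffer at the bottom is constructed.

```python
# Static triage scanner for the anti-SoftICE checks listed in this post
# (added example, not code from the original post). Each signature is the
# byte encoding of the instruction sequence or constant a method relies on;
# encodings assume the operand sizes shown in the listings (16-bit DOS code
# for the int 2Fh/41h/68h probes, 32-bit code for the BCHK and VxDCall ones).
import re

# (what it indicates, compiled pattern over raw bytes)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("Method 01: BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC.{0,4}\x3C\x04", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back-door magic values)
    ("Method 02: int 3 back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("Method 03/04: int 2Fh/1684h lookup of SICE or SIWVID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("Method 05/06: int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("Method 07: int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Methods 05/06/07/12: cmp ax,0F386h (with or without a 66h prefix)
    ("debugger magic 0F386h compared in ax",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    ("Method 11: SoftICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (imm8 or imm32) / push 002A002Ah before VxDCall
    ("Method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(data):
    """Return [(offset, description), ...] for every signature hit, by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """Set of distinct indicator names present, for a one-line triage verdict."""
    return {name for _, name in scan(data)}


# Constructed sample: a 16-bit stub running Method 03 against SICE, an
# int 41h/4Fh probe compared with 0F386h, some padding and a MeltICE string.
SAMPLE = (
    b"\x90" * 4
    + b"\x33\xFF\x8E\xC7"                   # xor di,di / mov es,di
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 5
    + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

Hits are leads, not proof: a constant such as 0F386h or the 4647h/4A4Dh pair can occur by chance in data, and code that builds these values at run time or uses another operand size will not match. The offsets simply point at the places where the BPX and BPINT conditions given in this post are worth setting.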
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
" D$ X7 I  z0 T4 `% S" H$ C+ W</PRE></TD></TR></TBODY></TABLE>