About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
Reposted on the 汶上信息港 forum (Discuz!).