<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3
issued with EBP='BCHK' and AX=4 is answered by SoftICE, which returns
AL=0; without SoftICE the interrupt is reflected unchanged and AL still
holds 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; SoftICE clears AL when it sees the BCHK interface
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Whenever you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). The call returns the VxD's API entry point
in ES:DI, or 0:0 if no VxD with that ID is loaded, so a non-zero ES+DI
means the VxD is resident.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one first points the
int 41h vector at its own dummy handler (a bare iret), so that nothing
reached through the vector table can answer; a 0F386h reply can then only
come from a debugger that intercepts the interrupt before the vector is
used:

 mov bx, cs ; ES must be 0 (interrupt vector table) here,
 lea dx, int41handler2 ; as set up explicitly in Method 06
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The program's own int 41h handler copies AL into CL. AL is loaded from the
timer port (40h), an unpredictable value, and CX is zeroed before the call;
if the program's handler really ran, CL equals AL afterwards. When SoftICE
intercepts int 41h before the real-mode vector is reached, the handler
never runs, CL stays 0, and the mismatch gives SoftICE away. There is no
AX=4Fh and no 0F386h constant to search for, hence "more difficult to
detect".

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable byte from the PIT counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86). Function
AH=43h is the installation check and returns AX=0F386h when a debugger
is present.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
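Methods 01 to 07 above each reduce to a short, fixed instruction sequence (magic constants loaded into registers, followed by an int 3, int 2Fh, int 41h or int 68h), so they can be located statically in a packer or dongle envelope before you ever trace into them. The following C program is an added example, not code from the original page or from any of the protectors it mentions: it scans a buffer of 16-bit code for those byte sequences and, for the Method 02 back door, walks back a few bytes to recover the AX function number. The sample buffer is hand-assembled from the snippets on this page (Method 01, the Haspinst.exe listing of Method 02, then Methods 03, 05 and 07) and is constructed for the example, not taken from any real file. The patterns assume 16-bit code; in a 32-bit image the operand-size prefix splits the mov ax/mov bx pairs, so those entries would need adjusting.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define MAXPAT 8

/* One anti-SoftICE byte signature; pat entries are byte values, -1 = wildcard. */
typedef struct {
    const char *method;
    const char *what;
    int pat[MAXPAT];
    size_t len;
} sice_sig;

static const sice_sig SIGS[] = {
    { "Method 01", "mov ebp,'BCHK' before int 3 (BoundsChecker interface)",
      { 0xBD, 0x4B, 0x48, 0x43, 0x42 }, 5 },
    { "Method 02", "mov si,4647h / mov di,4A4Dh (int 3 back door)",
      { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }, 6 },
    { "Method 03", "mov ax,1684h / mov bx,0202h (int 2Fh, SICE VxD)",
      { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02 }, 6 },
    { "Method 04", "mov ax,1684h / mov bx,7A5Fh (int 2Fh, SIWVID VxD)",
      { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A }, 6 },
    { "Method 05", "mov ax,4Fh / int 41h (debugger installation check)",
      { 0xB8, 0x4F, 0x00, 0xCD, 0x41 }, 5 },
    { "Method 07", "mov ah,43h / int 68h (installation check)",
      { 0xB4, 0x43, 0xCD, 0x68 }, 4 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct {
    size_t offset;
    int    sig;          /* index into SIGS */
    int    backdoor_fn;  /* AX for Method 02 hits (0910h..0914h), else -1 */
} sice_hit;

static int match_at(const uint8_t *buf, size_t n, size_t off, const sice_sig *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != -1 && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Method 02 loads AX=09xxh somewhere before the magic values; look back up to
   16 bytes for "mov ax,imm16" (B8 lo 09) and return the function number. */
static int backdoor_function(const uint8_t *buf, size_t off)
{
    size_t start = off > 16 ? off - 16 : 0;
    for (size_t i = off; i-- > start; )
        if (buf[i] == 0xB8 && buf[i + 2] == 0x09) return 0x0900 | buf[i + 1];
    return -1;
}

/* Scan buf, writing at most max hits to out; returns the number of hits. */
size_t scan_anti_sice(const uint8_t *buf, size_t n, sice_hit *out, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n && count < max; off++)
        for (size_t s = 0; s < NSIGS; s++) {
            if (!match_at(buf, n, off, &SIGS[s])) continue;
            out[count].offset = off;
            out[count].sig = (int)s;
            out[count].backdoor_fn = (s == 1) ? backdoor_function(buf, off) : -1;
            count++;
            break;
        }
    return count;
}

/* Constructed sample, hand-assembled as 16-bit code from the snippets on this
   page (Method 01, the Haspinst.exe listing of Method 02, Methods 03, 05, 07).
   Not bytes taken from any real file. */
const uint8_t SAMPLE[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,   /* Method 01  */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,            /* 0095..00A0 */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB, 0xE9,0x55,0xFF, 0x8B,0xDC, /* 00A1..00AD */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,            /* Method 03  */
    0xB8,0x4F,0x00, 0xCD,0x41,                                                  /* Method 05  */
    0xB4,0x43, 0xCD,0x68,                                                       /* Method 07  */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    sice_hit hits[16];
    size_t n = scan_anti_sice(SAMPLE, SAMPLE_LEN, hits, 16);
    for (size_t i = 0; i < n; i++) {
        printf("+%04zx  %s: %s", hits[i].offset, SIGS[hits[i].sig].method, SIGS[hits[i].sig].what);
        if (hits[i].backdoor_fn >= 0) printf("  [AX=%04Xh]", hits[i].backdoor_fn);
        putchar('\n');
    }
    return 0;
}
```

Run over the sample it reports five hits (offsets 1, 19, 44, 52 and 57), the second one tagged AX=0911h. To cover a variant that loads the registers in another order, add an entry with -1 wildcards for the bytes that vary rather than loosening an existing one; Method 06 is deliberately absent from the table because, as the page says, it carries no constant worth matching.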
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________


Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: bit 10 of DR7 always reads as 1, and the loader adds the LE/GE
exact-breakpoint bits 8 and 9) or if there are some memory breakpoints set
(dr0 to dr3), simply by reading their value (in ring 0 only, since MOV from
a debug register is privileged). Values can be manipulated and/or changed
as well (clearing BPMs, for instance).
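To make the DR7 numbers concrete, here is an added example (mine, not from the original page): a decoder that takes a DR7 value plus DR0..DR3 and reports which hardware breakpoints are armed, their type and length, and the LE/GE bits that distinguish the page's 0x700 from 0x400, together with the register value a protector writes back when it "clears BPMs". Reading the registers themselves needs ring 0, so the example works on values you have already captured; the sample values below are constructed. The field layout follows the Intel SDM: bits 0-7 are L0/G0..L3/G3, bits 8-9 LE/GE, bit 10 always reads 1, bit 13 GD, and bits 16-31 hold the R/W and LEN pair for each breakpoint.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* One hardware breakpoint as described by DR7 and DR<n>. */
typedef struct {
    int      enabled;  /* L<n> or G<n> set */
    int      local;    /* L<n>: DR7 bit 2n   */
    int      global;   /* G<n>: DR7 bit 2n+1 */
    uint32_t address;  /* linear address held in DR<n> */
    int      rw;       /* 0=execute 1=write 2=I/O (needs CR4.DE) 3=read/write */
    int      len;      /* breakpoint length in bytes */
} hw_breakpoint;

typedef struct {
    hw_breakpoint bp[4];
    int le, ge;        /* bits 8, 9: local/global exact breakpoint enable */
    int gd;            /* bit 13: general detect, traps any MOV to/from DRn */
    int armed;         /* number of enabled breakpoints */
} dr7_state;

/* LEN field -> byte count (encoding 2 = 8 bytes exists only in 64-bit mode). */
static const int DR7_LEN_BYTES[4] = { 1, 2, 8, 4 };
static const char *DR7_RW_NAME[4] = { "exec", "write", "io", "read/write" };

dr7_state decode_dr7(uint32_t dr7, const uint32_t dr[4])
{
    dr7_state s;
    memset(&s, 0, sizeof s);
    for (int n = 0; n < 4; n++) {
        hw_breakpoint *b = &s.bp[n];
        b->local   = (dr7 >> (2 * n)) & 1;
        b->global  = (dr7 >> (2 * n + 1)) & 1;
        b->enabled = b->local || b->global;
        b->address = dr[n];
        b->rw      = (dr7 >> (16 + 4 * n)) & 3;
        b->len     = DR7_LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3];
        s.armed   += b->enabled;
    }
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* The page's loader test: bit 10 always reads 1 (hence 0x400); a program
   started through the SoftICE loader also has LE and GE set (hence 0x700). */
int dr7_has_exact_bits(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* What a protector does when it "clears BPMs": drop every L/G enable bit and
   all R/W and LEN fields, keeping bits 8-15 (LE/GE, reserved bit 10, GD). */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

void print_dr7(uint32_t dr7, const uint32_t dr[4])
{
    dr7_state s = decode_dr7(dr7, dr);
    printf("DR7=%08X  LE=%d GE=%d GD=%d  armed=%d %s\n", (unsigned)dr7, s.le, s.ge, s.gd,
           s.armed, dr7_has_exact_bits(dr7) ? "(started via the SoftICE loader)" : "");
    for (int n = 0; n < 4; n++)
        if (s.bp[n].enabled)
            printf("  DR%d=%08X  %s  len=%d  %s%s\n", n, (unsigned)s.bp[n].address,
                   DR7_RW_NAME[s.bp[n].rw], s.bp[n].len,
                   s.bp[n].local ? "L" : "", s.bp[n].global ? "G" : "");
}

int main(void)
{
    /* Constructed values: a program started with the SoftICE loader (0x700)
       after "BPM 401000 RW" landed in slot 0 (L0=1, RW0=11b, LEN0=11b), plus an
       execute breakpoint in slot 1 (G1=1, RW1=00b, LEN1=00b). */
    uint32_t dr[4] = { 0x00401000u, 0x00401234u, 0, 0 };
    uint32_t dr7 = 0x700u | 0x1u | (3u << 16) | (3u << 18) | 0x8u;   /* = 0xF0709 */
    print_dr7(dr7, dr);
    print_dr7(dr7_clear_breakpoints(dr7), dr);   /* 0x700: loader bits survive, BPMs gone */
    print_dr7(0x400u, dr);                       /* a program not started via the loader */
    return 0;
}
```

The decoder makes the page's check reversible: a protector that only tests dr7==0x700 misses a SoftICE that was attached later, while one that inspects the L/G bits sees every BPM regardless of how the program was loaded; and because dr7_clear_breakpoints keeps bits 8-15, the value it produces still equals 0x700 and so still reveals the loader.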
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* \\.\SICE is the device name of the SoftICE VxD; the open only
 succeeds if the driver is resident */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
dword compared holds the first four letters of the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected


Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the subkey string; offsets 0x13 and 0x37 are where "tICE" falls
in key #2 and key #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only). The service returns with the zero flag clear if a debugger is
installed, set otherwise.

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>