<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE recognises:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers this request
    cmp al,4                ; al is still 4 if no SoftICE was there
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI is still 0:0 if the VxD is absent
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone: only a debugger changes it
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; copy the value we were called with
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx,cx
    int 41h                 ; our handler sets cl=al, unless a debugger intercepts it
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0 -> our handler never ran
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler through int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS Set Interrupt Vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>