About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: BoundsChecker talks
to SoftICE through int 3 with EBP = 'BCHK' and AX = 4, and SoftICE answers
by changing AL. If AL is still 4 after the int 3, nobody answered, i.e. no
SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", entry for int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"). If the VxD is not loaded, ES:DI comes
back as 0000:0000; anything else means the VxD (ID 0202h) is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at its own handler, which does nothing but iret, so a plain dispatch
through the vector table would leave ax untouched. If ax nevertheless comes
back as 0F386h, the interrupt was intercepted before reaching the vector,
i.e. by a system debugger:

    xor     ax,ax
    mov     es,ax                  ; es = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]       ; (old vector is kept in bx:dx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect (no
4Fh in ax and no 0F386h compare to put a conditional breakpoint on). Here
the private handler copies al into cl; al is seeded with a byte read from
the timer port (40h) and cx is cleared before the int 41h. If the handler
really ran, cl equals al afterwards; if it still differs, something
intercepted int 41h before the vector, i.e. a system debugger:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                  ; es = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring 0 only: a mov from a debug register at ring 3 raises a
general protection fault). Values can be manipulated or changed as well
(clearing BPMs, for instance).

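As an added example (not part of the original text), here is a C decoder for
the DR7 layout that gives this trick its numbers. Bit 10 of DR7 is reserved
and always reads as 1, which is where the idle value 0x400 comes from; 0x700
additionally has LE and GE (bits 8 and 9, the "exact breakpoint" enables)
set. L0..L3 and G0..G3 (bits 0..7) arm the four address breakpoints dr0..dr3,
and the R/Wn and LENn fields (bits 16..31) say what kind of access and how
wide, which is what a SoftICE BPM leaves behind. Which value the SoftICE
loader leaves in DR7 is the page's observation, not something this code can
verify; the register can only be read at ring 0, so the sample values below
are constructed constants, not live reads.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of the x86 DR7 debug-control register (Intel SDM vol. 3,
 * "Debug Registers"): Ln = bit 2n, Gn = bit 2n+1, LE = bit 8, GE = bit 9,
 * bit 10 reserved (reads 1), GD = bit 13, R/Wn = bits 16+4n..17+4n,
 * LENn = bits 18+4n..19+4n. */
typedef struct {
    int local_enable[4];   /* Ln: breakpoint n armed for the current task */
    int global_enable[4];  /* Gn: breakpoint n armed for all tasks */
    int rw[4];             /* 0 = execute, 1 = write, 3 = read or write */
    int len[4];            /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
    int le, ge;            /* local / global exact breakpoint enable */
    int gd;                /* general detect: trap any MOV to/from DRn */
} dr7_fields;

dr7_fields dr7_decode(uint32_t dr7) {
    dr7_fields d = {{0}};
    for (int n = 0; n < 4; n++) {
        d.local_enable[n]  = (dr7 >> (2 * n))      & 1;
        d.global_enable[n] = (dr7 >> (2 * n + 1))  & 1;
        d.rw[n]            = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]           = (dr7 >> (18 + 4 * n)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* How many of dr0..dr3 are armed (Ln or Gn set): one per SoftICE BPM. */
int dr7_armed_count(uint32_t dr7) {
    dr7_fields d = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += d.local_enable[n] || d.global_enable[n];
    return count;
}

int dr7_rw(uint32_t dr7, int n)  { dr7_fields d = dr7_decode(dr7); return d.rw[n]; }
int dr7_len(uint32_t dr7, int n) { dr7_fields d = dr7_decode(dr7); return d.len[n]; }

/* The page's Method 10 test: DR7 == 0x700 (LE and GE on top of the always-set
 * bit 10) is what the page attributes to a program started by the SoftICE
 * loader; any armed dr0..dr3 means a memory breakpoint is set. */
int dr7_looks_debugged(uint32_t dr7) {
    dr7_fields d = dr7_decode(dr7);
    return (d.le && d.ge) || dr7_armed_count(dr7) > 0;
}

/* DR7 after arming breakpoint n as a 4-byte read/write watch, i.e. what a
 * "BPM addr RW" leaves in the register (the address itself goes to DRn). */
uint32_t dr7_arm_rw4(uint32_t dr7, int n) {
    dr7 |= 1u << (2 * n);          /* Ln */
    dr7 |= 3u << (16 + 4 * n);     /* R/Wn = 11b: break on read or write */
    dr7 |= 3u << (18 + 4 * n);     /* LENn = 11b: 4 bytes */
    return dr7;
}

/* DR7 with breakpoint n disarmed: the "clearing BPMs" the page mentions. */
uint32_t dr7_disarm(uint32_t dr7, int n) {
    dr7 &= ~(3u << (2 * n));          /* clear Ln and Gn */
    dr7 &= ~(0xFu << (16 + 4 * n));   /* clear R/Wn and LENn */
    return dr7;
}

int main(void) {
    /* Constructed sample values: the two the page quotes, plus one with a BPM. */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm_rw4(0x400, 0) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_fields d = dr7_decode(samples[i]);
        printf("dr7=%08x le=%d ge=%d armed=%d debugged=%d",
               samples[i], d.le, d.ge, dr7_armed_count(samples[i]),
               dr7_looks_debugged(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.local_enable[n] || d.global_enable[n])
                printf(" bp%d(rw=%d len=%d)", n, d.rw[n], d.len[n]);
        printf("\n");
    }
    return 0;
}
```

On a real target the value fed to dr7_decode would come from a ring 0
`mov eax, dr7` (a VxD or driver, as the page says); the decoder is the part
that turns 0x700 versus 0x400, or an armed slot, into a decision.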
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; the open succeeds only if
      the driver answers the open request (see below). */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit-style _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in
     "Software\NuMega\SoftICE" and 0x37 its offset in the Uninstall key)

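As an added example that is not from the original text, MeltICE or any
protector, the C below covers Methods 11 and 13 together: it implements the
test that the BPX conditions above perform, run over constructed sample
arguments (the device names the page lists for CreateFileA/_lopen and the
three registry keys), and it derives the offsets used in those conditions
from the strings themselves, so you can see where +4, 0x13 and 0x37 come
from. The "\\?\" prefix handling and the case-insensitive compares are
assumptions added here for robustness (Win32 device and registry names are
not case sensitive); SoftICE's own compare is on raw bytes, which is why the
offset derivation uses an exact search.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Driver names the page lists for MeltICE-style probes (Method 11). */
static const char *const SOFTICE_DEVICES[] = { "SICE", "SIWVID", "NTICE" };

/* Registry subkeys the page lists for Method 13 (hive prefix omitted). */
static const char *const SOFTICE_KEYS[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

/* Case-insensitive equality (assumption: Win32 names are not case sensitive). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Case-insensitive substring test. */
static int icontains(const char *s, const char *needle) {
    size_t n = strlen(needle);
    for (; *s; s++) {
        size_t i = 0;
        while (i < n && s[i] &&
               tolower((unsigned char)s[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Method 11: is this CreateFileA/_lopen path one of the SoftICE devices?
 * Strips the "\\.\" (or "\\?\") device prefix and returns the matched
 * driver name, or NULL. */
const char *softice_device_probe(const char *path) {
    const char *name = path;
    if (strncmp(path, "\\\\.\\", 4) == 0 || strncmp(path, "\\\\?\\", 4) == 0)
        name = path + 4;
    for (size_t i = 0; i < sizeof SOFTICE_DEVICES / sizeof *SOFTICE_DEVICES; i++)
        if (ieq(name, SOFTICE_DEVICES[i])) return SOFTICE_DEVICES[i];
    return NULL;
}

/* Method 13: does this RegOpenKey subkey target a SoftICE install key? */
int softice_regkey_probe(const char *subkey) {
    for (size_t i = 0; i < sizeof SOFTICE_KEYS / sizeof *SOFTICE_KEYS; i++)
        if (ieq(subkey, SOFTICE_KEYS[i])) return 1;
    return icontains(subkey, "\\SoftICE") || icontains(subkey, "Loader32.Exe");
}

/* Exact byte offset of a 4-char tag inside s, or -1: the "+N" in a SoftICE
 * condition such as *(esp->8+N)=='tICE'. Exact, because SoftICE compares bytes. */
int tag_offset(const char *s, const char *tag4) {
    const char *hit = strstr(s, tag4);
    return hit ? (int)(hit - s) : -1;
}

/* The dword a 32-bit compare reads from "SICE" in memory (little-endian):
 * 0x45434953, not the 0x53494345 you get by writing the letters as hex. */
uint32_t tag_dword(const char *tag4) {
    const unsigned char *p = (const unsigned char *)tag4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Render the BPX condition for one argument: arg_slot is the stack offset of
 * the pointer argument on entry (4 = CreateFileA lpFileName, 8 = RegOpenKey
 * lpSubKey). Returns the tag offset, or -1 if the tag is absent. */
int bpx_condition(char *out, size_t cap, const char *sym, int arg_slot,
                  const char *s, const char *tag4) {
    int off = tag_offset(s, tag4);
    if (off < 0) return -1;
    snprintf(out, cap, "BPX %s if *(esp->%d+0x%x)=='%s'", sym, arg_slot, off, tag4);
    return off;
}

int main(void) {
    /* Constructed sample arguments, modelled on the listings on the page. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "C:\\temp\\x.txt" };
    const char *keys[]  = { SOFTICE_KEYS[1],
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Run" };
    char cond[160];

    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++) {
        const char *hit = softice_device_probe(paths[i]);
        printf("%-22s -> %s\n", paths[i], hit ? hit : "(not a SoftICE device)");
    }
    for (size_t i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("%-50s -> %s\n", keys[i],
               softice_regkey_probe(keys[i]) ? "SoftICE key" : "harmless");

    bpx_condition(cond, sizeof cond, "CreateFileA", 4, "\\\\.\\SICE", "SICE");
    puts(cond);
    bpx_condition(cond, sizeof cond, "_regopenkey", 8, SOFTICE_KEYS[1], "tICE");
    puts(cond);
    bpx_condition(cond, sizeof cond, "_regopenkey", 8, SOFTICE_KEYS[0], "tICE");
    puts(cond);
    printf("'SICE' in memory reads as 0x%08x\n", tag_dword("SICE"));
    return 0;
}
```

The same two probe functions are what you would put behind an API hook on
CreateFileA, _lopen and RegOpenKey today instead of the SoftICE BPX; the
offset derivation is only there to show that 0x13 and 0x37 are nothing more
than the position of "tICE" inside the two key paths.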
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>