About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE services the BoundsChecker interface
    cmp     al,4                   ; AL is left unchanged when nobody handles the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2   ; BX:DX = harmless replacement handler
    xchg    dx, es:[41h*4]      ; swap it into the int 41h vector (ES = 0, the IVT)
    xchg    bx, es:[41h*4+2]    ; ... keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; the dummy handler records AL in CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer byte: an unpredictable AL instead of 4Fh
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; a mismatch means the call never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, 01h                 ; interrupt number: 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; DS:DX -> the new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only when SICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
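As an added example (not part of the original text), here is a small Python triage scanner that flags the byte patterns of the tricks above in a raw file image, the kind of static check an analyst runs before loading a sample under a debugger. The byte encodings are my assumption of the plain 16-bit/32-bit forms of the quoted instructions, and the sample buffer is constructed.

```python
"""Static triage scanner for the anti-SoftICE tricks described above.

Each signature is the plain encoding of an instruction sequence quoted in
the text (16-bit immediates for the int 2Fh / int 41h / back door tricks,
a 32-bit immediate for the 'BCHK' move, short-form pushes for the VxDCall
trick) plus the device and registry names from Methods 11 and 13. That
encoding choice is an assumption: code assembled differently (operand-size
prefixes, values loaded from memory) is not matched.
"""
import re
import struct

SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')            -> BD 4B 48 43 42
    ("01 BoundsChecker 'BCHK' int 3", b"\xBD" + struct.pack("<I", 0x4243484B)),
    # Method 02: mov si,4647h / mov di,4A4Dh            -> BE 47 46 BF 4D 4A
    ("02 SoftICE back door magic values",
     b"\xBE" + struct.pack("<H", 0x4647) + b"\xBF" + struct.pack("<H", 0x4A4D)),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    ("03 int 2Fh/1684h, SICE VxD id 0202h",
     b"\xB8\x84\x16\xBB" + struct.pack("<H", 0x0202) + b"\xCD\x2F"),
    ("04 int 2Fh/1684h, SIWVID VxD id 7A5Fh",
     b"\xB8\x84\x16\xBB" + struct.pack("<H", 0x7A5F) + b"\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h                   -> B8 4F 00 CD 41
    ("05 int 41h/4Fh debugger check", b"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h                   -> B4 43 CD 68
    ("07 int 68h/43h WinICE check", b"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     b"\x6A\x4F\x68" + struct.pack("<I", 0x002A002A)),
]
# Methods 11/13: ASCII device and registry names used by MeltICE-style checks
STRINGS = [
    ("11 MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, pat in SIGNATURES:
        start = 0
        while (i := data.find(pat, start)) != -1:
            hits.append((i, label))
            start = i + 1
    for label, rx in STRINGS:
        hits.extend((m.start(), label) for m in re.finditer(rx, data))
    return sorted(hits)


def methods_found(data: bytes):
    """Set of method numbers (the two-digit prefixes above) seen in data."""
    return {label[:2] for _, label in scan(data)}


# Constructed sample: NOP padding around three of the tricks from the text.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"              # Method 01 ('BCHK')
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 (HASP loop)
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 strings
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

A hit only says the pattern is present; a breakpoint on the corresponding interrupt or API (as listed per method above) confirms whether the code path is actually reached.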