<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap our dummy handler into the int 41h vector
    xchg bx, es:[41h*4+2]    ; (bx:dx now hold the original vector)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; cl receives al only if our handler really runs
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; al = a non-constant value (timer port)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; cl != al: our handler was bypassed by the debugger
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their value (in ring0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
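
The idioms above also make usable static triage signatures. What follows is an
added example, not part of the original text: a small Python scanner that flags
which of Methods 01, 02, 05, 11 and 13 a raw x86 image carries, so the matching
SoftICE breakpoint from the sections above can be set before tracing. The
instruction encodings are the standard x86 ones (B8 = mov ax,imm16; BE/BF =
mov si/di,imm16; BD = mov ebp,imm32; CD = int; 3D = cmp ax,imm16), and the
SAMPLE buffer is constructed here from the Haspinst.exe listing of Method 02
plus a few detector fragments. A packed or encrypted sample must be unpacked
first, and a protector that builds the magic values at run time will not be
caught by byte matching.

```python
"""Static triage for the SoftICE-detection idioms catalogued above.

Added example, not part of the original text. It flags which of Methods 01,
02, 05, 11 and 13 a raw x86 image carries so the matching SoftICE breakpoint
can be set before tracing. Encodings are standard x86: B8 = mov ax,imm16,
BE/BF = mov si/di,imm16, BD = mov ebp,imm32, CD = int, 3D = cmp ax,imm16.
SAMPLE is constructed here from the Haspinst.exe listing plus fragments.
"""
import re
from typing import Dict, List

# One regular expression per idiom. An optional 66h operand-size prefix is
# accepted so the same pattern covers 16-bit and 32-bit code.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') ahead of int 3
    "method01_boundschecker": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov ax, 091xh selects the back-door function (0910h..0914h)
    "method02_backdoor_function": rb"\x66?\xB8[\x10-\x14]\x09",
    # Method 02: mov si, 4647h followed closely by mov di, 4A4Dh (magic values)
    "method02_backdoor_magic": rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
    # Methods 05/06: mov ax, 4Fh / int 41h
    "method05_int41_4f": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Methods 05/07/12: cmp ax, 0F386h (debugger magic number)
    "method05_f386_compare": rb"\x66?\x3D\x86\xF3",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device names (NUL-terminated)
    "method11_driver_name": rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
    # Method 13: the registry key almost every such program reads (#2)
    "method13_registry_key": rb"Software\\NuMega\\SoftICE",
}


def scan(image: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [offsets]} for every idiom found in image."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, image, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits


def methods_present(image: bytes) -> List[str]:
    """Method numbers (as used in the text) with at least one signature hit."""
    return sorted({name[6:8] for name in scan(image)})


def backdoor_function(image: bytes, offset: int) -> int:
    """Decode the imm16 of the 'mov ax, imm16' at offset (66h prefix allowed)
    and return the Method 02 back-door function code, e.g. 0x0911."""
    if image[offset] == 0x66:
        offset += 1
    return int.from_bytes(image[offset + 1:offset + 3], "little")


# Constructed sample image: the Haspinst.exe loop from Method 02, assembled
# by hand, followed by Method 05 and Method 01 fragments and the strings
# that Methods 11 and 13 rely on.
SAMPLE: bytes = b"".join([
    b"\x90" * 16,                                        # 0x00: nop padding
    bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC "  # 0x10: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
                  "83 C3 02 41 83 F9 06 72 EB "           #       add bx,2 / inc cx / cmp cx,6 / jb 0095
                  "E9 55 FF 8B DC"),                      #       jmp 0002 / mov bx,sp
    bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05"),       # 0x2A: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 03"),  # 0x34: Method 01 in 32-bit code
    b"\\\\.\\SICE\x00",                                  # 0x42: Method 11 device name
    b"\\\\.\\NTICE\x00",                                 # 0x4B
    b"Software\\NuMega\\SoftICE\x00",                    # 0x55: Method 13 key
])

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:28s} at " + ", ".join(f"0x{o:04X}" for o in offsets))
    print("methods present:", methods_present(SAMPLE))
    print(f"back-door function: 0x{backdoor_function(SAMPLE, 0x10):04X}")
```

Run it on a dumped (unpacked) image instead of SAMPLE to get the offsets; each
hit tells you which breakpoint from the corresponding method above to set
(BPX CreateFileA for a Method 11 hit, BPINT 41 if ax==4f for Method 05, and
so on). The Method 02 and Method 05 patterns are deliberately loose about the
66h prefix because the same trick appears in both DOS and Win32 code.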
</PRE></TD></TR></TBODY></TABLE>