<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE answers on INT 3: with
EBP='BCHK' and AX=04h, SoftICE's INT 3 handler services the request and AL
comes back changed; if nothing handles the interrupt, AL is still 04h.
(In a Win32 program the INT 3 has to sit under an exception handler,
otherwise the unhandled breakpoint exception kills the process when no
debugger is there.)

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
SoftICE's INT 3 'back door' interface, which gives information on the
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description of the functions:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks for before honouring the request.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
    4C19:00A8 JB 0095 ; 6 different commands.
    4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
INT 2Fh/AX=1684h (Get Device API Entry Point) with BX = the VxD's device ID.
If the VxD is not loaded, ES:DI comes back as 0000:0000.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the INT 41h vector
at a dummy IRET handler: with only the real-mode vector in play nothing would
answer, but SoftICE intercepts INT 41h before the vector table is consulted,
so AX still comes back as 0F386h:

    xor ax,ax
    mov es,ax ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4] ; swap in our handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4] ; ...and restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
replacement INT 41h handler copies AL into CL. AL is loaded with a byte read
from the timer (port 40h) and CX is cleared; after INT 41h, CL==AL means our
handler ran (nobody intercepted the interrupt), CL!=AL means something caught
the interrupt first. Nothing here looks like the 4Fh check of method 05.
(If the port read happens to give 0 and the debugger leaves AL alone, the
test misses it; that is about a 1 in 256 chance.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h ; 'random' byte from the PIT counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86): function AH=43h
of the application debugger interface returns the same 0F386h magic number
in AX.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with DS:DX
pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3), simply by reading
their value (in ring 0 only, since MOV from a debug register is a privileged
instruction). Values can be manipulated and/or changed as well (clearing
BPMs, for instance).
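As an added illustration (my code, not part of the original text), here is a
small C decoder for the DR7 value the method reads. It shows why the two
numbers quoted above look the way they do: bit 10 of DR7 is reserved and
always reads as 1 (hence 0x400 on an untouched machine), the SoftICE loader
leaves LE and GE (bits 8 and 9) set on top of that (hence 0x700), and the low
byte tells which of DR0-DR3 are armed, with the R/W and LEN fields in the
high word saying what kind of breakpoint each one is. The privileged read of
DR7 itself is left out; the sample values in main are constructed, and the
function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of an x86 DR7 value (layout per the Intel SDM). */
typedef struct {
    unsigned enabled_mask;   /* bit i set when DR_i is enabled (L_i or G_i) */
    int le, ge, gd;          /* local exact, global exact, general detect */
    unsigned rw[4];          /* R/W_i: 0=exec, 1=write, 2=I/O, 3=read/write */
    unsigned len_bytes[4];   /* LEN_i decoded to 1/2/4/8 bytes */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {0};
    /* LEN encodings 00,01,10,11 -> 1,2,8,4 bytes (10 is 64-bit only) */
    static const unsigned len_table[4] = {1, 2, 8, 4};
    for (unsigned i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1;
        unsigned global = (dr7 >> (2 * i + 1)) & 1;
        if (local || global)
            d.enabled_mask |= 1u << i;
        d.rw[i]        = (dr7 >> (16 + 4 * i)) & 3;
        d.len_bytes[i] = len_table[(dr7 >> (18 + 4 * i)) & 3];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Bit 10 is reserved and reads as 1, so a DR7 nobody touched is 0x400.
   The text observes that loading a program through the SoftICE loader
   leaves LE|GE (0x300) set on top of that, i.e. 0x700. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Any L_i/G_i bit set means a hardware breakpoint (a BPM in SoftICE
   terms) is armed in the matching DR0..DR3. */
int dr7_has_breakpoints(uint32_t dr7)
{
    return (dr7 & 0xFF) != 0;
}

static const char *rw_name(unsigned rw)
{
    static const char *names[4] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

void print_dr7(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x loader=%d bpm=%d LE=%d GE=%d GD=%d\n", dr7,
           dr7_looks_like_softice_loader(dr7), dr7_has_breakpoints(dr7),
           d.le, d.ge, d.gd);
    for (unsigned i = 0; i < 4; i++)
        if (d.enabled_mask & (1u << i))
            printf("  DR%u armed: %s, %u byte(s)\n", i, rw_name(d.rw[i]),
                   d.len_bytes[i]);
}

int main(void)
{
    /* Constructed sample values: untouched, SoftICE loader, and loader
       plus a 4-byte write BPM in DR0 (L0=1, R/W0=01, LEN0=11). */
    uint32_t samples[] = {0x400, 0x700, 0xD0701};
    for (unsigned i = 0; i < 3; i++)
        print_dr7(samples[i]);
    return 0;
}
```

The 0x700 heuristic only says the loader's LE/GE bits are present; an armed
BPM shows up in the low byte regardless of how the program was started, which
is why the two checks are kept separate.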

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name exposed by the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;   /* the open succeeded: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the carry flag
to allow the handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-1 ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix and the
 dereference compares the next four bytes of the name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; -> '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax ; HFILE_ERROR (-1) becomes 0
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; -> '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32),
                   ; low word specifies which service
                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-( )

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the subkey name; 0x13 and 0x37 are the offsets of "tICE" in
 "Software\NuMega\SoftICE" and in "...\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>