<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded, so the driver answered: SoftICE is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025    ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax, [00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax, [00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
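As an added example (not part of the original text), here is a small Python scanner that looks for the byte patterns of the tricks above (methods 01 through 13) in a binary, the way an analyst would triage a packed sample before loading it in a debugger. The instruction encodings and the constructed sample buffer are my assumptions, not something from the original; the optional 66h prefix is there so one pattern covers both 16-bit DOS code and 32-bit Win32 code.

```python
import re

# Byte signatures for the SoftICE checks in methods 01-13 above. Encodings are
# the plain x86 forms (my assumption; an assembler may pick another form); an
# optional 66h prefix lets one pattern match 16-bit DOS and 32-bit Win32 code.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CCh or CD 03h)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.S)),
    # 02: mov si,4647h ... mov di,4A4Dh (the int 3 back door magic values)
    ("02 int 3 back door magic SI/DI",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh",
     re.compile(rb"\x66?\xB8\x84\x16.{0,6}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"
                rb".{0,6}?\xCD\x2F", re.S)),
    # 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h (gaps allow Stone's xchg pairs)
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
                re.S)),
    # 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # 11: device names handed to CreateFileA / _lopen (MeltICE)
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # 12: push 4Fh ; push 002A002Ah ahead of VxDCall (VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # 13: registry keys that reveal the SoftICE installation directory
    ("13 SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.I)),
]

def scan(blob: bytes):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)

def methods_found(blob: bytes):
    """Distinct method labels present in blob, for a one-line triage verdict."""
    return sorted({label for _, label in scan(blob)})

# Constructed sample (not a real binary): four of the sequences above with
# NOP filler between them. Expected hits: offsets 4, 17, 28 and 37.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC"  # method 01
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                      # method 03
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                       # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                          # method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run it over a whole file with `scan(open(path, "rb").read())`; a hit is a lead to inspect at that offset, not proof on its own, since short sequences like `int 41h` also occur in ordinary code.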