<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
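Both of the int 3 tricks above leave a fixed byte sequence in the protected file, which is how an analyst finds them statically without ever running the sample. The scanner below is an added example (not code from the page or from Frog's Print) that encodes the constant loads from Methods 01 and 02 and looks for them with a small tolerance gap before the int 3 opcode; the gap sizes are my own assumption, and the sample buffer is hand-assembled from the listings above rather than taken from Haspinst.exe.

```python
import re

# Byte signatures for the two int 3 based checks of Methods 01 and 02.
# Encodings (32-bit code for Method 01, 16-bit code for Method 02; the 32-bit
# form of Method 02 only adds a 66h operand-size prefix, which the 3-byte
# tails still match):
#   mov ebp, 4243484Bh  -> BD 4B 48 43 42     'BCHK' stored little-endian
#   mov si, 4647h       -> BE 47 46
#   mov di, 4A4Dh       -> BF 4D 4A
#   int 3               -> CC
# The lazy gaps (.{0,N}?) tolerate the instructions that sit in between
# (mov ax,04h / mov ax,0911h / mov dx,[bx]); the window sizes are an assumption.
SIGNATURES = [
    ("Method 01 (BCHK / int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("Method 02 (SI=4647h, DI=4A4Dh / int 3)",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,16}?\xCC", re.DOTALL)),
]

def find_int3_backdoor_checks(data):
    """Return [(offset, signature name), ...] for every match in data, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample: the Method 01 sequence followed by the core of the
# Haspinst.exe loop from Method 02, hand-assembled (not bytes from the page).
SAMPLE = (
    b"\x55\x8B\xEC"                 # push ebp / mov ebp,esp   (filler prologue)
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh       'BCHK'
    + b"\x66\xB8\x04\x00"           # mov ax, 04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 8                   # padding
    + b"\xB8\x11\x09"               # mov ax, 0911h            execute command
    + b"\x8B\x17"                   # mov dx, [bx]
    + b"\xBE\x47\x46"               # mov si, 4647h            1st magic value
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh            2nd magic value
    + b"\xCC"                       # int 3
    + b"\x83\xC3\x02"               # add bx, 2
)

if __name__ == "__main__":
    for off, name in find_int3_backdoor_checks(SAMPLE):
        print(f"{off:#06x}: {name}")
```

Run it on a raw file image (`find_int3_backdoor_checks(open(path, "rb").read())`) to list candidate offsets; the 'BCHK' constant and the 4647h/4A4Dh pair are specific enough that false positives are rare, but the Method 02 signature only fires when the int 3 follows within the window, so a packer that moves the int 3 further away needs a larger gap.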
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point").

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.
    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(the private handler copies AL into CL; if SoftICE intercepts int 41h instead,
CL keeps its zero value and differs from the timer byte read from port 40h):

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)
    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
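The two DR7 values quoted above are just bit patterns: 0x400 is the always-set reserved bit 10, and 0x700 adds the LE and GE exact-match flags (bits 8 and 9), while an armed BPM shows up in the L/G enable bits together with its R/W and LEN fields. The decoder below is an added example, not code from the page, and follows the DR7 layout documented in the Intel SDM; the classification strings and the `encode_bpm` helper are my own, added so the same layout can be read in both directions.

```python
# DR7 bit layout (Intel SDM, vol. 3, "Debug Control Register (DR7)"):
#   bit 2i   : L<i>  local enable of breakpoint i       (i = 0..3)
#   bit 2i+1 : G<i>  global enable of breakpoint i
#   bit 8    : LE    local exact breakpoint match  (legacy exact-match flags;
#   bit 9    : GE    global exact breakpoint match  together they make 0x300)
#   bit 10   : reserved, always reads as 1  -> a "clean" DR7 is 0x400
#   bit 13   : GD    general detect (trap on any MOV to/from DRx)
#   bits 16+4i..17+4i : R/W<i>  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i..19+4i : LEN<i>  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the list of armed breakpoints."""
    dr7 &= 0xFFFFFFFF
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            armed.append({
                "index": i,
                "scope": "global" if glob else "local",
                "type": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": armed,
    }

def encode_bpm(index, kind, length, global_scope=True):
    """Build the DR7 value a debugger would write to arm one memory breakpoint
    (the reserved bit 10 is kept set, as the CPU reports it)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable_bit = 2 * index + (1 if global_scope else 0)
    return 0x400 | (1 << enable_bit) | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))

def classify_dr7(dr7):
    """Apply the page's reading of DR7: armed DR0-DR3 = memory breakpoints present;
    LE/GE set (0x700) = program started through the SoftICE loader; 0x400 = clean."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoint(s) armed"
    if info["LE"] or info["GE"]:
        return "exact-match bits set (SoftICE loader)"
    return "clean"

if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(1, "write", 4)):
        print(f"DR7={value:#010x}: {classify_dr7(value)} {decode_dr7(value)['breakpoints']}")
```

Reading DR7 is itself a privileged operation, which is why the page restricts this trick to ring0; the same decoder is what a defender would run on DR7 values captured from a driver or a hypervisor trap on DRx access (the GD bit) to tell a loader artefact from a real hardware breakpoint.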

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers a handle open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* CreateFileA is named explicitly: the device name is a narrow string. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                          ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                          ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
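The breakpoint conditions in Methods 11 and 13 all have the same shape: follow a stack slot (SoftICE's `->` operator) to the string argument of the API, then compare four bytes at a fixed offset into that string. The offsets are not arbitrary: +4 in `*(esp->4+4)` skips the "\\.\" prefix of the device name, and 0x13 and 0x37 are exactly where "tICE" sits inside "Software\NuMega\SoftICE" and "...\Uninstall\SoftICE". The walkthrough below is an added example, not code from the page: it evaluates both conditions over a constructed flat memory image with a fake stdcall stack frame (the addresses, the return-address value and the order of arguments as hKey/lpSubKey for RegOpenKey are my assumptions; the four-byte tags are compared against the raw bytes in memory order).

```python
import struct

# Constructed flat "memory" for the walkthrough (not a real process image):
# strings live at low addresses, a fake stack frame at ESP = 0x1000.
MEM = bytearray(0x2000)
ESP = 0x1000
STR_SICE = 0x100    # "\\.\SICE"       (MeltICE device name)
STR_NUMEGA = 0x200  # registry key #2
STR_UNINST = 0x300  # registry key #1
STR_OTHER = 0x400   # an unrelated file name, to show the conditions stay quiet

KEY_NUMEGA = "Software\\NuMega\\SoftICE"
KEY_UNINST = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"

def _put_cstring(mem, addr, s):
    mem[addr:addr + len(s) + 1] = s.encode("ascii") + b"\x00"

_put_cstring(MEM, STR_SICE, "\\\\.\\SICE")
_put_cstring(MEM, STR_NUMEGA, KEY_NUMEGA)
_put_cstring(MEM, STR_UNINST, KEY_UNINST)
_put_cstring(MEM, STR_OTHER, "C:\\readme.txt")

def read_dword(mem, addr):
    """SoftICE's '->' : little-endian dword at addr."""
    return struct.unpack_from("<I", mem, addr)[0]

def tag_at(mem, esp, arg_offset, str_offset):
    """Evaluate *(esp->arg_offset + str_offset): follow the stack slot to the
    string it points at and return the 4 bytes found str_offset bytes in."""
    ptr = read_dword(mem, esp + arg_offset)
    return bytes(mem[ptr + str_offset:ptr + str_offset + 4])

def make_stack(mem, esp, args):
    """Lay out a stdcall frame as seen at the breakpoint: [esp] = return address
    (constructed value), [esp+4], [esp+8], ... = the call's arguments."""
    struct.pack_into("<I", mem, esp, 0x00401071)
    for i, a in enumerate(args):
        struct.pack_into("<I", mem, esp + 4 * (i + 1), a)

def createfile_bpx_fires(mem, esp):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    lpFileName is the first argument; +4 skips the "\\\\.\\" prefix."""
    return tag_at(mem, esp, 4, 4) in (b"SICE", b"SIWV", b"NTIC")

def regopenkey_bpx_fires(mem, esp):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    lpSubKey is the second argument (esp->8)."""
    return b"tICE" in (tag_at(mem, esp, 8, 0x13), tag_at(mem, esp, 8, 0x37))

def demo():
    """Run both conditions against the calls a MeltICE-style check and a
    registry probe would make, plus two harmless calls."""
    results = {}
    make_stack(MEM, ESP, [STR_SICE, 0xC0000000])   # CreateFileA("\\.\SICE", GENERIC_READ|GENERIC_WRITE, ...)
    results["meltice_open"] = createfile_bpx_fires(MEM, ESP)
    make_stack(MEM, ESP, [STR_OTHER, 0x80000000])  # CreateFileA("C:\readme.txt", GENERIC_READ, ...)
    results["normal_open"] = createfile_bpx_fires(MEM, ESP)
    make_stack(MEM, ESP, [0x80000002, STR_NUMEGA])  # RegOpenKey(HKEY_LOCAL_MACHINE, key #2, ...)
    results["reg_numega"] = regopenkey_bpx_fires(MEM, ESP)
    make_stack(MEM, ESP, [0x80000002, STR_UNINST])  # RegOpenKey(HKEY_LOCAL_MACHINE, key #1, ...)
    results["reg_uninstall"] = regopenkey_bpx_fires(MEM, ESP)
    make_stack(MEM, ESP, [0x80000002, STR_OTHER])
    results["reg_other"] = regopenkey_bpx_fires(MEM, ESP)
    return results

if __name__ == "__main__":
    print("0x13 =", KEY_NUMEGA.index("SoftICE") + 3, " 0x37 =", KEY_UNINST.index("SoftICE") + 3)
    for name, fired in demo().items():
        print(f"{name:14s} -> {'BREAK' if fired else 'pass'}")
```

The same derivation gives you the offset for any other key or device name you want to watch: index of the distinctive substring in the string the API receives, which is what makes such conditional breakpoints cheap compared with the BPINT 30 variants that fire on every VxD call.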
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
    VMMCall Test_Debug_Installed
    je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>