<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip
        is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
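Method 10 only works if you know what the bits of DR7 mean. The Python below is an added example (not part of the original text) that decodes DR7 according to the documented x86 layout: bits 0-7 are the local/global enable pairs for DR0-DR3, bits 8 and 9 are LE and GE, bit 10 is reserved and always reads as 1, bit 13 is GD, and bits 16-31 hold the R/W and LEN fields of each slot. Applied to the two values quoted above, 0x400 is just the reserved bit, while 0x700 additionally has LE and GE set; neither has a breakpoint slot enabled. The third sample value, with a 4-byte write breakpoint armed in slot 1, is constructed for the demonstration.

```python
"""Decode the x86 DR7 debug-control register (added example).

Bit layout is the documented one: L0,G0,...,L3,G3 in bits 0-7, LE/GE in
bits 8-9, reserved bit 10 (reads as 1), GD in bit 13, and for slot i the
R/W field in bits 16+4i..17+4i and the LEN field in bits 18+4i..19+4i.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # LEN field encoding -> bytes


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and the global flags found in DR7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "local": bool(local),
            "global": bool(glob),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def debugger_hint(dr7: int) -> str:
    """Classify DR7 the way the Method 10 heuristic does: armed slots mean
    memory breakpoints (BPMs) are set; LE/GE without slots is what the text
    reports for a program started from the SoftICE loader (0x700)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed"
    if d["LE"] or d["GE"]:
        return "LE/GE set, debugger-style setup (0x700 case in the text)"
    return "clean (0x400 case in the text)"


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in the text; 0xD00004 is a
    # constructed value: L1 set, R/W1 = write, LEN1 = 4 bytes.
    for value in (0x700, 0x400, 0xD00004):
        print(f"DR7={value:#010x}: {debugger_hint(value)} -> {decode_dr7(value)}")
```

The decoder is only the interpretation step: the read itself must happen in ring0 (MOV from DR7 faults in ring3), which is why the text says "in ring0 only".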
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025           ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ;   (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
' R$ I' C* W! J H) V+ e2 Z</PRE></TD></TR></TBODY></TABLE> |