<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh  ; 'BCHK'
 mov ax, 04h
 int 3                ; if SoftICE is loaded, al no longer holds 4 on return
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax            ; ES:DI stays 0 if the VxD is not loaded
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a
dummy handler around the call, so without SoftICE the interrupt returns
harmlessly:

 xor ax,ax
 mov es,ax             ; ES -> interrupt vector table (segment 0; the
                       ; original snippet assumes this, as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; install the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP
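The instruction sequences quoted in Methods 01 to 05 assemble to fixed bytes,
so an analyst triaging a packed executable can flag them statically, before
running anything. The Python scanner below is an added example and not part of
the original text; the opcodes are the standard x86 encodings of the
instructions shown above, and the sample blob is hand-assembled from those
snippets (constructed input, not bytes taken from Haspinst.exe or stn-wid.zip):

```python
import re

# Byte-level signatures for the instruction sequences quoted in Methods 01-05.
# Standard x86 encodings: mov r16,imm16 = B8+r iw, mov ebp,imm32 = BD id,
# int 3 = CC (or CD 03), int n = CD ib, cmp ax,imm16 = 3D iw. An optional 66h
# operand-size prefix lets each pattern match both 16-bit and 32-bit code, and
# the lazy gaps ('.{0,N}?') tolerate a few unrelated instructions in between.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "method01_bchk": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3
    "method02_backdoor": re.compile(
        rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,16}?(?:\xCC|\xCD\x03)",
        re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "method03_04_int2f_vxd_id": re.compile(
        rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
        re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "method05_int41_4f": re.compile(
        rb"(?:\x66)?\xB8\x4F\x00.{0,16}?\xCD\x41.{0,32}?(?:\x66)?\x3D\x86\xF3",
        re.DOTALL),
}


def scan(blob: bytes) -> list:
    """Return sorted (offset, signature_name) pairs for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the snippets hand-assembled into one blob, separated by
# NOPs (90h). Offsets are given so the output can be checked by eye.
SAMPLE = bytes.fromhex(
    "90 90 90 90"                                # 0:  padding
    "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10"  # 4:  Method 01 (32-bit)
    "90 90 90"
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"        # 21: Method 02 (Haspinst, 16-bit)
    "90 90 90"
    "31 FF 8E C7 B8 84 16 BB 02 02 CD 2F"        # 36: Method 03 (16-bit)
    "90 90 90"
    "B8 4F 00 CD 41 3D 86 F3 74 05"              # 51: Method 05 (16-bit)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```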

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al             ; runs only if the int 41h call reaches the IVT handler
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax             ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h            ; pseudo-random value from the timer port
 xor cx,cx
 int 41h               ; no function 4Fh in ax, so nothing obvious to match
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; our handler copied al to cl; if it never ran,
 jnz SoftICE_detected  ; cl is still 0 and differs from al

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h                    ; set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
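To make sense of the two DR7 values quoted above (0x700 under the SoftICE
loader, 0x400 otherwise) you need the register layout, which the text does not
give. The decoder below is an added example, not part of the original text; it
does not read DR7 itself (that takes ring 0, as said above), and 0x000D0401 is
a constructed value standing for a 4-byte write BPM armed on dr0:

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable for breakpoints 0-3
#   bits 8, 9  LE, GE           exact-match enables (no effect on P6 and
#                               later, but debuggers still set them)
#   bit 10     reserved, always reads as 1 -> the 0x400 baseline
#   bit 13     GD               general detect (trap on any DRx access)
#   bits 16+   R/Wn, LENn       two bits each, four bits per breakpoint
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the fields the Method 10 check looks at."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                  # drN disabled: its R/W and LEN are ignored
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        armed.append({"reg": f"dr{n}", "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": armed,
            "le": bool((dr7 >> 8) & 1),
            "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1)}


def classify_dr7(dr7: int) -> str:
    """Verdict a Method 10 style check would draw from a DR7 value."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoints armed"
    if d["le"] or d["ge"]:
        return "loaded under a debugger (LE/GE set)"
    return "clean"


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values quoted in the text; 0x000D0401 is a
    # constructed value: L0 set, R/W0 = 01 (write), LEN0 = 11 (4 bytes).
    for value in (0x400, 0x700, 0x000D0401):
        print(f"dr7={value:#010x}: {classify_dr7(value)}")
```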

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open can only succeed if the VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025         ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                  ; HFILE_ERROR (-1) becomes 0
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>