<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]   ; (old vector saved in bx:dx)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax alone, so
        jz SoftICE_detected     ; F386h means SoftICE answered instead

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; remember al so the caller knows we ran
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a random-ish value from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD (Win9x) */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>