About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (IVT segment), as set up in Method 06 below
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the previous handler
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h            ; timer value: an unpredictable AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al              ; CL != AL means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
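As an added example (not code from the original post), a small decoder for the DR7 values quoted above, so that 0x700 and 0x400 can be read bit by bit and an armed BPM can be told apart from the loader footprint; the bit layout is the IA-32 debug register format, the function names are my own, and the reading of 0x700 as the SoftICE loader's mark is taken from the text above, not verified here.

```python
"""Decode DR7 so the values quoted in Method 10 can be read bit by bit.

IA-32 DR7 layout: L0..L3/G0..G3 in bits 0-7 (Ln = bit 2n, Gn = bit 2n+1),
LE bit 8, GE bit 9, bit 10 reserved and always 1, GD bit 13,
R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n.
"""
from typing import Dict, List

_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
_LEN = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 only exists on 64-bit CPUs


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its enable flags and the condition of each DRn slot."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        slots.append({
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else "off"),
            "type": _RW[(dr7 >> (16 + 4 * n)) & 3],
            "length": _LEN[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "slots": slots,
    }


def active_bpm_slots(dr7: int) -> List[int]:
    """Indices of DR0..DR3 that currently have a hardware breakpoint armed."""
    return [n for n, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def classify(dr7: int) -> str:
    """Apply the page's reading: an enabled Ln/Gn bit means a BPM is armed,
    LE+GE set (0x700) is the SoftICE loader footprint, 0x400 is just the
    reserved bit."""
    d = decode_dr7(dr7)
    if active_bpm_slots(dr7):
        return "hardware breakpoint(s) armed"
    if d["LE"] and d["GE"]:
        return "exact-breakpoint flags set (SoftICE loader footprint per the text)"
    return "no debugger footprint in DR7"


def clear_bpm(dr7: int) -> int:
    """What 'clearing BPMs' means at register level: drop every L/G enable
    bit and leave the R/W and LEN fields untouched."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 armed locally on a 4-byte write.
    for v in (0x700, 0x400, 0xD0401):
        print(f"dr7={v:#x}: {classify(v)}, armed slots {active_bpm_slots(v)}")
```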

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
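As an added example (not code from the original post, from SoftICE or from any protector it names), a static triage script that scans a raw file image for the byte patterns and strings the methods above leave behind, so an analyst can see which checks a packer contains before running it; the byte encodings are hand-assembled from the listings above, and the function names and the constructed SAMPLE buffer are my own.

```python
"""Static triage for the anti-SoftICE checks listed above.

A few bytes of slack between the set-up instruction and the interrupt
tolerates interleaved register moves (and a 66h operand-size prefix in
32-bit code); the device-name and registry patterns match ANSI strings.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

SIGNATURES = [
    # Method 01: 'BCHK' immediate (4B 48 43 42 little-endian) then int 3 (CC)
    ("M01 BCHK/int3", re.compile(rb"\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h (BE 47 46) then mov di,4A4Dh (BF 4D 4A)
    ("M02 backdoor magic", re.compile(rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov bx,0202h or 7A5Fh (BB ..) then int 2Fh (CD 2F)
    ("M03/04 int2F VxD ID",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: int 41h (CD 41) then cmp ax,0F386h (3D 86 F3)
    ("M05 int41/4F", re.compile(rb"\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h (B4 43) then int 68h (CD 68)
    ("M07 int68/43", re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 11: MeltICE device names as NUL-terminated strings
    ("M11 device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) then push 002A002Ah
    ("M12 VxDCall 2A002A",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry paths that reveal the install directory
    ("M13 registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I)),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every hit, ordered by file offset."""
    hits = [(label, m.start()) for label, pat in SIGNATURES
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def summarize(data: bytes) -> Dict[str, int]:
    """Hit count per method label (an empty dict means nothing recognised)."""
    return dict(Counter(label for label, _ in scan(data)))


# Constructed sample image: NOP padding around hand-assembled fragments of
# Methods 01, 02, 05 and 11 taken from the listings above.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # M01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # M02
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # M05
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                          # M11
)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, off in scan(image):
        print(f"{off:08x}  {label}")
```

Run it with a file path to scan a real image, or with no argument to scan the constructed sample.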