<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es is assumed to be 0 (interrupt vector table)
    xchg bx, es:[41h*4+2]   ; install a dummy int 41h handler
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install int41handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al means our handler was not the one called
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the device name only succeeds when the SICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
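As an added example (not part of the original text), the following Python script turns the byte-level fingerprints of Methods 01 to 13 above into a static triage scanner: run it over a sample and it reports which of the SoftICE checks the sample carries and where. The instruction encodings, the wildcard gaps between them, the "Method NN" labels and the SAMPLE bytes are all constructed here, not taken from any real binary.

```python
import re

# Byte signatures for the SoftICE checks described in Methods 01-13.
# Encodings are the 16/32-bit x86 forms of the instructions shown on the page
# (mov bx,imm16 = BB xx xx, int n = CD nn, cmp ax,imm16 = 3D xx xx, ...);
# the .{0,n} wildcards tolerate the few instructions between them.
SIGNATURES = {
    "Method 01": ("mov ebp,'BCHK' ... int 3 (BoundsChecker probe)",
                  re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.DOTALL)),
    "Method 02": ("mov si,4647h / mov di,4A4Dh ... int 3 (back door magic values)",
                  re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC", re.DOTALL)),
    "Method 03/04": ("mov bx,0202h or 7A5Fh ... int 2Fh (SICE/SIWVID VxD ID lookup)",
                     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F", re.DOTALL)),
    "Method 05": ("int 41h ... cmp ax,0F386h (debugger magic number)",
                  re.compile(rb"\xCD\x41.{0,8}\x3D\x86\xF3", re.DOTALL)),
    "Method 07": ("mov ah,43h / int 68h ... cmp ax,0F386h",
                  re.compile(rb"\xB4\x43.{0,4}\xCD\x68.{0,8}\x3D\x86\xF3", re.DOTALL)),
    "Method 11": ("MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
                  re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    "Method 12": ("push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
                  re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    "Method 13": ("SoftICE registry key names",
                  re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I)),
}


def scan(blob: bytes) -> dict:
    """Return {method: [file offsets]} for every signature found in blob."""
    hits = {}
    for method, (_desc, pattern) in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[method] = offsets
    return hits


def report(blob: bytes) -> list:
    """One human-readable line per detected method, for a triage note."""
    return [f"{m} at {', '.join(hex(o) for o in offs)}: {SIGNATURES[m][0]}"
            for m, offs in scan(blob).items()]


# Constructed sample bytes (not from any real binary): the Haspinst back-door
# loop of Method 02, the int 41h/4Fh check of Method 05 and a MeltICE device
# name, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # mov ax,4Fh; int 41h; cmp ax,0F386h; jz ...
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                   # '\\.\SICE',0 as passed to CreateFileA/_lopen
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Method 14 is left out on purpose: a VMMCall is resolved through a VxD import fixup, so it has no stable byte pattern to match in a flat file.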

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>