About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
6 z  A! ^" u( X: D4 u<TD><PRE>Method 01 ' \6 }( s$ M  \- s! V6 A0 q9 w
=========
" T5 P% ]" T$ m. w3 C4 l7 S) H& u" |7 E+ J
This method of detection of SoftICE (as well as the following one) is
$ P& A3 R" A! B' H) O1 z4 X+ Aused by the majority of packers/encryptors found on Internet.
( m, g. u1 F, [  VIt seeks the signature of BoundsChecker in SoftICE
4 N% h  a1 b, [
- {) Z  J8 }8 {3 M; B    mov     ebp, 04243484Bh        ; 'BCHK'
; l3 z) j( I2 K# f6 D9 f% _4 L    mov     ax, 04h% ~1 q3 I5 s) u7 H
    int     3       3 _0 `4 V3 g% i# U' f4 H- s+ L
    cmp     al,4
" E. x7 D, m" N3 d; m* ?    jnz     SoftICE_Detected  |) ]# [6 @( l0 F* j7 Y2 p* k1 n
. k  O5 y8 K7 V) u
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute an SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both swap their own handler into the
real-mode IVT entry for int 41h around the call, so that without a debugger
the interrupt lands in a harmless stub:

    xor     ax,ax
    mov     es,ax                   ; es = 0: the IVT segment (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The value read from port 40h (the timer) is unpredictable, so cl can only
equal al afterwards if the installed stub actually ran; a debugger that
intercepts int 41h never lets it run, and cl stays 0.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    push    cs
    pop     ds
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
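
The following C program is an added example, not code from the original text,
showing what the dr7 check above actually looks at. It decodes the DR7 bit
layout (the Ln/Gn enable bits for the four slots, LE/GE in bits 8 and 9, the
reserved bit 10 that always reads back as 1, and the R/W and LEN fields from
bit 16 up) and applies the text's test to the two values quoted, 0x400 and
0x700, plus a constructed BPM-style slot. The register images are constructed
constants; real anti-debug code reads them with mov eax, dr7 in ring 0, which
a user-mode program cannot do.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (IA-32 debug registers): Ln/Gn enable bits for slots 0-3 in
 * bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and always read as 1,
 * GD in bit 13, and per slot two R/W bits plus two LEN bits from bit 16 up. */
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSV1 (1u << 10)

/* R/W code programmed for slot n: 0=exec, 1=write, 2=I/O, 3=read/write. */
int dr7_slot_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

const char *dr7_rw_name(int rw)
{
    static const char *names[4] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

/* Watched length for slot n in bytes (encoding 00=1, 01=2, 11=4, 10=8). */
int dr7_slot_length(uint32_t dr7, int n)
{
    static const int lens[4] = { 1, 2, 8, 4 };
    return lens[(dr7 >> (18 + 4 * n)) & 3u];
}

/* 1 if slot n is armed locally or globally. */
int dr7_slot_armed(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* How many of the four hardware breakpoint slots are armed. */
int dr7_armed_count(uint32_t dr7)
{
    int n, c = 0;
    for (n = 0; n < 4; n++)
        c += dr7_slot_armed(dr7, n);
    return c;
}

/* The loader signature quoted in the text: 0x700 is LE|GE plus the
 * reserved bit, 0x400 is the reserved bit alone. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* The trick itself: once dr0..dr3 and dr7 have been read in ring 0, any bit
 * besides the always-set reserved bit, or any non-zero slot address, shows
 * that a debugger has programmed the registers (BPM breakpoints live here). */
int debug_registers_touched(uint32_t dr0, uint32_t dr1, uint32_t dr2,
                            uint32_t dr3, uint32_t dr7)
{
    return (dr7 & ~DR7_RSV1) != 0 || dr0 != 0 || dr1 != 0 || dr2 != 0 || dr3 != 0;
}

/* Build the dr7 bits for one slot, as a debugger would before "mov dr7, eax". */
uint32_t dr7_program_slot(uint32_t dr7, int n, int global, unsigned rw, unsigned len_code)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len_code & 3u) << (18 + 4 * n);
    return dr7;
}

int main(void)
{
    /* Constructed register images, not values read from a real machine. */
    uint32_t clean  = 0x400;
    uint32_t loader = 0x700;
    /* BPM-style watch: slot 0, global, read/write (11b), 4 bytes (11b). */
    uint32_t bpm = dr7_program_slot(0x400, 0, 1, 3u, 3u);

    printf("dr7=0x%03x loader=%d touched=%d\n", clean,
           dr7_looks_like_softice_loader(clean),
           debug_registers_touched(0, 0, 0, 0, clean));
    printf("dr7=0x%03x loader=%d touched=%d\n", loader,
           dr7_looks_like_softice_loader(loader),
           debug_registers_touched(0, 0, 0, 0, loader));
    printf("dr7=0x%08x armed=%d slot0=%s/%d touched=%d\n", bpm,
           dr7_armed_count(bpm), dr7_rw_name(dr7_slot_rw(bpm, 0)),
           dr7_slot_length(bpm, 0),
           debug_registers_touched(0x00401000u, 0, 0, 0, bpm));
    return 0;
}
```

The decoder is also what you want when clearing a BPM from the protected
side: knowing which slot, access type and length a debugger armed tells
you exactly which bits to zero.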

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
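
To make the fixed offsets in the breakpoint conditions of Method 11 and
Method 13 concrete, here is an added C example (not from the original text,
and not SoftICE code) that evaluates the same conditions on the argument
strings: *(esp->4+4)=='SICE' reads the first CreateFileA argument four bytes
in, past the \\.\ prefix, and *(esp->8+0x13)=='tICE' / *(esp->8+0x37)=='tICE'
read the _regopenkey subkey at the two offsets where "tICE" falls inside the
NuMega and Uninstall key paths; tag_offset() shows how those two offsets were
derived. The device names and registry paths are the ones quoted in the text;
the bounds check before each compare is an addition, since a SoftICE
expression simply reads the bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p)=='SICE' compares the four bytes at p with the literal in
 * memory order; memcmp over four bytes is the same test in C. A NUL inside
 * the window means the string ended before the offset, so it cannot match. */
static int dword_at_equals(const char *s, size_t off, const char *tag)
{
    size_t i;
    for (i = 0; i < off + 4; i++)
        if (s[i] == '\0')
            return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips the "\\.\" prefix. */
int meltice_bpx_hits(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey); 0x13 and 0x37 are where "tICE"
 * falls in "Software\NuMega\SoftICE" and in the Uninstall path. */
int regopenkey_bpx_hits(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* Where a tag sits inside a string, or -1: this is how the fixed offsets in a
 * breakpoint condition are worked out from the strings the program uses. */
int tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (int)(p - s) : -1;
}

int main(void)
{
    /* Constructed inputs mirroring the names quoted in the text. */
    const char *names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1", "C:\\x.txt"
    };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", names[i],
               meltice_bpx_hits(names[i]) ? "break" : "pass");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") tICE@%d -> %s\n", keys[i],
               tag_offset(keys[i], "tICE"),
               regopenkey_bpx_hits(keys[i]) ? "break" : "pass");
    return 0;
}
```

Running it shows that key #3 (App Paths\Loader32.Exe) never fires the
Method 13 breakpoint, so a program that probes only that key slips past it;
a third offset, or a strstr-style match, would be needed to cover it.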
+ N+ |8 m- V/ `6 v7 e) ~1 F+ G  s: D0 L( x! N
__________________________________________________________________________2 y6 B2 W3 B. E2 C
: e. ~" Y; D( ^' |: M( U

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.