About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
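The breakpoint conditions above find these checks while the target runs; the script below (an added example, not part of the original text nor of any tool it mentions) does the same job statically, turning the listings of Methods 01-13 into byte signatures that an analyst can run over a sample to see which of the checks it carries. The opcode bytes are hand-assembled from the listings (16-bit encodings, with a bounded gap where a 66h prefix or an instruction may sit between the load and the int/cmp), and the sample blob is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Hand-assembled from the listings above: 16-bit encodings of the immediates
# each check loads. The 66h operand-size prefix is never part of a pattern
# (it sits before 'mov ebp' in 16-bit code and before 'mov ax' in 32-bit
# code), so the '[a-b]' gaps absorb it along with any instruction between the
# load and the int/cmp. Syntax: hex bytes, '??' = any one byte, '[a-b]' = a..b bytes.
CODE_SIGNATURES: Dict[str, str] = {
    "m01_boundschecker_bchk":    "BD 4B 48 43 42 [0-5] CC",           # mov ebp,'BCHK' .. int 3
    "m02_backdoor_magic":        "BE 47 46 [0-1] BF 4D 4A [0-4] CC",  # si=4647h, di=4A4Dh .. int 3
    "m03_int2f_sice_vxd":        "B8 84 16 BB 02 02 CD 2F",           # ax=1684h, bx=0202h, int 2Fh
    "m04_int2f_siwvid_vxd":      "B8 84 16 BB 5F 7A CD 2F",           # ax=1684h, bx=7A5Fh, int 2Fh
    "m05_int41_4f_magic":        "B8 4F 00 CD 41 [0-12] 3D 86 F3",    # int 41h/4Fh .. cmp ax,0F386h
    "m07_int68_43_magic":        "B4 43 CD 68 [0-1] 3D 86 F3",        # ah=43h, int 68h, cmp ax,0F386h
    "m12_vxdcall_int41dispatch": "6A 4F 68 2A 00 2A 00",              # push 4Fh / push 2A002Ah
}
# Literal strings used by the CreateFileA/_lopen (Method 11) and registry
# (Method 13) checks.
STRING_SIGNATURES: Dict[str, bytes] = {
    "m11_meltice_sice":   b"\\\\.\\SICE",
    "m11_meltice_siwvid": b"\\\\.\\SIWVID",
    "m11_meltice_ntice":  b"\\\\.\\NTICE",
    "m13_numega_regkey":  b"Software\\NuMega\\SoftICE",
}


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Translate the hex/wildcard syntax above into a bytes regex."""
    parts: List[bytes] = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(n) for n in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}?" % (lo, hi))      # lazy: the shortest gap wins
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)       # DOTALL: '.' also matches 0x0A


_COMPILED = {name: compile_signature(sig) for name, sig in CODE_SIGNATURES.items()}
_COMPILED.update({name: re.compile(re.escape(s)) for name, s in STRING_SIGNATURES.items()})


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(m.start(), name) for name, rx in _COMPILED.items() for m in rx.finditer(blob)]
    return [(name, off) for off, name in sorted(hits)]


# Constructed sample, not a real binary: filler around four of the checks above.
SAMPLE = (
    b"MZ" + b"\x90" * 14                                      # offsets 0..15: filler
    + bytes.fromhex("66BD4B484342B80400CC3C047505")          # 16: 66h prefix, Method 01 (mov ebp at 17)
    + b"\x90" * 4
    + bytes.fromhex("B88416BB0202CD2F8CC003C785C0")          # 34: Method 03
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                                      # 50: MeltICE device name
    + bytes.fromhex("B84F00CD41268716040126871E06013D86F3")  # 59: Method 05, Stone's variant
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```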