<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WINICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; a non-zero entry point means the VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to segment 0 (the interrupt vector table),
    ; as set up explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h             ; only a system debugger answers F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; AL = value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; CL != AL means our handler did not run
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver answers to its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        /* The open only succeeds when the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax, -001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
         ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
         ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax, [00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; _lopen returns -1 on failure
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax, [00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

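Added example, not part of the original text: a small Python scanner that looks for the byte patterns of methods 01, 02, 03/04, 05, 07, 11 and 12 above in a raw binary image, the way an analyst triages a packed sample for anti-debug checks before stepping through it. The opcode encodings are assumed from the standard x86 encodings of the listed instructions and the sample buffer is constructed, so a hit is a lead to inspect rather than proof.

```python
import re

# Byte signatures for several of the SoftICE checks described above, as regular
# expressions over raw bytes.  Encodings are the standard x86 ones (16-bit or
# 32-bit mode as noted per entry).  A hit is a lead for the analyst, not proof:
# the same bytes can occur by chance in data or in unrelated code.
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' int 3": rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02 (16-bit): mov si,4647h / mov di,4A4Dh, in either order
    "02 SoftICE backdoor magic SI/DI": rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",
    # Methods 03/04 (16-bit): mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05 (16-bit): mov ax,4Fh / int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh magic F386h": rb"\xB8\x4F\x00\xCD\x41.{0,32}?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): driver device names passed to CreateFileA / _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12 (32-bit): push 4Fh / push 2A002Ah before VxDCall
    "12 VxDCall VWIN32_Int41Dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
COMPILED = {label: re.compile(pat, re.DOTALL) for label, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return [(offset, label), ...] sorted by offset, one entry per signature hit."""
    hits = []
    for label, pattern in COMPILED.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample image (not a real file): NOP/zero padding around four of
# the sequences above, so the expected hit offsets are 8, 27, 41 and 50.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 5
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x20"                  # Method 05
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                          # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # Method 12
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

On a real file, read it as bytes and pass it to scan(); offsets are file offsets, so map them to virtual addresses with the section table before setting a breakpoint.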
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>