About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the interface SoftICE exposes for BoundsChecker: an int 3 issued
with ebp='BCHK' and ax=4 is answered by SoftICE, which changes al. If al
is still 4 afterwards, SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It reaches the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
These are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own int 3 exception
  handler if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is present, ES:DI receives a
non-zero entry point.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

This one and the following method are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector in the IVT is
swapped for a bare iret, so without a debugger ax comes back unchanged
(4Fh); if SoftICE intercepts int 41h before the IVT handler runs, it
still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; es=0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect. The
program's own int 41h handler copies al into cl; al holds a byte read from
the timer port (40h) and cx is zeroed beforehand. Without a debugger the
handler runs and cl==al; if SoftICE intercepts int 41h, the handler never
runs and cl will not match al (except by chance):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es=0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte (PIT counter 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is at byte ptr [ebp+1Dh] and the client EIP is
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
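The scanner below is an added example, not part of the original text: it turns the listings of methods 01 to 07 into byte signatures and reports where they occur in a raw 16-bit code image. The encodings are the standard ones (mov reg16,imm16 = B8+reg iw, int 3 = CC, int n = CD ib, cmp ax,imm16 = 3D iw); the 16-byte gap tolerated between the register loads and the int instruction, and the acceptance of either load order, are my assumptions about how much a protector reorders the sequence, and the sample image is constructed for the demo. The method 12 variant goes through VxDCall rather than an int instruction, so these patterns do not cover it.

```python
"""Static signatures for the int 3 / int 2Fh / int 41h / int 68h SoftICE checks
(methods 01 to 07).  Added example: scans a raw 16-bit code image for the
instruction sequences shown in the listings above."""
import re
from typing import List, NamedTuple

VXD_NAMES = {0x0202: "SICE (WinICE)", 0x7A5F: "SIWVID (SoftICE video)"}
BACKDOOR_FN = {0x10: "display string", 0x11: "execute command",
               0x12: "get breakpoints", 0x13: "set breakpoints",
               0x14: "remove breakpoints"}


class Hit(NamedTuple):
    offset: int
    method: str
    detail: str


# Encodings used below (16-bit code):  mov ax,imm16 = B8 iw   mov bx,imm16 = BB iw
#   mov si,imm16 = BE iw   mov di,imm16 = BF iw   mov ah,imm8 = B4 ib
#   int 3 = CC or CD 03    int n = CD ib          cmp ax,imm16 = 3D iw
#   cmp al,imm8 = 3C ib    in al,imm8 = E4 ib     mov ebp,imm32 = 66 BD id
#   (32-bit code drops the 66h prefix, so it is optional in the pattern)
GAP = rb".{0,16}?"          # assumption: a few unrelated instructions may sit in between
INT3 = rb"(?:\xCC|\xCD\x03)"
CMP_AX_F386 = rb"\x3D\x86\xF3"

PATTERNS = [
    ("01 BoundsChecker int 3 ('BCHK' in ebp, cmp al,4)",
     rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + INT3 + GAP + rb"\x3C\x04"),
    ("02 SoftICE back door (AX=09xxh, SI=4647h, DI=4A4Dh, int 3)",
     rb"\xB8(?P<fn>.)\x09" + GAP
     + rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46)"
     + GAP + INT3),
    ("03/04 int 2Fh/1684h VxD entry point",
     rb"(?:\xB8\x84\x16" + GAP + rb"\xBB(?P<vxd>..)|\xBB(?P<vxd2>..)" + GAP + rb"\xB8\x84\x16)"
     + GAP + rb"\xCD\x2F"),
    ("05 int 41h/4Fh, magic 0F386h",
     rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + CMP_AX_F386),
    ("06 int 41h via private handler (in al,40h ... cmp cl,al)",
     rb"\xE4\x40" + GAP + rb"\xCD\x41" + GAP + rb"(?:\x38\xC1|\x3A\xC8)"),
    ("07 int 68h/AH=43h, magic 0F386h",
     rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + CMP_AX_F386),
]
COMPILED = [(name, re.compile(pat, re.S)) for name, pat in PATTERNS]


def describe(match) -> str:
    """Pull the back-door function code or the VxD ID out of a match."""
    groups = match.groupdict()
    if groups.get("fn") is not None:
        fn = groups["fn"][0]
        return "AX=09%02Xh (%s)" % (fn, BACKDOOR_FN.get(fn, "unknown function"))
    raw = groups.get("vxd") or groups.get("vxd2")
    if raw is not None:
        vxd = int.from_bytes(raw, "little")
        return "BX=%04Xh %s" % (vxd, VXD_NAMES.get(vxd, "(not a SoftICE VxD)"))
    return ""


def scan(image: bytes) -> List[Hit]:
    """Return every signature hit in the image, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(image):
            hits.append(Hit(m.start(), name, describe(m)))
    return sorted(hits)


# Constructed 16-bit code mirroring the listings above (not taken from a real binary).
SAMPLE_IMAGE = (
    b"\x90\x90"                                     # filler
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"     # mov ebp,'BCHK' / mov ax,4 / int 3
    b"\x3C\x04\x75\x20"                             # cmp al,4 / jnz detected
    b"\xB8\x11\x09\x8B\x17"                         # mov ax,0911h / mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                 # mov si,4647h / mov di,4A4Dh / int 3
    b"\x33\xFF\x8E\xC7"                             # xor di,di / mov es,di
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"             # mov ax,1684h / mov bx,0202h / int 2Fh
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"     # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    b"\xB4\x43\xCD\x68\x3D\x86\xF3"                 # mov ah,43h / int 68h / cmp ax,0F386h
    b"\xE4\x40\x33\xC9\xCD\x41\x3A\xC8\x75\x02"     # in al,40h / xor cx,cx / int 41h / cmp cl,al
    b"\xC3"                                         # ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE_IMAGE):
        print("%06X  method %-60s %s" % (h.offset, h.method, h.detail))
```

Run it over the code section of a DOS executable or a dump of a packer stub to triage. A hit is a lead to confirm in the debugger, not proof: the same byte values can occur as data, and a protector can split the loads across a jump or compute the constants at run time, which a fixed-gap pattern will miss.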


Method 08
=========

This is not a detection method but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
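To see what the two DR7 values quoted above actually mean, here is a small decoder, added as an example and not taken from the original text. It uses the architectural DR7 layout: bits 0-7 are the L0/G0 .. L3/G3 enables, bits 8 and 9 are LE and GE, bit 10 is reserved and always reads 1, bit 13 is GD, and bits 16-31 hold the R/W and LEN fields for DR0-DR3. 0x400 is therefore "nothing enabled" and 0x700 is 0x400 with LE and GE set. Reading the registers needs ring 0, as the text says, so the functions take the raw values as arguments; the breakpoint values used in the demo are constructed.

```python
"""Decoder for the debug-register check of method 10 (added example).
Reading DR0-DR7 needs ring 0, as the text says; these functions take the
raw values as arguments and show what a protector would conclude."""
from typing import List, NamedTuple, Sequence

RW_KINDS = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=2 means 8 bytes (64-bit mode only)


class HwBreakpoint(NamedTuple):
    index: int            # 0..3 -> DR0..DR3
    address: int
    local: bool           # Ln bit
    global_: bool         # Gn bit
    kind: str
    length: int


class DebugState(NamedTuple):
    dr7: int
    le: bool              # bit 8, local exact breakpoint enable
    ge: bool              # bit 9, global exact breakpoint enable
    reserved_bit10: bool  # always reads 1 on x86, hence the 0x400 baseline
    gd: bool              # bit 13, general detect (trap on any DRx access)
    breakpoints: List[HwBreakpoint]


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> DebugState:
    """Split DR7 into its fields and pair each armed slot with its DRn address."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, dr0_3[i], local, glob, RW_KINDS[rw], LEN_BYTES[ln]))
    return DebugState(dr7, bool((dr7 >> 8) & 1), bool((dr7 >> 9) & 1),
                      bool((dr7 >> 10) & 1), bool((dr7 >> 13) & 1), bps)


def debugger_indicators(state: DebugState) -> List[str]:
    """What the method-10 check would report for this register state."""
    notes = []
    if state.le or state.ge:
        notes.append("LE/GE set (DR7=0x%X): the 0x700 value quoted for programs "
                     "started from the SoftICE loader" % state.dr7)
    for bp in state.breakpoints:
        notes.append("DR%d armed: %s, %d byte(s) at 0x%X (%s) - a BPM" % (
            bp.index, bp.kind, bp.length, bp.address,
            "global" if bp.global_ else "local"))
    return notes


def clear_bpm(dr7: int) -> int:
    """The 'clearing BPMs' counter-move: drop L0-L3/G0-G3 and every R/W-LEN
    field, keep LE/GE/GD and the reserved bit."""
    return (dr7 & ~(0xFF | 0xFFFF0000)) & 0xFFFFFFFF


def build_dr7(slot: int, rw: int, length_code: int, local: bool = True) -> int:
    """Compose a DR7 that arms one slot (constructed values for the demo)."""
    dr7 = 0x400 | (1 << (2 * slot + (0 if local else 1)))
    dr7 |= (rw << (16 + 4 * slot)) | (length_code << (18 + 4 * slot))
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, build_dr7(0, rw=3, length_code=3)):
        state = decode_dr7(value, (0x401000, 0, 0, 0))
        print("DR7=0x%X -> %s" % (value, debugger_indicators(state) or ["no debugger signs"]))
```

The decoder is also the practical check behind the warning at the top of this method: if you trace a protected program with a BPM set, the protector reads a non-zero L/G bit and an R/W-LEN field for that slot and can either bail out or zero it with clear_bpm's mask, silently removing your breakpoint.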

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey paths of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
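As an added example (not part of the original), this script reproduces in Python what the breakpoint conditions of methods 11 and 13 actually read, and scans a blob of strings for those indicators: *(esp->4+4) on a CreateFileA argument is the four bytes after the \\.\ prefix, which is why 'SICE', 'SIWV' and 'NTIC' are the values compared; *(esp->8+0x13) and *(esp->8+0x37) read "tICE" at offset 19 of key #2 and offset 55 of key #1. Scanning UTF-16LE strings as well is my addition for programs that would go through CreateFileW instead; the sample blob is constructed for the demo.

```python
"""String indicators for methods 11 (driver device names) and 13 (registry
keys), added as an example.  It reproduces what the SoftICE breakpoint
conditions quoted above read, then scans a constructed blob for them."""
import re
from typing import List, Optional, Tuple

# *(esp->4+4) on a CreateFileA argument reads the 4 bytes after the "\\.\" prefix
DEVICE_TAGS = {b"SICE": "SICE (Win9x SoftICE)", b"SIWV": "SIWVID (Win9x video)",
               b"NTIC": "NTICE (WinNT SoftICE)"}
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",      # key #1
    r"Software\NuMega\SoftICE",                                          # key #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe", # key #3
]
DEVICE_PREFIX = b"\\\\.\\"     # the four characters \\.\

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE runs (assumption: a CreateFileW caller stores the name this way);
# the lookbehind keeps a trailing ASCII byte from being swallowed into the run
WIDE_RUN = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){6,}")


def device_tag(name: bytes) -> Optional[bytes]:
    """The dword the CreateFileA breakpoint condition compares, or None."""
    if name.startswith(DEVICE_PREFIX) and len(name) >= 8:
        return name[4:8]
    return None


def is_softice_device(name: bytes) -> bool:
    return device_tag(name) in DEVICE_TAGS


def tice_offsets(key: str) -> List[int]:
    """Offsets of 'tICE' in a key path: 0x13 for key #2, 0x37 for key #1."""
    return [m.start() for m in re.finditer("tICE", key)]


def classify_registry(path: str) -> Optional[str]:
    """Registry paths are case-insensitive; accept them with or without the hive."""
    low = path.lower()
    for key in REGISTRY_KEYS:
        if low.endswith(key.lower()):
            return key
    return None


def scan_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """(offset, kind, text) for every SoftICE device name or registry key found."""
    hits = []
    for rx, wide in ((ASCII_RUN, False), (WIDE_RUN, True)):
        for m in rx.finditer(blob):
            text = m.group().decode("utf-16-le" if wide else "ascii")
            if is_softice_device(text.encode("ascii")):
                hits.append((m.start(), "device-w" if wide else "device", text))
            elif classify_registry(text):
                hits.append((m.start(), "registry", text))
    return sorted(hits)


# Constructed blob: three device names (one as a wide string), one key, two decoys.
SAMPLE_BLOB = (
    b"\x00\x00"
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\PhysicalDrive0\x00"                 # decoy: same prefix, other device
    + b"Software\\NuMega\\SoftICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Windows\\system32\x00"                 # decoy
    + b"\\\\.\\SIWVID\x00"
)

if __name__ == "__main__":
    for off, kind, text in scan_strings(SAMPLE_BLOB):
        print("%06X  %-9s %s" % (off, kind, text))
    for key in REGISTRY_KEYS[:2]:
        print("'tICE' at %s in %s" % ([hex(o) for o in tice_offsets(key)], key))
```

The same offsets explain a limit of the _regopenkey breakpoint: it only fires when the caller passes the subkey path exactly as listed, so a program that opens HKLM\Software\NuMega first and then SoftICE as a separate subkey never puts "tICE" at offset 0x13 and slips past the condition.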


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 | Powered by Discuz! X3.5