<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: the program issues
int 3 with EBP='BCHK' and AX=4; if SoftICE is loaded it handles the call
and AL is no longer 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0 if the VxD is absent
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector (ES must be 0)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The temporary handler copies AL into CL; if SoftICE intercepts int 41h
instead of letting this handler run, CL and AL no longer match:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value read from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
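As an added example (not code from the original text), here is a decoder for the DR7 values the paragraph above mentions: it shows what 0x700 versus 0x400 actually encode and which of DR0-DR3 carry an armed breakpoint and of what type. The bit layout follows the Intel manual; the sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# DR7 bit layout (Intel SDM): L0,G0 .. L3,G3 in bits 0-7, LE = bit 8,
# GE = bit 9, bit 10 reserved and always reads 1 (hence the idle value
# 0x400), then R/Wn (2 bits) and LENn (2 bits) per slot from bit 16 up.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

@dataclass
class HwBreakpoint:
    slot: int        # which of DR0..DR3 holds the address
    local: bool      # Ln bit set
    global_: bool    # Gn bit set
    kind: str        # execute / write / io / read/write
    length: int      # bytes covered by the breakpoint

@dataclass
class Dr7State:
    le: bool
    ge: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)

def decode_dr7(dr7: int) -> Dr7State:
    """Break a raw DR7 value into the flags Method 10 is looking at."""
    state = Dr7State(le=bool((dr7 >> 8) & 1), ge=bool((dr7 >> 9) & 1))
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue          # slot disarmed; its R/W and LEN bits are noise
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        state.breakpoints.append(
            HwBreakpoint(n, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return state

def softice_loader_heuristic(dr7: int) -> bool:
    """Method 10's test: 0x700 (LE and GE set) versus the idle 0x400."""
    st = decode_dr7(dr7)
    return st.le and st.ge

def bpm_set(dr7: int) -> bool:
    """True if any of DR0..DR3 is armed, i.e. a BPM-style breakpoint exists."""
    return bool(decode_dr7(dr7).breakpoints)

if __name__ == "__main__":
    # Constructed value: 0x700 plus a local 4-byte read/write BPM in DR0.
    for v in (0x400, 0x700, 0xF0701):
        print(hex(v), decode_dr7(v))
```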
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a handle to the SoftICE driver can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
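As an added example covering Methods 01 to 07 and 11 to 13 (not code from the original text or from any program it mentions), a small static scanner that flags, in a raw byte buffer, the opcode and string patterns those tricks leave in a binary, so an analyst can tell which ones a protector uses before running it under SoftICE. The opcode bytes are the standard x86 encodings of the instructions shown above; the sample buffer is constructed here.

```python
import re
from typing import List, Tuple

# (method number in the text, what the bytes are, byte-level regex).
# Immediates are little-endian; the 16-bit forms shown in the text and the
# 66h-prefixed 32-bit forms share the same tail, which is what we match.
SIGNATURES = [
    ("01", "BoundsChecker check: mov ebp,4243484Bh ('BCHK')",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "back door magic: mov si,4647h ... mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h with VxD id 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05/06", "debugger check: mov ax,4Fh ; int 41h",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "V86 handler check: mov ah,43h ; int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key name",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(rx, re.DOTALL)) for m, d, rx in SIGNATURES]

def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit."""
    hits = []
    for method, desc, rx in COMPILED:
        for mt in rx.finditer(blob):
            hits.append((mt.start(), method, desc))
    return sorted(hits)

def methods_found(blob: bytes) -> List[str]:
    """Just the method numbers, de-duplicated and sorted."""
    return sorted({m for _, m, _ in scan(blob)})

# Constructed sample buffer (not from any real program): a Method 02 back
# door call, a Method 05 int 41h probe and a MeltICE device string.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09"                      # mov ax,0911h
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si/di magic ; int 3
          + b"\x90" * 3
          + b"\xB8\x4F\x00\xCD\x41"              # mov ax,4Fh ; int 41h
          + b"\x3D\x86\xF3"                      # cmp ax,0F386h
          + b"\\\\.\\SIWVID\x00")                # '\\.\SIWVID',0

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"+0x{off:04x}  method {method}: {desc}")
```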
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).
        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>