<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; serviced by SoftICE when it is loaded
    cmp al,4                ; SoftICE changes al when it answers the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI is 0:0 when the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must address the IVT (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer byte: a value not known in advance
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

When SoftICE is loaded it services int 41h itself, so the installed handler
never runs: cl keeps the 0 set by xor cx,cx while al holds the byte read from
port 40h. Since ax is not set to 4Fh, a breakpoint conditioned on ax==4f
does not fire on this variant.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

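Added example, not part of the original text: a decoder for the DR7 value that the
check above reads, so that an analyst who has the debug-register contents (from a
kernel debugger, or from a thread CONTEXT captured with CONTEXT_DEBUG_REGISTERS)
can see what 0x400 and 0x700 mean bit by bit. The bit layout is the Intel one
(L0..G3 in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and always set, GD in
bit 13, R/W and LEN fields from bit 16); the two reference values are the ones
quoted above; decode_dr7 and classify are names chosen for this example.

```python
"""Decode x86 DR7 and report what the debug-register check above would see.

Added example, not part of the original document.  Bit layout follows the
Intel SDM description of DR7; the reference values 0x400 and 0x700 are the
ones quoted in the text (Method 10).
"""

DR7_NO_DEBUGGER = 0x400     # only the reserved, always-set bit 10
DR7_SOFTICE_LOADER = 0x700  # bit 10 plus LE (bit 8) and GE (bit 9)

_RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
_LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 10b means 8 bytes


def decode_dr7(dr7):
    """Return the armed breakpoint slots and the global flags encoded in DR7."""
    slots = []
    for n in range(4):
        local_en = bool((dr7 >> (2 * n)) & 1)        # Ln bit
        global_en = bool((dr7 >> (2 * n + 1)) & 1)   # Gn bit
        if local_en or global_en:
            rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn field
            ln = (dr7 >> (18 + 4 * n)) & 3            # LENn field
            slots.append({"slot": n, "local": local_en, "global": global_en,
                          "type": _RW_TYPES[rw], "len": _LENGTHS[ln]})
    return {
        "slots": slots,
        "local_exact": bool((dr7 >> 8) & 1),      # LE
        "global_exact": bool((dr7 >> 9) & 1),     # GE
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always 1 on a sane value
        "general_detect": bool((dr7 >> 13) & 1),  # GD: trap on any DR access
    }


def classify(dr7, dr_addrs=(0, 0, 0, 0)):
    """Summarise DR0..DR3 and DR7 the way the check in the text reads them."""
    d = decode_dr7(dr7)
    if d["slots"]:
        where = ", ".join("DR%d=0x%X" % (s["slot"], dr_addrs[s["slot"]])
                          for s in d["slots"])
        return "hardware breakpoints armed (%s)" % where
    if d["local_exact"] or d["global_exact"]:
        # 0x700: LE and GE set with no slot armed, the loader signature above
        return "exact-breakpoint flags set, debugger present"
    return "clean"


if __name__ == "__main__":
    for value in (DR7_NO_DEBUGGER, DR7_SOFTICE_LOADER, 0xD0401):
        print("DR7=0x%08X -> %s" % (value, classify(value, (0x401000, 0, 0, 0))))
```

Reading the registers themselves needs ring 0, exactly as the text says; the decoder only interprets values already obtained, and a hardware breakpoint on a real page shows up as an armed slot with its DR0..DR3 address.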
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

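Added example, not part of the original document: a static scanner that looks for
the instruction sequences and strings the methods above rely on (01-07, 11, 12 and
13), the kind of check an analyst runs over a sample to tag anti-SoftICE code before
stepping into it. Opcode encodings are the standard 16-bit ones; an optional 66h
operand-size prefix lets the same rules match the 32-bit encodings. The sample blob
is hand-assembled here, and scan, scan_file and the rule names are this example's own.

```python
"""Static scanner for the anti-SoftICE checks listed above (Methods 01-07, 11-13).

Added example, not part of the original document.  Patterns encode the
instruction sequences and strings quoted in the text; offsets are into a raw
code/data blob (a file read in binary mode).  Byte encodings are the 16-bit
ones; the optional 66h operand-size prefix also matches 32-bit code.
"""
import re

# Opcodes used (Intel SDM): B8 iw mov ax,imm16   BB iw mov bx,imm16
# BE iw mov si,imm16  BF iw mov di,imm16  BD id mov ebp,imm32  B4 ib mov ah,imm8
# CC int 3  CD ib int imm8  3D iw cmp ax,imm16  68 id push imm32.
# ".{0,12}?" tolerates a few unrelated bytes between the key instructions.
OPCODE_RULES = [
    ("M01 BoundsChecker 'BCHK' int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC"),
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\x66?\xBE\x47\x46.{0,12}?\x66?\xBF\x4D\x4A.{0,12}?\xCC"
     rb"|\x66?\xBF\x4D\x4A.{0,12}?\x66?\xBE\x47\x46.{0,12}?\xCC"),
    ("M03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xBB\x02\x02.{0,12}?\xCD\x2F"),
    ("M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xBB\x5F\x7A.{0,12}?\xCD\x2F"),
    ("M05 int 41h function 4Fh",
     rb"\x66?\xB8\x4F\x00.{0,12}?\xCD\x41"),
    ("M07 int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M05/07/12 compare AX with debugger magic 0F386h",
     rb"\x66?\x3D\x86\xF3"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     rb"\x68\x2A\x00\x2A\x00"),
]

# Device names opened by MeltICE (M11) and the registry path of M13.
STRING_MARKERS = [
    ("M11 device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("M11 device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("M11 device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("M13 registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
]

_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in OPCODE_RULES]


def _find_all(blob, needle):
    """Offsets of every occurrence of needle in blob."""
    hits, start = [], blob.find(needle)
    while start != -1:
        hits.append(start)
        start = blob.find(needle, start + 1)
    return hits


def scan(blob):
    """Return sorted (offset, rule name) pairs for every pattern found in blob."""
    hits = [(m.start(), name) for name, rx in _COMPILED for m in rx.finditer(blob)]
    for name, needle in STRING_MARKERS:
        wide = needle.decode("ascii").encode("utf-16-le")  # CreateFileW variants
        for enc in (needle, wide):
            hits.extend((off, name) for off in _find_all(blob, enc))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: hand-assembled fragments of Methods 02, 05 and 01 (the
# last one as 32-bit code) followed by an ASCII and a UTF-16 device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"          # mov ax,4Fh
    + b"\xCD\x41"              # int 41h
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\x74\x02"              # jz short +2
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"  # mov ebp,'BCHK' (32-bit encoding)
    + b"\x66\xB8\x04\x00"      # mov ax,4
    + b"\xCC"                  # int 3
    + b"\x3C\x04"              # cmp al,4
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("0x%04X  %s" % (off, name))
```

The rules are byte heuristics, so a hit is a lead to inspect at that offset rather than proof of an anti-debug check; packed samples (the text notes most packers carry Methods 01 and 02) only match after unpacking, since the scanner reads the file as it is on disk.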
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>