<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE's int 3 handler answers the BCHK request
        cmp al,4                ; al is still 4 if nobody handled it
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0:0 -> the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax alone; a debugger changes it
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if nobody else owns int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from timer channel 0
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler was really called
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD answers the DIOC_OPEN message */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
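The scanner below is an added example, not part of the original text: it turns the magic values listed in methods 01-05, 07, 11, 12 and 13 above (BCHK, SI/DI 4647h/4A4Dh, int 2Fh/1684h with the SICE and SIWVID VxD IDs, int 41h/4Fh and int 68h against 0F386h, the VxDCall 002A002Ah/4Fh pair, the \\.\SICE device names and the NuMega registry key) into byte signatures so an analyst can flag these checks in an unpacked binary. The instruction encodings are the standard x86 ones (a 66h prefix in 32-bit code may precede a match), and the sample buffer is hand-assembled from this page's listings, not taken from any real file.

```python
import re

# Byte signatures of the SoftICE checks described on this page.
# A lazy ".{0,N}?" allows a few unrelated instructions between the parts.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BCHK int3":      rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCD\x03",
    # mov si,4647h ; mov di,4A4Dh ; int 3
    "M02 backdoor int3":  rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCD\x03",
    # mov ax,1684h ; mov bx,0202h ; int 2Fh
    "M03 int2F SICE":     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F",
    # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    "M04 int2F SIWVID":   rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int41 F386":     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3",
    # mov ah,43h ; int 68h ; cmp ax,0F386h
    "M07 int68 F386":     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3",
    # push 4Fh (imm8 or imm32 form) ; push 002A002Ah
    "M12 VxDCall Int41":  rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # NUL-terminated "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" device name
    "M11 device name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # registry path checked by method 13
    "M13 registry key":   rb"Software\\NuMega\\SoftICE",
}


def scan(blob: bytes):
    """Return (offset, signature name) hits for every pattern found, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler plus hand-assembled copies of methods 01, 03,
# 05, 11 and 02 exactly as listed above (not bytes from a real program).
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp, 4243484Bh
    + b"\xB8\x04\x00\xCD\x03\x3C\x04\x75\x10"  # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7"                     # xor di,di ; mov es,di
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"  # mov ax,4Fh ; int 41h ; cmp ; jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                      # "\\.\SICE" device name
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"  # HASP backdoor call
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Run it on a dumped code section after unpacking; the patterns are meant to point an analyst at candidate locations, and each hit still needs to be confirmed in the disassembly.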