About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 (segment of the interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the SICE device only succeeds when the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
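An added example, not part of the original post: a small Python signature scanner written from the analyst's side, which flags the opcode patterns of the methods above when triaging a raw binary. The byte encodings are my own assembly of the mnemonics the post lists, and the sample buffer is constructed.

```python
import re

# Byte signatures for the SoftICE checks described in the post. The post gives
# mnemonics only; the opcode bytes below are my own encoding of them (16-bit
# forms where the post's code is DOS code, 32-bit where it is Win32 code).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "01 BoundsChecker BCHK int 3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh, with or without a 66h prefix
    "02 int 3 backdoor magic SI/DI": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2F/1684 VxD id": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h, then cmp ax,0F386h within 16 bytes
    "05 int 41/4F vs F386": rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h, then cmp ax,0F386h within 16 bytes
    "07 int 68/43 vs F386": rb"\xB4\x43\xCD\x68.{0,16}?\x3D\x86\xF3",
    # Method 11: MeltICE device names handed to CreateFileA or _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "12 VxDCall VWIN32_Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(buf, signatures=SIGNATURES):
    """Return (offset, name) pairs, sorted by offset, for every hit in buf."""
    hits = []
    for name, pattern in signatures.items():
        # DOTALL so the '.' wildcards in the patterns also match 0x0A bytes
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def found_methods(buf):
    """Set of signature names that hit at least once in buf."""
    return {name for _, name in scan(buf)}


# Constructed sample: filler bytes around four of the patterns above.
SAMPLE = (
    b"\x55\x8B\xEC"                                                   # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"      # Method 01 + cmp/jnz
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                             # Method 03 (winice id)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                              # Method 11 device name
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x3D\x86\xF3"  # Method 12
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```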