<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

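The two DR7 values the text quotes differ only in the LE and GE bits. The decoder below is an added illustration (not code from the original text) that breaks a DR7 value into those flags and the enabled DR0-DR3 slots, which is what a ring0 read of the debug registers gives you; the DR0-DR3 addresses are constructed sample values.

```python
"""Decode the Debug Registers read by the Method 10 check (added illustration,
not code from the original text). The DR7 layout is the architectural one:
L0..L3/G0..G3 enable bits in bits 0-7, LE and GE in bits 8-9, bit 10 always
set, and for slot n a 2-bit R/W field at bit 16+4n and a 2-bit LEN field at
bit 18+4n. Addresses passed in for DR0-DR3 are constructed sample values.
"""

RW_KIND = {0: "execute", 1: "data write", 2: "i/o read/write", 3: "data read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # encoding 10b is undefined on 32-bit CPUs
LE, GE, BIT10 = 0x100, 0x200, 0x400      # bits 8, 9 and 10 of DR7


def decode_dr7(dr7, dr_addrs=(0, 0, 0, 0)):
    """Return (flags, breakpoints): the LE/GE/bit-10 flags and one dict per
    enabled DR0-DR3 slot, i.e. the 'memory breakpoints set' the text mentions."""
    flags = {"le": bool(dr7 & LE), "ge": bool(dr7 & GE), "bit10_set": bool(dr7 & BIT10)}
    bps = []
    for n in range(4):
        local = bool(dr7 & 2 ** (2 * n))          # Ln enable bit
        glob = bool(dr7 & 2 ** (2 * n + 1))       # Gn enable bit
        if not (local or glob):
            continue                               # slot disabled: its R/W and LEN are moot
        rw = (dr7 // 2 ** (16 + 4 * n)) & 3       # R/Wn field
        ln = (dr7 // 2 ** (18 + 4 * n)) & 3       # LENn field
        bps.append({"reg": n, "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
                    "address": dr_addrs[n]})
    return flags, bps


def describe(dr7, dr_addrs=(0, 0, 0, 0)):
    """Summarise a DR7 value in the terms the text uses."""
    flags, bps = decode_dr7(dr7, dr_addrs)
    if bps:
        return "0x%X: %d memory breakpoint(s): " % (dr7, len(bps)) + "; ".join(
            "DR%d %s %s len=%d at 0x%08X" % (b["reg"], b["scope"], b["kind"],
                                              b["length"], b["address"]) for b in bps)
    if flags["le"] and flags["ge"]:
        return "0x%X: no breakpoints, LE/GE set (the 0x700 SoftICE-loader case)" % dr7
    return "0x%X: no breakpoints, LE/GE clear (the plain 0x400 case)" % dr7


if __name__ == "__main__":
    # Constructed inputs: the two values quoted in the text, then a DR7 with a
    # local 4-byte read/write breakpoint in slot 0 (like a SoftICE BPM).
    for value, addrs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
                         (0xF0401, (0x401000, 0, 0, 0))):
        print(describe(value, addrs))
```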
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);       /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

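As an added example (not code from the original text), a static signature scan that flags the instruction sequences and strings from Methods 01-05, 07 and 11-13 in a raw binary, the way an analyst triages a protected sample before running it. The byte patterns are the encodings of the instructions listed in those methods; SAMPLE is a constructed buffer.

```python
"""Static signature scan for the SoftICE checks listed in Methods 01-05, 07 and
11-13 (added example, not code from the original text). Each pattern is the
x86 encoding of the instruction sequence shown in that method (16-bit for the
DOS/V86 ones, 32-bit for the Win32 ones) or the string it opens. Hits are
heuristics over raw bytes: confirm each one in a disassembler.
"""
import re

D = re.DOTALL   # let the '.' gaps match any byte, including 0x0A

SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 interface",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),                         # mov ebp,4243484Bh
    ("02", "int 3 back door, SI=4647h / DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc", D)),   # mov si/mov di/int 3
    ("03", "int 2Fh/1684h, SICE VxD ID 0202h",
     re.compile(rb"\xb8\x84\x16.{0,4}\xbb\x02\x02.{0,4}\xcd\x2f", D)),
    ("04", "int 2Fh/1684h, SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xb8\x84\x16.{0,4}\xbb\x5f\x7a.{0,4}\xcd\x2f", D)),
    ("05", "int 41h/4Fh, compare with 0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,8}\xcd\x41.{0,8}\x3d\x86\xf3", D)),
    ("07", "int 68h/43h, compare with 0F386h",
     re.compile(rb"\xb4\x43.{0,4}\xcd\x68.{0,8}\x3d\x86\xf3", D)),
    ("11", "MeltICE: open the SICE, SIWVID or NTICE device",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),                 # push 4Fh/push 2A002Ah
    ("13", "registry probe for the NuMega\\SoftICE key",
     re.compile(rb"NuMega\\SoftICE")),
]


def scan(data):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop body from Method 02, the simplest
# Method 05 check and the MeltICE device string, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"                       # mov ax,0911h
    + b"\x8b\x17"                           # mov dx,[bx]
    + b"\xbe\x47\x46" + b"\xbf\x4d\x4a"     # mov si,4647h / mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("offset %#06x  method %s  %s" % (off, method, desc))
```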
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>