<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler, so only a debugger that intercepts the interrupt below
the vector table (as SoftICE does) can still return the magic value:

    xor ax, ax
    mov es, ax                  ; ES must address the IVT (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
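As an added example (not part of the original text), here is a small Python scanner that looks for the byte sequences of the checks described in Methods 01, 02, 05, 07, 11 and 12 inside a binary, the way an analyst would triage a packed sample for anti-SoftICE code before loading it in a debugger. The instruction encodings, the optional 66h operand-size prefixes (so that 16-bit and 32-bit builds both match) and the sample buffer are my own assumptions, not taken from the page.

```python
import re

# Byte-level signatures for the SoftICE checks described above. The encodings
# are my own assumptions (standard x86, with optional 66h operand-size prefixes
# so 16-bit and 32-bit code both match); they are not taken from the page.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    "bchk_int3": rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: the back-door magic values mov si,4647h / mov di,4A4Dh
    "backdoor_magic": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "int41_4f": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "int68_43": rb"\xB4\x43\xCD\x68(?:\x66)?\x3D\x86\xF3",
    # Method 12: push 4Fh / push 002A002Ah followed closely by a call (VxDCall)
    "vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,8}?(?:\xE8|\xFF\x15)",
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    "meltice_name": b"|".join(
        re.escape(n)
        for n in (b"\\\\.\\SICE\x00", b"\\\\.\\SIWVID\x00", b"\\\\.\\NTICE\x00")
    ),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return sorted (offset, signature name) pairs for every match in blob."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample "binary" (not a real file): NOP padding, a Method 01 check
# at offset 4, a Method 12 VxDCall check at 24, a MeltICE device name at 40 and
# a 16-bit Method 05 check at 49.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x00" * 6
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\\\\.\\SICE\x00"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Feeding a real file is just `scan(open(path, "rb").read())`; a hit is a cue to put a breakpoint on the matching check rather than proof of a protection, since the same bytes can appear by chance in data.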
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>