<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,45
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI != 0 -> the VxD answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to be 0 (IVT) here
        xchg bx, es:[41h*4+2]   ; install a temporary int 41h handler
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our own handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing value (timer port)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al -> our handler was not the one called
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
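As an added example (not part of this text): a small Python signature scanner, written from the analyst's side, that flags the byte patterns of the tricks above (methods 01 to 07, 11, 12 and 13) inside a file. The signatures are the standard x86 encodings of the instructions listed in each method; the sample buffer is constructed here and is not taken from any real program.

```python
import re
import sys

# Byte signatures of the anti-SoftICE tricks described above (standard x86
# encodings; the 16-bit forms also match inside 32-bit code, where they only
# carry a 66h operand-size prefix in front of the same bytes).
SIGNATURES = {
    "M01 BoundsChecker int 3 (mov ebp,'BCHK')":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 SoftICE int 3 backdoor (mov si,4647h .. mov di,4A4Dh)":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A",
    "M03 int 2Fh/1684h on VxD 0202h (SICE)":
        rb"\xBB\x02\x02.{0,8}\xCD\x2F",
    "M04 int 2Fh/1684h on VxD 7A5Fh (SIWVID)":
        rb"\xBB\x5F\x7A.{0,8}\xCD\x2F",
    "M05/06 int 41h followed by cmp ax,0F386h":
        rb"\xCD\x41.{0,16}\x3D\x86\xF3",
    "M07 mov ah,43h / int 68h":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name \\\\.\\SICE|SIWVID|NTICE":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 registry key Software\\NuMega\\SoftICE":
        rb"Software\\NuMega\\SoftICE",
}
# DOTALL so the '.' gap between two instructions may also match byte 0Ah.
COMPILED = {desc: re.compile(pat, re.DOTALL) for desc, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for desc, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample, not a real binary: NOP padding around the Haspinst.exe
# sequence of Method 02, the simplest Method 05 check and a MeltICE string.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911 .. int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # mov ax,4f .. jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                   # "\\.\SICE"
    + b"\x90" * 8
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, desc in scan(blob):
        print(f"{off:08x}  {desc}")
```

Run it with a file name to scan that file; with no argument it scans the constructed sample and reports three hits.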
: o. ^( n$ S$ }, W</PRE></TD></TR></TBODY></TABLE> |