<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE driver by its device name; succeeds only if loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>