<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, INT 3 returns AL=0 if SoftICE is loaded and
leaves AL=4 untouched otherwise.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via the program's own exception handler
(SEH) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first; if the VxD is not
loaded, Windows leaves ES:DI at 0000:0000, so a non-zero sum means the
VxD answered.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is
temporarily replaced by a dummy IRET handler, so nothing else answers the
call; SoftICE, if loaded, still returns 0F386h:

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: it
never compares against 0F386h. The installed handler copies AL into CL; a
pseudo-random byte read from the timer (port 40h) is put in AL and CX is
cleared before int 41h. If our handler really ran, CL==AL afterwards; if
SoftICE handled the interrupt itself, CL is still 0. (A timer reading of 0
makes the test pass even with SoftICE loaded.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random byte from the PIT
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode). Function 43h is
the installation check; a system debugger answers AX=0F386h, as for
int 41h/4Fh:

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine, so that single-stepping or a breakpoint lands in the protection's
own code.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise:
bit 10 of DR7 always reads as 1, and bits 8 and 9 are the LE/GE exact-breakpoint
enables a debugger turns on) or whether memory breakpoints are set (DR0 to DR3
hold the addresses, the low byte and the R/W and LEN fields of DR7 say which
are armed), simply by reading their values (ring0 only, since MOV from a debug
register is privileged). The values can be manipulated or changed as well
(clearing BPMs, for instance).
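
The following Python is an added example, not part of the original text: it
decodes DR7 the way a ring0 check of this kind interprets it (the reserved
bit 10 behind the 0x400 baseline, the LE/GE bits 8 and 9 behind 0x700, and
the enable, R/W and LEN fields that describe each BPM in DR0-DR3), and shows
how a protection would clear a BPM. The register values are constructed for
illustration; reading the real registers needs "mov eax, drN" in ring0.

```python
# Added example: decode x86 debug registers as an anti-SoftICE check would.
# Register values below are constructed; real ones need ring0 (mov eax, drN).

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # always reads as 1: the 0x400 baseline in the text
DR7_GD = 1 << 13         # general detect: #DB on any access to a DRx

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}  # LEN=10b means 8 bytes (64-bit only)


def decode_dr7(dr7, dr0_3):
    """Describe what DR7 says about the four address registers DR0..DR3."""
    bpms = []
    for n in range(4):
        local = ((dr7 >> (2 * n)) & 1) == 1       # Ln bit
        glob = ((dr7 >> (2 * n + 1)) & 1) == 1    # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn field
        length = (dr7 >> (18 + 4 * n)) & 3        # LENn field
        bpms.append({
            "index": n,
            "address": dr0_3[n],
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[length],
        })
    return {
        "exact_enabled": (dr7 & (DR7_LE | DR7_GE)) != 0,
        "general_detect": (dr7 & DR7_GD) != 0,
        "breakpoints": bpms,
    }


def debugger_hint(dr7):
    """Method 10's heuristic: 'bpm' if any BPM is armed, 'loader' if only
    LE/GE are set (0x700), 'clean' for the bare reserved bit (0x400)."""
    if dr7 & 0xFF:
        return "bpm"
    if dr7 & (DR7_LE | DR7_GE):
        return "loader"
    return "clean"


def clear_bpm(dr7, n):
    """Return DR7 with breakpoint n disarmed (Ln and Gn cleared), which is
    the 'clearing BPMs' manipulation the text mentions."""
    return dr7 & ~(0b11 << (2 * n))


if __name__ == "__main__":
    # Constructed: a 4-byte read/write BPM on 0x401000 in DR0, plus the 0x400 bit.
    sample_dr7 = DR7_RESERVED1 | 0b01 | (3 << 16) | (3 << 18)
    print(debugger_hint(0x400), debugger_hint(0x700), debugger_hint(sample_dr7))
    print(decode_dr7(sample_dr7, [0x401000, 0, 0, 0]))
    print(hex(clear_bpm(sample_dr7, 0)))
```

A protection reading DR7 this way sees only what SoftICE has armed at that
instant, which is why the warning above says to clear breakpoints before
tracing through such code.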

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 comparison looks at the first four characters of the device name.)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
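
The following Python is an added example, not part of the original text and
not code from any of the programs named above: a static triage scanner that
finds the byte sequences of the checks described in methods 01, 02, 03/04,
05, 07, 11 and 12 in a raw code/data buffer, the way you would triage a
packer before running it under SoftICE. Opcode encodings assume 16-bit code
for the DOS tricks and 32-bit code for the Win32 ones, as in the listings
above; the sample buffer is constructed here and stands in for a real dump.

```python
# Added example: signature scanner for the anti-SoftICE tricks listed in this
# text. Patterns are x86 opcode bytes (None = wildcard); SAMPLE is constructed.
import struct

WILD = None

VXD_NAMES = {0x0202: "SICE", 0x7A5F: "SIWVID"}

SIGNATURES = [
    ("01 BCHK int 3 (mov ebp,'BCHK'; mov ax,4; int 3)",
     [0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC]),
    ("02 back door int 3 (mov si,4647h; mov di,4A4Dh; int 3)",
     [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC]),
    ("03/04 int 2Fh/1684h VxD entry point (mov ax,1684h; mov bx,ID; int 2Fh)",
     [0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F]),
    ("05 int 41h/4Fh (mov ax,4Fh; int 41h)",
     [0xB8, 0x4F, 0x00, 0xCD, 0x41]),
    ("07 int 68h/43h (mov ah,43h; int 68h)",
     [0xB4, 0x43, 0xCD, 0x68]),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)",
     [0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00]),
    ("05/07/12 debugger magic (cmp ax,0F386h)",
     [0x3D, 0x86, 0xF3]),
]
# Method 11: the device names MeltICE-style code opens with CreateFileA/_lopen.
for dev in (b"SICE", b"SIWVID", b"NTICE"):
    SIGNATURES.append(("11 MeltICE device name \\\\.\\" + dev.decode(),
                       list(b"\\\\.\\" + dev)))


def match_at(buf, off, pattern):
    """True if pattern (ints or None wildcards) matches buf at offset off."""
    if off + len(pattern) > len(buf):
        return False
    return all(p is WILD or buf[off + i] == p for i, p in enumerate(pattern))


def scan(buf):
    """Return sorted (offset, signature name, detail) for every hit in buf."""
    hits = []
    for name, pattern in SIGNATURES:
        for off in range(len(buf) - len(pattern) + 1):
            if not match_at(buf, off, pattern):
                continue
            detail = ""
            if name.startswith("03/04"):
                # the wildcard bytes are the little-endian VxD ID passed in BX
                vxd_id = struct.unpack_from("<H", buf, off + 4)[0]
                detail = "VxD ID %04Xh (%s)" % (vxd_id, VXD_NAMES.get(vxd_id, "unknown"))
            hits.append((off, name, detail))
    hits.sort()
    return hits


# Constructed sample: the checks above glued together with NOP padding.
SAMPLE = (
    b"\x55\x8b\xec"                                          # push ebp / mov ebp,esp
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"    # method 01 + cmp al,4
    + b"\x90" * 4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"            # method 02 (AX=0911h)
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"                    # method 04 (BX=7A5Fh)
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                    # method 05 + cmp ax,0F386h
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15"                # method 12 (call [..] follows)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # method 11 strings
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print("%04X  %s  %s" % (off, name, detail))
```

The 0F386h pattern on its own is only a hint (the constant can appear in
unrelated data), so read it together with a neighbouring int 41h/68h or
VxDCall hit before setting a BPINT.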

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey string; 'tICE' sits at offset 0x13 in
 "Software\NuMega\SoftICE" and at 0x37 in the Uninstall\SoftICE path.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag; it returns with the Zero flag clear if a
debugger is installed.
</PRE></TD></TR></TBODY></TABLE>