<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own (dummy) int 41h handler in the IVT
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler in the IVT
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: a changing value in al
    xor cx,cx
    int 41h                 ; our handler copies al into cl
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0: something else answered int 41h
    jnz SoftICE_detected
___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

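To make the two DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes DR7 with the standard Intel bit layout: 0x400 is only the reserved bit 10, which always reads as 1, while 0x700 additionally has LE and GE (bits 8 and 9) set, and an enabled L/G bit for a slot means a hardware breakpoint (a BPM) is armed in the matching dr0-dr3. The classification in `debugger_fingerprint` is an assumption built from those two values, not a rule taken from the text.

```python
"""Decode an x86 DR7 value the way the text above reads it.

Added example, not part of the original text. Bit layout is the standard one:
L0..L3/G0..G3 in bits 0-7 (local/global enable for dr0-dr3), LE bit 8, GE bit 9,
bit 10 reserved and always read as 1, GD bit 13, then R/Wn (2 bits) and LENn
(2 bits) per slot from bit 16 upward. The classification heuristic is mine,
built only from the two values the text quotes (0x700 and 0x400).
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # R/W field encodings
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                    # LEN field -> bytes (2 = 8 only on 64-bit)

def decode_dr7(dr7: int) -> dict:
    """Return the control bits and the four breakpoint slots as a dict."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        slots.append({
            "n": n, "local": local, "global": glob, "enabled": local or glob,
            "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {"LE": bool(dr7 >> 8 & 1), "GE": bool(dr7 >> 9 & 1),
            "GD": bool(dr7 >> 13 & 1), "reserved_bit10": bool(dr7 >> 10 & 1),
            "slots": slots}

def debugger_fingerprint(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """Apply the text's reading: enabled slots mean BPMs are set; LE+GE without
    any enabled slot means the process was started under the SoftICE loader."""
    d = decode_dr7(dr7)
    active = [s for s in d["slots"] if s["enabled"]]
    if active:
        return "hardware breakpoints set: " + ", ".join(
            f"dr{s['n']}={dr0_3[s['n']]:#x} ({s['type']},{s['len']}B)" for s in active)
    if d["LE"] and d["GE"]:
        return "LE/GE set: debugger-loaded process (SoftICE loader)"
    return "clean"

if __name__ == "__main__":
    for value in (0x400, 0x700, 0xF0401):   # 0xF0401: dr0 local, rw, 4 bytes
        print(f"dr7={value:#x}: {debugger_fingerprint(value, (0x401000, 0, 0, 0))}")
```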
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

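The SoftICE breakpoints given for each method only catch a trick while it runs. For an analyst looking at a sample offline, the same constants the text lists (the 'BCHK' immediate of method 01, the 4647h/4A4Dh values of method 02, the int 2Fh/1684h query of methods 03 and 04, the int 41h/4Fh and F386h check of methods 05, 07 and 12, the \\.\SICE device names of method 11 and the registry paths of method 13) can be turned into byte patterns. The following is an added example, not code from the original text; the instruction encodings it assumes are the plain 16-bit forms (mov r16,imm16 = B8+r imm16, int n = CD n, cmp ax,imm16 = 3D imm16), the sample buffer is constructed, and the method numbers refer to this text's numbering.

```python
"""Static scanner for the SoftICE-detection signatures listed in this text.

Added example, not part of the original text. Assumption: plain 16-bit
encodings (mov r16,imm16 = B8+r imm16; int n = CD n; cmp ax,imm16 = 3D imm16),
with an optional 66h operand-size prefix for the same code in a 32-bit module.
"""
import re

# (method number in the text, what the pattern represents, compiled regex)
SIGNATURES = [
    (1, "mov ebp,4243484Bh (BoundsChecker 'BCHK' probe)",      # BD + imm32 LE
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    (2, "mov si,4647h ... mov di,4A4Dh (back-door magic values)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    (2, "mov ax,091xh (back-door function number)",
     re.compile(rb"\xB8[\x10-\x14]\x09")),
    (3, "mov ax,1684h ... mov bx,0202h|7A5Fh (int 2Fh VxD entry-point query)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)", re.DOTALL)),
    (5, "mov ax,4Fh / int 41h (debugger installation check)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    (5, "cmp ax,0F386h (system-debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    (7, "mov ah,43h / int 68h (WinICE V86 handler probe)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    (11, "\\\\.\\SICE / SIWVID / NTICE device name (MeltICE-style open)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    (12, "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    (13, "SoftICE registry path",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]

def scan(blob: bytes) -> list:
    """Every hit as (offset, method, description), sorted by offset."""
    return sorted((m.start(), method, desc)
                  for method, desc, pat in SIGNATURES
                  for m in pat.finditer(blob))

def methods_found(blob: bytes) -> list:
    """Distinct method numbers (as numbered in the text) whose signature occurs."""
    return sorted({method for _, method, _ in scan(blob)})

# Constructed sample: code bytes carrying methods 02 and 05, followed by the
# strings a MeltICE-style (method 11) and a registry (method 13) check would use.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:02d}  {desc}")
```

A hit is an indicator to review in a disassembler, not proof: the short byte sequences (a `cmp ax,0F386h` in particular) can occur in unrelated code.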
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>