About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so that es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nothing else caught int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: a changing byte
    xor     cx,cx                   ; cl stays 0 unless int41handler runs
    int     41h                     ; a debugger hooking int 41h keeps it from running
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
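As an added example (not part of the original post, nor code from SoftICE, NuMega or any tool named above), the following Python script turns the instruction sequences and strings quoted in methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 into static byte signatures that an analyst can run over an unpacked sample to triage which anti-SoftICE checks it carries. The instruction encodings (16-bit code for the DOS tricks, 32-bit for the Win32 ones, optional 66h prefix), the signature names and the constructed SAMPLE buffer are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Byte-level regexes derived from the instruction sequences and strings quoted
# in the methods above.  Encoding assumptions (mine, not the post's): the DOS
# tricks are 16-bit code (mov r16,imm16 = B8+r imm16, int n = CD n), the Win32
# ones are 32-bit code (mov ebp,imm32 = BD imm32); an optional 66h operand-size
# prefix lets the 16-bit forms also be found inside 32-bit code.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 within a few bytes
    "M01 BoundsChecker BCHK/int 3": rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (the SoftICE back door magic values)
    "M02 back door magic SI/DI": rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID": rb"\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ; int 41h (looks for the F386h magic number)
    "M05/06 int 41h/4Fh": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names opened via CreateFileA or _lopen
    "M11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah ; call Kernel32!ORD_0001 (VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry paths that give away the SoftICE install directory
    "M13 SoftICE registry key": rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(blob))
    hits.sort()
    return hits


def summarize(blob: bytes) -> Dict[str, int]:
    """Hit count per signature: a quick triage view of an unpacked sample."""
    counts: Dict[str, int] = {}
    for _, name in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample (not a real binary): a fake header, a Method 01 stub,
# a MeltICE device name, a Method 12 VxDCall stub and a Method 13 registry path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"   # offset 16
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                             # offset 34
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                 # offset 43
    + b"Software\\NuMega\\SoftICE\x00"                                # key at 59
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:#010x}  {name}")
```

Run it on a sample that has already been unpacked: on a still-packed file only the strings of the outer packer are visible, and a hit only tells you which check to expect, not that it is reachable.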