About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to the IVT (segment 0) here,
    xchg    bx, es:[41h*4+2]        ; as set up explicitly in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
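Added example for Method 10 (not part of the original text): a small DR7 decoder, so the two values quoted above, 0x700 and 0x400, can be read as register fields instead of compared as magic numbers. The bit layout is the standard x86 one (L0..L3/G0..G3 in bits 0..7, LE bit 8, GE bit 9, bit 10 reserved and always read as 1, GD bit 13, RWn/LENn in bits 16+4n/18+4n); the "SoftICE loader" interpretation of 0x300 follows the text's own observation and is not claimed beyond it.

```python
"""DR7 decoder for the Method 10 check. Added example, not part of the
original text. It explains a raw DR7 value the way a ring0 check sees it:
which of dr0..dr3 are armed, with what condition and length, and whether
the LE/GE "exact breakpoint" bits that the text associates with the
SoftICE loader are set. Layout per the Intel SDM: L0..L3 / G0..G3
alternate in bits 0..7, LE = bit 8, GE = bit 9, bit 10 is reserved and
reads as 1, GD = bit 13, RWn = bits 16+4n, LENn = bits 18+4n.
"""
from dataclasses import dataclass, field
from typing import Dict, List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class Dr7Info:
    local: List[int]        # slots enabled by Ln (cleared on task switch)
    glob: List[int]         # slots enabled by Gn
    le: bool                # local exact breakpoint enable
    ge: bool                # global exact breakpoint enable
    gd: bool                # general detect: trap on any mov to/from DRn
    slots: Dict[int, Dict[str, object]] = field(default_factory=dict)


def decode_dr7(dr7: int) -> Dr7Info:
    """Split DR7 into its enable bits and per-slot condition/length fields."""
    local = [n for n in range(4) if (dr7 >> (2 * n)) & 1]
    glob = [n for n in range(4) if (dr7 >> (2 * n + 1)) & 1]
    info = Dr7Info(local, glob,
                   le=bool((dr7 >> 8) & 1),
                   ge=bool((dr7 >> 9) & 1),
                   gd=bool((dr7 >> 13) & 1))
    for n in sorted(set(local) | set(glob)):
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info.slots[n] = {"kind": RW_KIND[rw], "length": LEN_BYTES[ln]}
    return info


def any_hw_breakpoint(dr7: int) -> bool:
    """True when any of dr0..dr3 is armed: the 'BPM set' case of Method 10."""
    return (dr7 & 0xFF) != 0


def softice_loader_pattern(dr7: int) -> bool:
    """The text's observation for a program started through the SoftICE
    loader: LE and GE set (0x300) while no slot is armed. 0x400 alone is
    just the always-set reserved bit, i.e. a clean register."""
    return (dr7 & 0x3FF) == 0x300


def describe(dr7: int) -> str:
    """One-line human reading of a DR7 value."""
    i = decode_dr7(dr7)
    armed = ", ".join(f"dr{n}:{s['kind']}/{s['length']}B"
                      for n, s in i.slots.items()) or "none"
    return (f"dr7={dr7:#x} local={i.local} global={i.glob} "
            f"LE={i.le} GE={i.ge} GD={i.gd} armed={armed}")


if __name__ == "__main__":
    # 0x400: clean; 0x700: LE+GE as the text describes; last: dr0 armed as a
    # 4-byte read/write global breakpoint (constructed value).
    for value in (0x400, 0x700, 0x400 | 0x2 | (3 << 16) | (3 << 18)):
        print(describe(value))
```

Reading the register this way also shows why the trick is fragile from the protector's side: any debugger that arms a hardware breakpoint changes the low byte, and the reserved bit 10 is set whether or not a debugger is present, so only the LE/GE and Ln/Gn fields carry information.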

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.