<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________


Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as the one of method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the int 41h vector
(ES is assumed to point to the interrupt vector table, i.e. ES = 0 as set up
in method 06) with a handler that does nothing, so a plain int 41h can only
come back with 0F386h in ax if something else intercepts the interrupt:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
installed handler copies AL into CL: if int 41h reaches it, CL == AL
afterwards, whereas if something intercepts int 41h before it, CL stays 0:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value read from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
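As an added illustration for the dr7 values quoted above (not from the original text): a small Python decoder of the DR7 control bits, showing why a clean register reads 0x400 (only the always-set reserved bit 10) while 0x700 also carries the LE and GE bits, and what a real BPM in dr0 looks like in dr7. The bit layout is the documented x86 one; the sample values are constructed.

```python
# Added example for method 10 (not from the original text): decode the x86 DR7
# debug-control register to tell the values quoted above apart. Bit layout per
# the Intel manual: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved
# always-set bit 10, GD bit 13, R/Wn in bits 16+4n, LENn in bits 18+4n.
DR7_LE = 0x100        # local exact breakpoint enable
DR7_GE = 0x200        # global exact breakpoint enable
DR7_RESERVED = 0x400  # always reads as 1: the 0x400 baseline of a clean register
DR7_GD = 0x2000       # general detect: trap any MOV to/from a debug register

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b means 8 bytes (64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the enabled DR0-DR3 slots and the control flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": bool(local), "global": bool(glob),
                      "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "reserved": bool(dr7 & DR7_RESERVED)}


def classify_dr7(dr7: int) -> str:
    """Heuristic from the text: any enabled slot = BPM set, LE+GE with no slot =
    program loaded through the SoftICE loader, bare 0x400 = clean."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoints set"
    if info["le"] and info["ge"]:
        return "SoftICE loader signature"
    return "clean"


def clear_bpm(dr7: int) -> int:
    """DR7 with the four L/G enable pairs cleared: the 'clearing BPMs' manipulation."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed values: clean, loaded by the SoftICE loader, and a 4-byte
    # read/write BPM in slot 0 (L0 set, R/W0 = 11b, LEN0 = 11b).
    for value in (0x400, 0x700, 0xF0401):
        print(f"dr7={value:#x}: {classify_dr7(value)}")
```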

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

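A static signature scanner for the tricks described in methods 01 to 07, 11, 12 and 13, added here as an example (it is not part of the original text nor of any tool it mentions). Run over a raw code or data buffer, it reports where the byte patterns behind those checks occur, which is how an analyst can spot the anti-debug checks in a packed program before tracing it; the opcode encodings and the sample bytes are constructed by hand, so a real binary may use other registers or instruction orderings.

```python
import re

# Added example, not from the original text: a static signature scanner for the
# byte patterns behind methods 01-07, 11, 12 and 13. Encodings are the standard
# 16-bit ones the assembly above produces (mov r16,imm16 = B8+reg iw,
# int n = CD ib); method 01 assumes 32-bit code. Windows of up to 8/12
# arbitrary bytes allow for register setup between the landmark instructions.
DEVICE_PREFIX = b"\\\\.\\"   # the characters \\.\ in front of SICE/SIWVID/NTICE

SIGNATURES = [
    ("method 01: BoundsChecker 'BCHK' int 3 check",         # mov ebp,4243484Bh ... int 3
     rb"\xbd\x4b\x48\x43\x42.{0,12}\xcc"),
    ("method 02: SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     rb"(?:\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46).{0,8}\xcc"),
    ("method 03/04: int 2Fh/1684h lookup of the SICE or SIWVID VxD ID",
     rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    ("method 05/06: int 41h function 4Fh debugger check",   # mov ax,4Fh ... int 41h
     rb"\xb8\x4f\x00.{0,8}\xcd\x41"),
    ("method 07: int 68h function 43h WinICE handler check",  # mov ah,43h ... int 68h
     rb"\xb4\x43.{0,8}\xcd\x68"),
    ("method 11: MeltICE driver name",
     re.escape(DEVICE_PREFIX) + rb"(?:SICE|SIWVID|NTICE)"),
    ("method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",  # push 4Fh / push 002A002Ah
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("method 13: SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]
# DOTALL so that '.' also matches a 0x0A byte inside the instruction window.
COMPILED = [(name, re.compile(pattern, re.DOTALL)) for name, pattern in SIGNATURES]


def scan(code: bytes) -> list:
    """Return (offset, description) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, regex in COMPILED:
        for match in regex.finditer(code):
            hits.append((match.start(), name))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: the Haspinst.exe back door loop from method 02,
    # MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3.
    sample = b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    for offset, description in scan(sample):
        print(f"{offset:#06x}  {description}")
```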
__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>