About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE changes AL if it handled the call
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They swap a private handler into the int 41h
vector around the call, so a reply cannot come from a ring-3 handler sitting in
the IVT; SoftICE answers the call from ring 0 and is still detected:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody else handled int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer counter
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL; SoftICE's does not
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise) or
whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the device name \\.\SICE only exists while the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
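Added example, not part of the original post and not code from SoftICE, MeltICE or any program named above: a small C scanner that looks for the byte encodings of the instruction sequences and device names quoted in Methods 01 to 07, 11 and 12 inside a raw binary image, the way an analyst triaging a packed DOS or Win9x executable would before stepping into it with SoftICE. The instruction encodings are standard x86; the T_* flag names, the scan_anti_softice() function and the sample buffers are all constructed here for illustration and are not from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One bit per trick family; scan_anti_softice() returns the OR of those seen. */
enum {
    T_BCHK    = 1 << 0,  /* Method 01: int 3 with EBP='BCHK'                     */
    T_BACKDR  = 1 << 1,  /* Method 02: int 3 with SI=4647h, DI=4A4Dh             */
    T_VXDID   = 1 << 2,  /* Methods 03/04: int 2Fh/1684h with BX=0202h/7A5Fh     */
    T_INT41   = 1 << 3,  /* Methods 05/06: mov ax,4Fh ; int 41h                  */
    T_INT68   = 1 << 4,  /* Method 07: mov ah,43h ; int 68h                      */
    T_MAGIC   = 1 << 5,  /* cmp ax,0F386h (Methods 05/06/07/12); weak on its own */
    T_MELT    = 1 << 6,  /* Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE strings   */
    T_VXDCALL = 1 << 7   /* Method 12: push 4Fh ; push 002A002Ah ; VxDCall       */
};

struct sig { const char *name; const unsigned char *pat; size_t len; unsigned flag; };

/* Standard x86 encodings of the sequences quoted on the page. In 32-bit code a 66h
 * operand-size prefix precedes the 16-bit forms; the patterns start after it. */
static const unsigned char s_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh      */
static const unsigned char s_si[]     = { 0xBE, 0x47, 0x46 };                         /* mov si,4647h           */
static const unsigned char s_di[]     = { 0xBF, 0x4D, 0x4A };                         /* mov di,4A4Dh           */
static const unsigned char s_sice[]   = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };             /* mov bx,0202h ; int 2Fh */
static const unsigned char s_siwvid[] = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };             /* mov bx,7A5Fh ; int 2Fh */
static const unsigned char s_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh ; int 41h   */
static const unsigned char s_int68[]  = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h ; int 68h   */
static const unsigned char s_f386[]   = { 0x3D, 0x86, 0xF3 };                         /* cmp ax,0F386h          */
static const unsigned char s_vxd[]    = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh ; push 002A002Ah */
static const unsigned char s_dsice[]  = "\\\\.\\SICE";
static const unsigned char s_dsiwv[]  = "\\\\.\\SIWVID";
static const unsigned char s_dntice[] = "\\\\.\\NTICE";

static const struct sig sigs[] = {
    { "Method 01 BoundsChecker 'BCHK' probe",        s_bchk,   sizeof s_bchk,       T_BCHK    },
    { "Method 03 int 2Fh/1684h SICE VxD ID",         s_sice,   sizeof s_sice,       T_VXDID   },
    { "Method 04 int 2Fh/1684h SIWVID VxD ID",       s_siwvid, sizeof s_siwvid,     T_VXDID   },
    { "Method 05/06 int 41h function 4Fh",           s_int41,  sizeof s_int41,      T_INT41   },
    { "Method 07 int 68h function 43h",              s_int68,  sizeof s_int68,      T_INT68   },
    { "cmp ax,0F386h debugger magic number",         s_f386,   sizeof s_f386,       T_MAGIC   },
    { "Method 12 VxDCall VWIN32_Int41Dispatch",      s_vxd,    sizeof s_vxd,        T_VXDCALL },
    { "Method 11 MeltICE device name \\\\.\\SICE",   s_dsice,  sizeof s_dsice - 1,  T_MELT    },
    { "Method 11 MeltICE device name \\\\.\\SIWVID", s_dsiwv,  sizeof s_dsiwv - 1,  T_MELT    },
    { "Method 11 MeltICE device name \\\\.\\NTICE",  s_dntice, sizeof s_dntice - 1, T_MELT    },
};

/* Plain byte search; adequate for the few hundred KB of a DOS or Win9x binary. */
static int has_bytes(const unsigned char *buf, size_t n, const unsigned char *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || n < plen) return 0;
    for (i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns the OR of T_* flags for every trick family whose bytes occur in buf[0..n). */
unsigned scan_anti_softice(const unsigned char *buf, size_t n)
{
    unsigned found = 0;
    size_t i;
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (has_bytes(buf, n, sigs[i].pat, sigs[i].len))
            found |= sigs[i].flag;
    /* Method 02 is only reported when both magic values are loaded somewhere. */
    if (has_bytes(buf, n, s_si, sizeof s_si) && has_bytes(buf, n, s_di, sizeof s_di))
        found |= T_BACKDR;
    return found;
}

/* Constructed sample: Method 01, then Method 05, then a Method 02 backdoor call. */
static const unsigned char sample_dos[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x05,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x03,
    0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC
};
/* Constructed sample: a MeltICE device name next to a Method 12 VxDCall sequence. */
static const unsigned char sample_w32[] = {
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x3D, 0x86, 0xF3, 0x74, 0x02
};
static const unsigned char sample_clean[] = "Just an ordinary program with no debugger checks.";

int main(void)
{
    const unsigned char *bufs[] = { sample_dos, sample_w32, sample_clean };
    const size_t lens[] = { sizeof sample_dos, sizeof sample_w32, sizeof sample_clean - 1 };
    size_t b, i;
    for (b = 0; b < 3; b++) {
        unsigned f = scan_anti_softice(bufs[b], lens[b]);
        printf("sample %u: flags 0x%02x\n", (unsigned)b, f);
        for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
            if (has_bytes(bufs[b], lens[b], sigs[i].pat, sigs[i].len))
                printf("  %s\n", sigs[i].name);
        if (f & T_BACKDR) printf("  Method 02 backdoor magic values SI=4647h, DI=4A4Dh\n");
    }
    return 0;
}
```

Read the result as a triage hint, not a verdict: the three-byte `cmp ax,0F386h` pattern is weak on its own and only means something next to an int 41h, int 68h or VxDCall hit, and a packer that decrypts its anti-debug code at run time will hide everything from a static pass, so run the scan over a memory dump taken after the unpacking stub has finished rather than over the file on disk.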