<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; a non-zero ES:DI means the VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

This next variant, as well as the following method, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first
pointed at a dummy handler (es is assumed to be 0, the IVT segment):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect:

int41handler PROC
    mov cl, al              ; the dummy handler just copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read an arbitrary value from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if something else serviced int 41h, cl != al
    jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler through int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
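
As an added illustration of Method 10 (not part of the original text), the
following Python decodes a DR7 value into its fields and shows why 0x700 versus
0x400 is the tell: bit 10 of DR7 always reads as 1, and 0x700 differs from
0x400 only in bits 8 and 9 (LE and GE). The function names, the helpers that
arm or clear a breakpoint and the sample values are my own.

```python
# Added example: decode and edit the x86 DR7 debug control register as used
# by Method 10. Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0/2/4/6      L0..L3   local enable for DR0..DR3
#   bits 1/3/5/7      G0..G3   global enable for DR0..DR3
#   bit 8             LE       local exact breakpoint match
#   bit 9             GE       global exact breakpoint match
#   bit 10            reserved, always reads as 1 (hence the 0x400 floor)
#   bit 13            GD       general detect (trap on any access to DR0-DR7)
#   bits 16+4n,17+4n  R/Wn     condition for DRn
#   bits 18+4n,19+4n  LENn     length for DRn
CONDITIONS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (x86-64 only)


def decode_dr7(dr7):
    """Return the global flags and the list of armed hardware breakpoints."""
    info = {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": [],
    }
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                          # DRn is not armed, skip it
        info["breakpoints"].append({
            "reg": n,
            "scope": "global" if glob else "local",
            "condition": CONDITIONS[(dr7 >> (16 + 4 * n)) & 3],
            "length": LENGTHS[(dr7 >> (18 + 4 * n)) & 3],
        })
    return info


def softice_loaded(dr7):
    """Method 10 heuristic: 0x700 (LE|GE|reserved) vs 0x400 (reserved only)."""
    return (dr7 & 0x300) == 0x300


def set_breakpoint(dr7, n, condition, length, global_scope=False):
    """Arm DRn the way a BPM does: enable bit plus condition and length fields."""
    rw = {v: k for k, v in CONDITIONS.items()}[condition]
    ln = {v: k for k, v in LENGTHS.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * n))             # clear the old R/Wn and LENn bits
    dr7 |= (rw | (ln << 2)) << (16 + 4 * n)
    dr7 |= 1 << (2 * n + 1 if global_scope else 2 * n)
    return dr7


def clear_breakpoints(dr7):
    """What a protector does when it 'clears BPMs': drop all L/G enable bits."""
    return dr7 & ~0xFF
```
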
___________________________________________________________________________
9 y9 [* y& w6 ~: N6 Q, D I% P7 J8 H- a" T* M
Method 11
+ F& J. {( R# G& a, w+ e=========
; b3 Z9 d2 m5 A. A# b6 G
6 u6 N7 ?" b; Y8 o5 bThis method is most known as 'MeltICE' because it has been freely distributed
* y+ W, T" [! J8 ?+ uvia www.winfiles.com. However it was first used by NuMega people to allow( ]' m7 W# |/ h: o/ i0 d
Symbol Loader to check if SoftICE was active or not (the code is located* |. r% N" R+ K. c4 {6 S& ~3 d5 P
inside nmtrans.dll).
& e2 k' \4 u0 d8 E! ?' U, u6 m4 i+ a' B# i! C
The way it works is very simple:8 x, a7 h/ E# Z8 t3 B! n
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ V" E( N- e, X8 `5 oWinNT) with the CreateFileA API.
& ?, P* ?3 }! o; s& l4 U8 M' y* z$ ~
/ s, E9 Z- ]/ S: XHere is a sample (checking for 'SICE'):
; N0 O) q! ^. C& u+ n. W+ F" b/ u$ s! q$ b0 h s7 x2 U
BOOL IsSoftIce95Loaded()0 E& H; ^5 U+ ]3 D0 t% ]
{
/ t. n8 `( m2 G( p( e HANDLE hFile;
3 m8 O) Y2 R0 b5 } hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE," l' a% Y$ e' M+ O: S, ~7 t
FILE_SHARE_READ | FILE_SHARE_WRITE,
( W( t f# V% m" } NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ f0 n1 G* p' |3 H [7 _5 K if( hFile != INVALID_HANDLE_VALUE )8 E2 U- r: F; i6 H; J
{
6 ?: Y" h4 U1 {7 T+ D- o6 @: X CloseHandle(hFile);
& @ }( i0 `1 ^2 d return TRUE;
9 c+ L2 p- W( L, S }
" v% ?& u8 U. m! U$ I return FALSE;" s# A, S4 T2 I( Z
}
; U' A1 r$ b3 S. I( z
; t( D" J5 j! X$ p: r+ y4 dAlthough this trick calls the CreateFileA function, don't even expect to be
/ U3 L& g z/ c3 z7 x4 H+ q" P. N: `able to intercept it by installing a IFS hook: it will not work, no way!4 D" V3 ~2 w" k$ O& P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
# M& o* w3 j P5 F- l7 ^service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
' t( t. i& V y: _/ ]* uand then browse the DDB list until it find the VxD and its DDB_Control_Proc3 w& s3 a( [1 E8 m$ S8 @/ q. ?
field.
5 ^9 X' w$ @& L, bIn fact, its purpose is not to load/unload VxDs but only to send a 6 v" P* \9 I2 q! Q8 p1 Y+ ?0 V
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
. ]+ A# Y' g b2 e) _5 e$ ?to the VxD Control_Dispatch proc (how the hell a shareware soft could try# |9 C* j. G. u( B ?, o1 q1 {
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
& {, r+ \* r* u/ R1 }0 m" p3 w6 mIf the VxD is loaded, it will always clear eax and the Carry flag to allow& X" l& h8 z; ^
its handle to be opened and then, will be detected.
' w1 o) X& f3 ^% k oYou can check that simply by hooking Winice.exe control proc entry point
( q+ J- _3 q' u/ Owhile running MeltICE.
# v0 ~ y7 u2 u7 Y; G8 ?" n
& D: X6 U2 B! i. J# a# `3 y+ U: k
00401067: push 00402025 ; \\.\SICE* W, f& k6 E- C( |, T, A3 w. Y
0040106C: call CreateFileA
9 m3 G% Z0 i$ | 00401071: cmp eax,-001
* R, i4 Z; Z7 I7 l5 J 00401074: je 00401091, m! w! k# j. F
: e2 R8 @2 o0 t/ }; p. N# t' {# ]$ L% h; O2 F9 g. r" U
There could be hundreds of BPX you could use to detect this trick.
" D3 U+ D0 \$ V' T# m-The most classical one is:
8 p- z9 F. \4 B# S: C$ y BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||6 x$ `2 [! n9 q3 _7 v% j9 L" ?
*(esp->4+4)=='NTIC'; w1 {1 [* _7 Y7 W5 n4 K& ^
; T' p4 |, S8 ?
-The most exotic ones (could be very slooooow :-(
: l) i% |3 C' H( Q+ K; | BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
8 W1 K8 d) K4 _- u$ z+ h9 e# Y) w) F ;will break 3 times :-(
+ a- W* \3 t. g& P5 g
H6 Q4 ]6 [* X9 Q w8 ^. m-or (a bit) faster: + m$ [# R/ a4 O. ], m3 ~4 D, ?
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
0 g& O2 z) l; A5 `' G2 ]
8 f9 A6 _! [9 M# W N BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 1 B4 n% H4 ?: ]: Z7 }
;will break 3 times :-(3 O2 q/ ^6 N4 p0 w( q: }! x3 ~
; @* G5 a6 t {: H7 _
-Much faster:
( M# u$ M* @' b BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
5 R6 Z, f1 |' M$ \0 T% X( D
_0 h) D0 [7 W+ r/ oNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ r3 z# t* V+ k4 B7 t/ mfunction to do the same job:# P: [1 \0 M' Q1 R
& y% f' @9 A7 Z6 a
push 00 ; OF_READ" n& g4 }: n0 b+ z" h3 U# i! c
mov eax,[00656634] ; '\\.\SICE',0
+ n$ p' S) c* F2 { push eax
0 o' T4 p/ w8 s( q+ T* s1 i call KERNEL32!_lopen
& Y- o3 k; p. G/ t8 d; H2 J9 t7 T inc eax$ D+ I! b" i5 g
jnz 00650589 ; detected
+ p! ]1 F, n9 |! M. N push 00 ; OF_READ) N# A/ [! |* _/ J
mov eax,[00656638] ; '\\.\SICE'2 s0 Q! ~6 q7 Q
push eax5 r% J" b& K6 j$ D
call KERNEL32!_lopen' u& ]( g8 a" B
inc eax
7 |( `. {8 s* ~' } jz 006505ae ; not detected
4 W- ?. k, j2 q4 f. ?. o, w- i) y4 x
6 }* f J% a# \" |4 U/ b, `__________________________________________________________________________% G" T4 f) R; T0 T( v

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

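As an added example (not from the original text), here is a small Python
scanner that looks for the byte-level fingerprints of Methods 01 to 07, 11 and
12 in a binary, the way an analyst triages a sample for these tricks. The byte
sequences are the standard 16-bit encodings of the instructions quoted in each
method (Method 01 with an optional 66h prefix); the pattern names, the allowed
gap between instructions and the sample blob are my own choices.

```python
import re

# Added example: static fingerprints for the SoftICE checks described above.
# Byte sequences are the standard x86 encodings of the quoted instructions;
# ".{0,N}?" tolerates a few unrelated bytes between them.
# Encodings: B8/BB/BE/BF iw = mov ax/bx/si/di,imm16; B4 ib = mov ah,imm8;
# BD id = mov ebp,imm32; CD ib = int n; CC = int 3; 6A ib / 68 id = push imm.
SIGNATURES = {
    # mov ebp,'BCHK' ... int 3 (BoundsChecker signature, optional 66h prefix)
    "Method 01": rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # mov si,4647h ... mov di,4A4Dh ... int 3 (SoftICE back door magic values)
    "Method 02": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh (VxD ID of SICE/SIWVID)
    "Method 03/04": rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # mov ax,4Fh ... int 41h (debugger installation check, magic 0F386h)
    "Method 05/06": rb"\xB8\x4F\x00.{0,24}?\xCD\x41",
    # mov ah,43h ... int 68h (WinICE V86 handler)
    "Method 07": rb"\xB4\x43.{0,8}?\xCD\x68",
    # push 4Fh ; push 002A002Ah (VxDCall to VWIN32_Int41Dispatch)
    "Method 12": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE" device names used by MeltICE
    "Method 11": b"|".join(re.escape(b"\\\\.\\" + n)
                           for n in (b"SICE", b"SIWVID", b"NTICE")),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return [(offset, method_name), ...] for every fingerprint, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample blob: padding followed by fragments in the encodings above.
SAMPLE = (
    b"\x90\x90\x90\x90"                                    # 0:  padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # 4:  Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 16: Method 02 (Haspinst style)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # 28: Method 03
    + b"\\\\.\\SICE\x00"                                   # 36: MeltICE device name
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 45: Method 05
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```
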
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>