<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL still holds 4 if nothing answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h           ; get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h           ; get VxD API entry point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is swapped with
a dummy handler for the duration of the call, so the magic value can only come
from a debugger that hooks the interrupt elsewhere:

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing, AX is left unchanged
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; copies AL into CL when the call reaches this handler
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; a varying value (timer counter) to be copied
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL is still 0 if the handler was not reached
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

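The checks of methods 01 to 05, 07, 11, 12 and 13 are all built from fixed immediates and strings, so an analyst can locate them in a packer or protector on disk instead of tracing them. The scanner below is an added example, not code from this page or from any tool it names; its byte patterns are derived from the listings above and the sample buffer is constructed here.

```python
"""Static scanner for the anti-SoftICE checks listed on this page (methods 01-05,
07, 11, 12 and 13). Added example, not code from the page or from the tools it
names: each listing's fixed immediates and strings become a byte pattern so an
analyst can spot the check in a packer on disk. The sample buffer is constructed."""
import re
import sys

# (method, description, pattern): x86 little-endian encodings of the listings above.
# A 0x66 operand-size prefix may precede the 16-bit instructions in 32-bit code,
# so short gaps are allowed between the key bytes.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' / int 3",             # mov ebp,4243484Bh ; mov ax,4 ; int 3
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00\xCC"),
    ("02", "back door magic SI=4647h DI=4A4Dh / int 3",  # mov si,4647h ; mov di,4A4Dh ; int 3
     rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h with SICE or SIWVID VxD id",  # mov ax,1684h ; mov bx,id ; int 2Fh
     rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05", "int 41h/4Fh answered with 0F386h",           # mov ax,4Fh ; int 41h ; cmp ax,0F386h
     rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("07", "int 68h/43h answered with 0F386h",           # mov ah,43h ; int 68h ; cmp ax,0F386h
     rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("12", "VxDCall VWIN32_Int41Dispatch / 0F386h",      # push 002A002Ah ... cmp ax,0F386h
     rb"\x68\x2A\x00\x2A\x00.{0,16}?\x3D\x86\xF3"),
    ("11", "MeltICE driver name",                        # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
     rb"\\\\\.\\(SICE|SIWVID|NTICE)(?![A-Za-z0-9])"),
    ("13", "SoftICE registry key",                       # keys #1 and #2 of method 13
     rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data):
    """Return [(offset, method, description)] for every hit, ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: the page's sequences glued together behind NOP padding
# (methods 01 and 12 as 32-bit code with the 0x66 prefix, 05 and 04 as 16-bit code).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 at 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # method 05 at 18
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                           # method 04 at 28
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"                   # method 12 at 41
    + b"\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # method 11 at 55, 64
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13 at 74
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(data):
        print("%08x  method %-5s %s" % (off, method, desc))
```

Run it with a file path to scan that file; without arguments it scans the constructed sample. Methods 06, 08, 09, 10 and 14 have no fixed byte signature (handler address, DOS vector, VMM service numbers) and are not covered.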
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>