About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is left unchanged (4) when no SoftICE handles the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next example, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; ES must be 0 (real-mode IVT) here; Method 06 shows the setup
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

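The two DR7 values quoted above can be read off the register's bit layout. The C program below is an added example, not code from the original post: it decodes a DR7 value into its fields (the per-register L/G enable bits, the R/W and LEN fields, and the LE/GE "exact" bits) so that 0x400, which is only the architecturally-set bit 10, and 0x700, which adds LE and GE, can be told apart, and so that any armed DR0-DR3 breakpoints are listed. The sample values are constructed from the text; nothing here reads the real registers, which, as the text says, needs ring 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the x86 DR7 debug control register. */
typedef struct {
    int local_enable[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];             /* R/W0..3: bits 16-17, 20-21, 24-25, 28-29 */
    int len[4];            /* LEN0..3: bits 18-19, 22-23, 26-27, 30-31 */
    int le;                /* bit 8: local exact breakpoint enable */
    int ge;                /* bit 9: global exact breakpoint enable */
    int reserved_bit10;    /* bit 10: architecturally reads as 1 */
    int gd;                /* bit 13: general detect (trap on MOV to/from DRn) */
    int active_count;      /* breakpoints with L or G set */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        d.local_enable[i]  = (dr7 >> (2 * i))      & 1u;
        d.global_enable[i] = (dr7 >> (2 * i + 1))  & 1u;
        d.rw[i]            = (dr7 >> (16 + 4 * i)) & 3u;
        d.len[i]           = (dr7 >> (18 + 4 * i)) & 3u;
        if (d.local_enable[i] || d.global_enable[i])
            d.active_count++;
    }
    d.le             = (dr7 >> 8)  & 1u;
    d.ge             = (dr7 >> 9)  & 1u;
    d.reserved_bit10 = (dr7 >> 10) & 1u;
    d.gd             = (dr7 >> 13) & 1u;
    return d;
}

/* Condition encoded by an R/W field. */
const char *dr7_rw_name(int rw)
{
    static const char *names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

/* Byte length encoded by a LEN field (2 means 8 bytes in 64-bit mode, undefined in 32-bit). */
int dr7_len_bytes(int len)
{
    static const int bytes[4] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

/* The Method 10 test as the text states it: 0x700 (LE|GE|bit 10) versus 0x400 (bit 10 only). */
int dr7_loaded_by_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

void dr7_print(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    printf("DR7 = 0x%08x: LE=%d GE=%d GD=%d reserved10=%d, %d breakpoint(s) enabled\n",
           dr7, d.le, d.ge, d.gd, d.reserved_bit10, d.active_count);
    for (int i = 0; i < 4; i++)
        if (d.local_enable[i] || d.global_enable[i])
            printf("  DR%d: %s, %d byte(s), %s\n", i, dr7_rw_name(d.rw[i]),
                   dr7_len_bytes(d.len[i]), d.local_enable[i] ? "local" : "global");
}

int main(void)
{
    /* Constructed sample values: the two quoted in the text, plus one with a
       4-byte write breakpoint (a BPM-style memory breakpoint) armed in DR0. */
    dr7_print(0x400u);
    dr7_print(0x700u);
    dr7_print(0x700u | 1u | (1u << 16) | (3u << 18));
    return 0;
}
```

Only the enable, R/W and LEN fields say what is armed; DR0-DR3 hold the addresses and are not part of this decode. A value with bit 10 clear cannot come from a real processor read and would point at a hand-written or emulated register image.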
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded only because the driver answered */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
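The breakpoint conditions in Method 11 (the CreateFileA/_lopen test) and Method 13 (the _regopenkey test above) are plain tests on the call arguments, so they can be checked outside the debugger. The C program below is an added example, not code from the original post: it applies the same four-byte compares to constructed API-call records such as a call monitor or sandbox trace would log. esp->4 is CreateFileA's first argument (lpFileName) and the "\\.\" prefix is four bytes long, which is why +4 lands on the device name; esp->8 is RegOpenKey's second argument (lpSubKey). The program also derives the two constants 0x13 and 0x37 as the offsets of "tICE" inside key #2 and key #1, and shows that key #3 is not covered by that expression. The api_event record, the function names and the sample trace are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Four-byte compare at a fixed offset, mirroring SoftICE's *(addr)=='SICE'.
   Offsets past the end of the string never match (the debugger would be
   reading beyond the argument). */
static int tag_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11 rule: lpFileName starts with "\\.\" and the device name is a SoftICE driver. */
int matches_softice_device(const char *lpFileName)
{
    if (!tag_at(lpFileName, 0, "\\\\.\\"))
        return 0;
    return tag_at(lpFileName, 4, "SICE")
        || tag_at(lpFileName, 4, "SIWV")
        || tag_at(lpFileName, 4, "NTIC");
}

/* Method 13 rule: 'tICE' at offset 0x13 or 0x37 of lpSubKey. */
int matches_softice_regkey(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" in a key path, or -1: this is where the two constants come from. */
long tice_offset(const char *key)
{
    const char *p = strstr(key, "tICE");
    return p ? (long)(p - key) : -1L;
}

/* A constructed API-call record, as a call monitor might log it. */
typedef struct {
    const char *api;   /* "CreateFileA", "_lopen" or "RegOpenKeyA" */
    const char *arg;   /* the argument the breakpoint condition inspects */
} api_event;

/* Apply the rule that belongs to the API; returns 1 if the breakpoint would fire. */
int event_hits(const api_event *e)
{
    if (strcmp(e->api, "CreateFileA") == 0 || strcmp(e->api, "_lopen") == 0)
        return matches_softice_device(e->arg);
    if (strcmp(e->api, "RegOpenKeyA") == 0)
        return matches_softice_regkey(e->arg);
    return 0;
}

int count_hits(const api_event *ev, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += event_hits(&ev[i]);
    return hits;
}

int main(void)
{
    /* Constructed trace: the three driver probes from the text, one benign
       device open, and the three registry keys (#2, #1, #3 in that order). */
    static const api_event trace[] = {
        { "CreateFileA", "\\\\.\\SICE" },
        { "CreateFileA", "\\\\.\\NTICE" },
        { "_lopen",      "\\\\.\\SIWVID" },
        { "CreateFileA", "\\\\.\\PhysicalDrive0" },
        { "RegOpenKeyA", "Software\\NuMega\\SoftICE" },
        { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
        { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
    };
    size_t n = sizeof trace / sizeof trace[0];
    for (size_t i = 0; i < n; i++)
        printf("%-12s %-70s -> %s\n", trace[i].api, trace[i].arg,
               event_hits(&trace[i]) ? "breakpoint fires" : "no match");
    printf("%d of %zu calls match; 'tICE' offsets: key#2=0x%lx key#1=0x%lx\n",
           count_hits(trace, n), n,
           tice_offset(trace[4].arg), tice_offset(trace[5].arg));
    return 0;
}
```

Both compares are case-sensitive, as SoftICE's are, while registry key names are not: a program that opens "software\numega\softice" passes this rule and the original breakpoint alike, so a monitor built on this idea should compare case-insensitively. Key #3 yields no hit because "tICE" does not occur at either offset in that path; a rule for it would need its own offset.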

, ~3 @# m1 [# M% l/ V9 G! b__________________________________________________________________________  p! ^9 b& K& C) I# |+ W! ]. N

2 ~: o) \* c7 i' h' I
4 x) o% \6 N6 H$ y# D* L+ Y, d6 M& xMethod 14
: y; ]$ j6 L& o. A=========
) C$ y1 i5 _1 _& v9 R; ]$ i$ b9 V; y; [5 q. {$ x
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose. x/ z7 K6 K) X1 |
is to determines whether a debugger is running on your system (ring0 only).
: E$ I1 f# ?! b6 w5 @
% J" ?$ P6 \( @4 m( Z6 Q: t, A   VMMCall Test_Debug_Installed$ D' h6 a8 j. N5 F* Z2 m5 C5 y4 ?
   je      not_installed
( h( i7 z/ S6 k% L% [1 g. V* ^9 f4 b' H' y! Q) n+ S
This service just checks a flag.
) H2 C5 q, U4 H$ F' A9 \2 X</PRE></TD></TR></TBODY></TABLE>