<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE: SoftICE answers the 'BCHK' handshake
on INT 3 by modifying AL, so if AL is still 4 afterwards no debugger
answered.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information about breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:

-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded, i.e. when nothing answers the INT 3.

___________________________________________________________________________


Method 03
=========

Less common method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI comes back as 0:0 when no VxD with that
ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h that every system debugger
returns (in AX) when called through int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next listing, and Method 06 after it, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is swapped
for a do-nothing handler around the call and restored afterwards (without
a debugger the int 41h vector is a BIOS data pointer, not code, so the
dummy handler keeps the call safe):

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method similar to the preceding one, but harder to detect (neither
4Fh nor 0F386h appears in the code): the installed handler copies AL into
CL, so if CL does not match AL after the call, the program's own handler
was not the one that ran.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (PIT counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device, and returns its Device Description Block (in ECX) if it
is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________

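As an added illustration of the check above (example code written for this page, not the author's or any packer's): a decoder for the DR7 value a ring-0 routine would read, listing which of DR0..DR3 is armed and how, and telling the 0x700 and 0x400 values apart by their LE/GE bits. The bit layout is the documented x86 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always set, R/Wn and LENn pairs from bit 16 upward); the sample values are constructed.

```python
"""DR7 decoder for the debug-register check in Method 10.

Added example, not from the original page.  Given a DR7 value read from
ring 0, list the armed hardware breakpoints and flag the LE/GE bits that
distinguish the 0x700 value the text reports for the SoftICE loader from
the bare 0x400 (reserved bit 10 alone).
"""
from dataclasses import dataclass

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)


@dataclass(frozen=True)
class HwBreakpoint:
    index: int      # DRn holding the linear address
    scope: str      # local, global or local+global
    kind: str       # access type that fires it
    length: int     # bytes covered


def decode_dr7(dr7: int) -> list[HwBreakpoint]:
    """Return the armed breakpoints described by DR7 (empty list = no BPM set)."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln enable bit
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn enable bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn field
        scope = "local+global" if local and glob else ("local" if local else "global")
        armed.append(HwBreakpoint(n, scope, RW_NAMES[rw], LEN_BYTES[ln]))
    return armed


def exact_flags_set(dr7: int) -> bool:
    """LE and GE (bits 8 and 9) both set, i.e. what 0x700 adds on top of 0x400."""
    return (dr7 >> 8) & 0b11 == 0b11


def describe(dr7: int) -> str:
    """One-line verdict in the spirit of Method 10."""
    parts = []
    if exact_flags_set(dr7):
        parts.append("LE/GE set (loaded via SoftICE loader?)")
    for bp in decode_dr7(dr7):
        parts.append(f"DR{bp.index} {bp.scope} {bp.kind} len={bp.length}")
    return "; ".join(parts) or "nothing armed"


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus a 4-byte write BPM on DR0.
    for value in (0x400, 0x700, 0x000D0403):
        print(f"DR7={value:#010x}: {describe(value)}")
```

The decoder is only as good as the read: on Win9x a ring-3 program cannot execute `mov eax, dr7`, which is why the text insists on ring 0.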
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov  eax,[00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                        ; _lopen returns -1 on failure
        jnz  00650589                   ; detected
        push 00                         ; OF_READ
        mov  eax,[00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae                   ; not detected

__________________________________________________________________________
" X1 Z) ^1 \( [2 q# Z- B8 K6 ]9 ~Method 12. ^5 P. i$ t! T) o {
=========2 }/ K0 c; f3 U0 k$ v
2 A; {8 R6 N4 F' i: DThis trick is similar to int41h/4fh Debugger installation check (code 05
" Z( I$ j$ J$ f/ `& 06) but very limited because it's only available for Win95/98 (not NT)
, D4 |5 V$ X; q- _! v* Las it uses the VxDCall backdoor. This detection was found in Bleem Demo.' P# T/ j4 A. Z* n$ R, {# v9 [
3 n& @" V3 L" N% f push 0000004fh ; function 4fh# }+ p9 | d+ S
push 002a002ah ; high word specifies which VxD (VWIN32)
. N: k/ G4 k$ ?: A! J% f ; low word specifies which service
4 D- d/ z5 |! ^4 r$ q8 ?8 T$ M8 ^ (VWIN32_Int41Dispatch)
6 t( a+ s5 @) X, }( w% v call Kernel32!ORD_001 ; VxdCall
& _, z, E3 B6 E0 Q" _4 Z+ H n cmp ax, 0f386h ; magic number returned by system debuggers4 n( t& V) y, `, q C9 C3 Y
jz SoftICE_detected! p; v b# B, H- x6 E+ \4 J
$ _. B* U# c$ N @8 A5 Z/ \
Here again, several ways to detect it:, i- q" M- u; H# i6 F
3 p8 H1 s; y# r
BPINT 41 if ax==4f& t3 j6 t# p) T' t- _# ?* _3 z1 Q2 ^
; h6 p# R% d2 r4 k, }! d BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one, u* ]8 n" S7 y* K* Q" B) l1 Z! F# L
; r5 D2 a8 n5 g2 u8 R8 J3 ^
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A! U0 B& Z! M$ x
* R, w# Z2 e' c* p) M+ R. x BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!. w7 ~* }. R+ I; J/ `6 u) ~
! t m) N; z0 K' I3 O' y7 h__________________________________________________________________________* ?# s( n3 D$ g3 S
$ L' s& f% l" p5 M$ Q2 ~7 g
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


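Added example covering Methods 01 to 07, 11, 12 and 13 above (written for this page; it is not code from the original author, from SoftICE or from any packer): a static scanner that, for each trick, finds its trigger instruction (INT 3, INT 2Fh, INT 41h, INT 68h, or the VxDCall `push 2A002Ah`) and requires the immediates listed in those sections to appear in the few bytes before it, plus the device-name and registry strings of Methods 11 and 13. The byte encodings are hand-assembled from the mnemonics on this page (assumption: plain 16-bit or flat 32-bit x86 without obfuscation), and the sample blob is constructed.

```python
"""Static scanner for the anti-SoftICE sequences catalogued on this page.

Added example, not code from the page's author.  Each trick is keyed on
the instruction that fires it and on the immediates loaded shortly before.
Encodings are hand-assembled from the mnemonics in the text; 'mov ax,imm'
may carry a 66h prefix, which is tolerated since only B8 xx xx is matched.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, NamedTuple


class Hit(NamedTuple):
    offset: int      # offset of the trigger instruction or string
    method: str      # method number from this page plus a short tag


@dataclass(frozen=True)
class Signature:
    method: str
    trigger: bytes                          # the INT / PUSH that fires the trick
    window: int                             # bytes before the trigger to inspect
    needs: tuple[tuple[bytes, ...], ...]    # every group must match one alternative


SIGNATURES = (
    Signature("01 BCHK int3 handshake", b"\xCC", 16, (
        (b"\xBD\x4B\x48\x43\x42",),                  # mov ebp, 4243484Bh ('BCHK')
        (b"\xB8\x04\x00",),                          # mov ax, 04h
    )),
    Signature("02 SoftICE backdoor int3", b"\xCC", 24, (
        tuple(bytes([0xB8, fn, 0x09]) for fn in range(0x10, 0x15)),  # mov ax, 0910h..0914h
        (b"\xBE\x47\x46",),                          # mov si, 4647h
        (b"\xBF\x4D\x4A",),                          # mov di, 4A4Dh
    )),
    Signature("03 int2F/1684 SICE", b"\xCD\x2F", 16, (
        (b"\xB8\x84\x16",),                          # mov ax, 1684h
        (b"\xBB\x02\x02",),                          # mov bx, 0202h
    )),
    Signature("04 int2F/1684 SIWVID", b"\xCD\x2F", 16, (
        (b"\xB8\x84\x16",),
        (b"\xBB\x5F\x7A",),                          # mov bx, 7A5Fh
    )),
    Signature("05 int41/4F magic", b"\xCD\x41", 16, (
        (b"\xB8\x4F\x00",),                          # mov ax, 4Fh
    )),
    Signature("06 int41 AL/CL probe", b"\xCD\x41", 16, (
        (b"\xE4\x40",),                              # in al, 40h
        (b"\x33\xC9", b"\x31\xC9"),                  # xor cx, cx (either encoding)
    )),
    Signature("07 int68/43", b"\xCD\x68", 8, (
        (b"\xB4\x43",),                              # mov ah, 43h
    )),
    Signature("12 VxDCall Int41Dispatch", b"\x68\x2A\x00\x2A\x00", 8, (
        (b"\x6A\x4F",),                              # push 4Fh before push 2A002Ah
    )),
)

# Plain strings used by the handle and registry probes (Methods 11 and 13).
STRINGS = (
    ("11 device name", (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    ("13 registry probe", (b"Software\\NuMega\\SoftICE",
                           b"Uninstall\\SoftICE",
                           b"App Paths\\Loader32.Exe")),
)


def _find_all(blob: bytes, needle: bytes) -> Iterator[int]:
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def scan(blob: bytes) -> list[Hit]:
    """Report each trigger whose preceding window holds all required immediates."""
    hits: list[Hit] = []
    for sig in SIGNATURES:
        for pos in _find_all(blob, sig.trigger):
            window = blob[max(0, pos - sig.window):pos]
            if all(any(alt in window for alt in group) for group in sig.needs):
                hits.append(Hit(pos, sig.method))
    for method, names in STRINGS:
        for name in names:
            hits.extend(Hit(pos, method) for pos in _find_all(blob, name))
    return sorted(hits)


# Constructed sample: Methods 01, 02, 03 and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh   (Method 01, 32-bit code)
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3                 -> hit at offset 13
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x11\x09"              # mov ax, 0911h         (Method 02, 16-bit code)
    + b"\x8B\x17"                  # mov dx, [bx]
    + b"\xBE\x47\x46"              # mov si, 4647h
    + b"\xBF\x4D\x4A"              # mov di, 4A4Dh
    + b"\xCC"                      # int 3                 -> hit at offset 37
    + b"\x90" * 8
    + b"\x33\xFF"                  # xor di, di            (Method 03)
    + b"\x8E\xC7"                  # mov es, di
    + b"\xB8\x84\x16"              # mov ax, 1684h
    + b"\xBB\x02\x02"              # mov bx, 0202h
    + b"\xCD\x2F"                  # int 2Fh               -> hit at offset 56
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0          (Method 11) -> offset 66
    + b"\x90" * 4
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  Method {hit.method}")
```

The windows are deliberately small so that a stray CCh (alignment padding, a real breakpoint) without the surrounding immediates does not fire; widen them if a packer interleaves junk instructions. Method 14 (VMMCall Test_Debug_Installed) is not covered because the VMMCall encoding depends on the service number, which this page does not give.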
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag: it returns with ZF set when no debugger
is installed, which is what the je above tests.
</PRE></TD></TR></TBODY></TABLE>