<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4, the INT 3 is answered by SoftICE when it is loaded, and AL no longer
holds 4 on return.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; still 4 when no SoftICE answered the call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): when the VxD is loaded, ES:DI comes back non-zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax           ; ES:DI is still 0:0 when the VxD is absent
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so that with no system debugger present the
interrupt simply returns and ax is left unchanged:

    xor ax,ax
    mov es,ax                ; (added) ES must address the IVT, segment 0, as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install the dummy handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the value read from timer port 40h is passed in AL to int 41h, and the dummy
handler copies it to CL. CL differs from AL afterwards only if something other
than the dummy handler serviced the interrupt (if the value read happens to
be 0 the check misses, since CX was cleared beforehand).

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; an unpredictable value (timer counter)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                      ; DOS: set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> the new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
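As an added illustration of the debug-register check (this is not code from the text above), the Python below decodes a DR7 value into the fields such a ring-0 check would read. It only does the bit arithmetic; reading DR7 itself needs ring 0, as the text says. The two values quoted above differ in bits 8 and 9 (LE and GE); bit 10 of DR7 is reserved and always reads as 1, which is why an idle DR7 is 0x400 rather than 0. The sample values are constructed, not captured from a machine.

```python
def decode_dr7(dr7):
    """Break a DR7 value into the fields a Method 10 style check would inspect.

    Bits 0-7 are the L/G enable pairs for DR0..DR3, bits 8/9 are LE/GE, bit 10 is
    reserved (reads as 1), bit 13 is GD, and bits 16-31 hold the R/W and LEN fields
    of the four address registers.
    """
    rw_names = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
    len_bytes = {0: 1, 1: 2, 2: 8, 3: 4}
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            breakpoints.append({"dr": i, "kind": rw_names[rw], "length": len_bytes[ln]})
    return {
        "breakpoints": breakpoints,      # the BPMs (dr0..dr3) the text mentions
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
    }


def classify(dr7):
    """Reproduce the text's reading of DR7: 0x700 with the SoftICE loader, 0x400 otherwise."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoints set on " + ", ".join(f"dr{b['dr']}" for b in d["breakpoints"])
    if d["le"] and d["ge"]:
        return "LE/GE set (0x700 pattern: started under the SoftICE loader)"
    return "idle (0x400 pattern)"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus one with a 4-byte
    # read/write BPM on DR0 (L0 enabled, R/W0 = 11b, LEN0 = 11b).
    for value in (0x700, 0x400, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(f"dr7={value:#06x}: {classify(value)}  {decode_dr7(value)}")
```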

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE VxD answers an open of its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the open only succeeds when the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
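The scanner below is an added example (it is not code from this text, nor from Haspinst.exe, MeltICE or any other program named here): it looks for the byte and string artefacts of the checks catalogued in Methods 01 to 07, 11 (including the _lopen variant), 12 and 13 in a raw code image, so that an analyst can spot these checks statically before stepping into them. Assumptions: the opcode patterns are hand-assembled from the 16-bit listings above (the 32-bit forms only add a 66h prefix in front of the 16-bit MOVs, which the patterns do not anchor on), and SAMPLE is a constructed buffer, not a dump of any real file.

```python
"""Static scanner for the SoftICE checks catalogued above (added example, not from the page)."""
import re

# Up to 16 bytes of unrelated instructions are tolerated between the anchors of a pattern.
ANY = rb".{0,16}?"

SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' INT 3 check",
     rb"\xbd\x4b\x48\x43\x42" + ANY + rb"\xcc"),                      # mov ebp,4243484Bh .. int 3
    ("Method 02: INT 3 backdoor (SI=4647h, DI=4A4Dh)",
     rb"\xbe\x47\x46" + ANY + rb"\xbf\x4d\x4a" + ANY + rb"\xcc"),      # mov si / mov di .. int 3
    ("Method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16" + ANY + rb"\xbb\x02\x02" + ANY + rb"\xcd\x2f"),  # mov ax,1684h / mov bx .. int 2Fh
    ("Method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16" + ANY + rb"\xbb\x5f\x7a" + ANY + rb"\xcd\x2f"),
    ("Method 05: INT 41h function 4Fh",
     rb"\xb8\x4f\x00" + ANY + rb"\xcd\x41"),                            # mov ax,4Fh .. int 41h
    ("Method 07: INT 68h function 43h",
     rb"\xb4\x43" + ANY + rb"\xcd\x68"),                                # mov ah,43h .. int 68h
    ("Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),                                 # push 4Fh / push 002A002Ah
    ("Method 13: registry key Software\\NuMega\\SoftICE",
     re.escape(b"Software\\NuMega\\SoftICE")),
    ("Method 13: registry key CurrentVersion\\Uninstall\\SoftICE",
     re.escape(b"CurrentVersion\\Uninstall\\SoftICE")),
    ("Method 13: registry key App Paths\\Loader32.Exe",
     re.escape(b"App Paths\\Loader32.Exe")),
]
# Method 11 (MeltICE) and its _lopen variant both embed the driver name as a NUL-terminated string.
for dev in (b"SICE", b"SIWVID", b"NTICE"):
    SIGNATURES.append((f"Method 11: opens driver \\\\.\\{dev.decode()}",
                       re.escape(b"\\\\.\\" + dev) + rb"\x00"))

# INT 3 backdoor sub-functions listed under Method 02.
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command at ds:dx",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}


def backdoor_function(code, start, end):
    """Name the 'mov ax,09xxh' sub-function loaded within 16 bytes before a Method 02 hit."""
    lo = max(0, start - 16)
    for m in re.finditer(rb"\xb8(.)\x09", code[lo:end], re.DOTALL):
        func = 0x0900 | m.group(1)[0]
        if func in BACKDOOR_FUNCS:
            return f"AX={func:04X}h ({BACKDOOR_FUNCS[func]})"
    return "sub-function not found nearby"


def scan(code):
    """Return sorted (offset, description) pairs for every signature matching the code image."""
    findings = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, code, re.DOTALL):
            desc = name
            if name.startswith("Method 02"):
                desc += ", " + backdoor_function(code, m.start(), m.end())
            findings.append((m.start(), desc))
    return sorted(findings)


# Constructed sample image (hand-assembled 16-bit code and strings, not a dump of a real file):
# the Haspinst.exe loop of Method 02, a Method 01 check, a Method 05 check, then MeltICE strings.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09" + b"\x8b\x17"          # mov ax,0911h / mov dx,[bx]
    + b"\xbe\x47\x46" + b"\xbf\x4d\x4a"      # mov si,4647h / mov di,4A4Dh
    + b"\xcc"                                # int 3
    + b"\x83\xc3\x02\x41"                    # add bx,2 / inc cx
    + b"\x83\xf9\x06\x72\xeb"                # cmp cx,6 / jb back
    + b"\x90" * 8
    + b"\x66\xbd\x4b\x48\x43\x42"            # mov ebp,4243484Bh ('BCHK')
    + b"\xb8\x04\x00\xcc"                    # mov ax,4 / int 3
    + b"\x3c\x04\x75\x10"                    # cmp al,4 / jnz detected
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41"                # mov ax,4Fh / int 41h
    + b"\x3d\x86\xf3\x74\x10"                # cmp ax,0F386h / jz detected
    + b"\\\\.\\SICE\x00"                     # driver name passed to CreateFileA
    + b"Software\\NuMega\\SoftICE\x00"       # registry key of Method 13
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:06x}  {desc}")
```

Each hit reports the file offset of the first anchor byte, so the analyst can set a breakpoint on that instruction instead of on the interrupt itself (the text notes that BPINT 68 cannot be set at all, and that the BPINT 30 and ORD_0001 breakpoints fire several times).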

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>