About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
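The signatures this text walks through can also be checked statically, without SoftICE loaded. The following Python scanner is an added example written for this page (not the original author's code): it looks for the 'BCHK' constant and the int 3 back door magic values (methods 01 and 02), the int 2Fh/41h/68h sequences and the 0F386h magic (methods 03 to 07 and 12), the \\.\SICE device names (method 11) and the registry paths (method 13) in a raw file image, so an analyst can flag a binary that carries these tricks. The instruction encodings are the 16-bit/32-bit forms of the instructions quoted above, and the sample images are constructed here.

```python
import re
import sys

# Byte patterns for the anti-SoftICE tricks described above. Instruction
# encodings are the x86 forms of the quoted instructions; strings are the
# device and registry names the text lists.
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') with an int 3 (CC) shortly after
    ("int3_bchk", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh, the int 3 back door magic values
    ("int3_backdoor_magic", re.compile(rb"\xBE\x47\x46|\xBF\x4D\x4A")),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("int2f_get_entry", re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h (also inside the 66h-prefixed 32-bit form)
    ("int41_4f", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Methods 05/07/12: cmp ax,0F386h, the system-debugger magic number
    ("cmp_f386", re.compile(rb"\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("int68_43", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    ("sice_device", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    ("vxdcall_int41", re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),
    # Method 13: the three registry paths (key names are case-insensitive)
    ("sice_registry", re.compile(
        rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
        rb"(Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.I)),
]

def scan(image):
    """Return [(signature name, offset)] for every hit, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES for m in pat.finditer(image)]
    return sorted(hits, key=lambda h: (h[1], h[0]))

def methods_used(image):
    """Distinct signature names found in the image, sorted."""
    return sorted({name for name, _ in scan(image)})

# Constructed sample: a 32-bit BCHK check (method 01), then a MeltICE-style
# string table (method 11) and a registry path (method 13).
SAMPLE_WIN32 = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 04243484Bh
    + b"\x66\xB8\x04\x00"          # mov ax, 04h
    + b"\xCC"                      # int 3
    + b"\x3C\x04\x75\x10"          # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)
# Constructed sample: the 16-bit Haspinst.exe loop body from method 02.
SAMPLE_DOS = b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"

if __name__ == "__main__":
    # Usage: python anti_sice_scan.py <file>; with no file, scan the samples.
    images = ([open(sys.argv[1], "rb").read()] if len(sys.argv) > 1
              else [SAMPLE_WIN32, SAMPLE_DOS])
    for img in images:
        for name, off in scan(img):
            print(f"{off:08x}  {name}")
```

A hit on a string or registry signature alone is weak evidence (legitimate tools look for SoftICE too); the instruction-sequence hits are the ones worth a closer look in the disassembler.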

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.