<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with 'BCHK' in
ebp and ax=4, the int 3 is serviced by SoftICE if it is loaded, and al no
longer holds 4 on return.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to reach
the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): if the VxD is present, ES:DI comes back non-zero.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps its own int 41h handler into
the interrupt vector table around the call, so that without a debugger the
interrupt returns immediately and ax is left unchanged:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es must point at segment 0 (the IVT), as in method 06
    xchg bx, es:[41h*4+2]     ; swap in our own handler (offset, then segment)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect.
A byte read from the timer port (40h) is passed in al through int 41h; the
installed handler copies it into cl, so the two only differ when something
else (SoftICE) is servicing int 41h:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                ; timer counter: a fresh, hard-to-predict byte
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or whether there are some memory breakpoints set
(dr0 to dr3), simply by reading their value (in ring0 only). The values can be
manipulated and/or changed as well (clearing BPMs, for instance).

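An added example (not part of the original text) showing what those DR7 values
mean when an analyst reads them: it splits the register into its L/G enable
bits, the LE/GE bits and the per-slot R/W and LEN fields, then applies the rule
of thumb above (0x700 = started with the SoftICE loader, 0x400 = baseline, any
enabled slot = a memory breakpoint armed). The bit layout is the documented x86
DR7 layout; the 0x700/0x400 interpretation is taken from the text above, and
the sample values are constructed for the demonstration.

```python
# Decode x86 DR7 (debug control register) values. Added example; the bit layout
# follows the Intel SDM, the 0x700/0x400 interpretation follows the text above.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in long mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enable bits and the condition of each armed slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1            # L0..L3: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1         # G0..G3: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 0b11       # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        length = (dr7 >> (18 + 4 * i)) & 0b11   # LENn: bits 18-19, 22-23, 26-27, 30-31
        if local or glob:
            slots.append({
                "slot": i,
                "scope": "global" if glob else "local",
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[length],
            })
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),     # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),     # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),    # general detect: traps any MOV to/from DRn
    }


def classify(dr7: int) -> str:
    """Rule of thumb from the text: armed slot -> memory breakpoint (BPM);
    LE+GE set (0x700) -> loaded through the SoftICE loader; else baseline (0x400)."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "memory breakpoint armed"
    if d["le"] and d["ge"]:
        return "softice loader"
    return "baseline"


def explain(dr7: int) -> str:
    """Human-readable summary, e.g. for a kernel-debugger script or a log line."""
    d = decode_dr7(dr7)
    parts = [f"dr7={dr7:#010x} -> {classify(dr7)}"]
    for s in d["slots"]:
        parts.append(f"  DR{s['slot']}: {s['scope']} {s['kind']} breakpoint, {s['length']} byte(s)")
    if d["gd"]:
        parts.append("  GD set: any access to the debug registers will fault")
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed values: the two from the text, plus one with a 4-byte
    # read/write breakpoint armed in slot 0 (what a BPM looks like in DR7).
    for value in (0x700, 0x400, 0x400 | 0x000F0001):
        print(explain(value))
```

Reading DR0-DR7 needs ring0, as the text says; the decoder itself only needs
the integer, so it runs anywhere you can log the register (a kernel debugger
script, a crash dump, a hypervisor trace).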
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow its
handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
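Every method above is, at rest, a short fixed byte sequence or a string, which
is what an analyst triaging a packed sample looks for before running it. The
following static scanner is an added example (not code from the original text):
it carries byte signatures for methods 01-07, 11, 12 and 13, hand-assembled from
the instructions quoted above (16-bit encodings for the DOS-era tricks, with
optional 66h prefixes so the same sequences in 32-bit code also match), and
reports each hit with its method number and file offset. The SAMPLE buffer is
constructed for the demonstration; the method 14 VMMCall has no stable byte
form and is deliberately left out.

```python
# Added example: static triage scanner for the SoftICE detection sequences
# described in methods 01-07, 11, 12 and 13. Byte patterns are assembled by hand
# from the quoted instructions; the sample buffer is constructed, not a real file.
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: int
    name: str
    pattern: bytes     # regular expression over raw bytes


SIGNATURES = (
    Signature(1, "BoundsChecker 'BCHK' int 3",
              # mov ebp,4243484Bh / mov ax,4 / int 3 (CCh or CDh 03h)
              rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    Signature(2, "int 3 back door magic SI=4647h / DI=4A4Dh",
              # mov si,4647h and mov di,4A4Dh within a few instructions of each other
              rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    Signature(3, "int 2Fh/1684h SICE VxD ID",
              rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),       # mov ax,1684h / mov bx,0202h / int 2Fh
    Signature(4, "int 2Fh/1684h SIWVID VxD ID",
              rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),       # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    Signature(5, "int 41h function 4Fh",
              rb"\xB8\x4F\x00\xCD\x41"),                   # mov ax,4Fh / int 41h
    Signature(7, "int 68h function 43h",
              rb"\xB4\x43\xCD\x68"),                       # mov ah,43h / int 68h
    Signature(11, "SoftICE device name",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),      # "\\.\SICE" etc. as an ANSI string
    Signature(12, "VxDCall VWIN32_Int41Dispatch",
              # push 4Fh (imm8 or imm32 form) / push 002A002Ah
              rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    Signature(13, "SoftICE registry key",
              rb"(?i)Software\\NuMega\\SoftICE"),
)


def scan(blob: bytes) -> list:
    """Return (method, offset) pairs for every signature hit, ordered by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, blob, re.DOTALL):
            hits.append((sig.method, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def report(blob: bytes) -> list:
    """One printable line per hit: offset, method number, description."""
    names = {s.method: s.name for s in SIGNATURES}
    return [f"{off:#010x}  method {m:02d}  {names[m]}" for m, off in scan(blob)]


# Constructed sample: NOP padding, then method 01 (32-bit encoding), a device
# name string, method 05, method 12 and the registry key, back to back.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01 + cmp al,4 / jnz
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                               # method 11
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                              # method 05 + cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                  # method 12
    + b"Software\\NuMega\\SoftICE\x00"                                 # method 13
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data):
        print(line)
```

Run it with a file path to scan a real sample, or without arguments to scan the
constructed buffer. Four- and five-byte patterns such as methods 05 and 07 will
occasionally match by chance in large binaries, so treat a lone hit as a lead to
confirm in a disassembler rather than as a verdict; the string and registry
signatures (11, 13) are far less noisy.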
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>