<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognizes:
when SoftICE is loaded, AL is no longer 4 after the int 3.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").


        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> no entry point, VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

This method and the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC               ; temporary int 41h handler
        mov cl,al               ; copies AL into CL only if it is actually reached
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer port
        xor cx,cx               ; CL = 0 before the call
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; our handler ran -> CL == AL
        jnz SoftICE_detected    ; SoftICE swallowed the int -> CL still 0

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler on int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
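The checks of Methods 01 to 07 all compile to a handful of fixed byte sequences (the magic constants, the interrupt numbers and the 0F386h comparison), so an analyst can flag them statically in a packed executable before running it. The following Python is an added example, not part of the original text or of any tool named in it: it matches those 16-bit encodings in a raw code buffer and decodes the back-door function number of Method 02. The buffers it scans are hand-assembled for the example.

```python
"""Static scanner for the 16-bit SoftICE checks of Methods 01-07.

Added example, not code from the original text or from any of the tools it
names. It matches the x86 machine-code encodings of the snippets above in a
raw code buffer, the way an analyst triages a packer for anti-debug checks,
and decodes the int 3 'back door' function number (Method 02).
Every sample buffer here is constructed by hand for the example.
"""
import re

# Method 02 back-door functions, AX values from the text
BACKDOOR_FUNCTIONS = {
    0x0910: "display string",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
MOV_SI_MAGIC = b"\xbe\x47\x46"   # mov si,4647h
MOV_DI_MAGIC = b"\xbf\x4d\x4a"   # mov di,4A4Dh

# (method number, description, regex over raw bytes); 16-bit encodings,
# a short gap is allowed between the instructions of one check
SIGNATURES = [
    (1, "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    (3, "mov bx,0202h (SICE VxD ID) ... int 2Fh",
     re.compile(rb"\xbb\x02\x02.{0,8}?\xcd\x2f", re.DOTALL)),
    (4, "mov bx,7A5Fh (SIWVID VxD ID) ... int 2Fh",
     re.compile(rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f", re.DOTALL)),
    (5, "mov ax,4Fh ... int 41h ... cmp ax,0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    (7, "mov ah,43h ; int 68h ... cmp ax,0F386h",
     re.compile(rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL)),
]


def find_backdoor_calls(buf, window=16):
    """Return (offset of int 3, AX function or None, name) for every int 3
    that is preceded, within `window` bytes, by both SoftICE magic values."""
    hits = []
    for m in re.finditer(rb"\xcc", buf):
        pre = buf[max(0, m.start() - window):m.start()]
        if MOV_SI_MAGIC not in pre or MOV_DI_MAGIC not in pre:
            continue
        func = None
        ax = re.search(rb"\xb8(.)\x09", pre, re.DOTALL)   # mov ax,09xxh
        if ax:
            func = 0x0900 | ax.group(1)[0]
        hits.append((m.start(), func, BACKDOOR_FUNCTIONS.get(func, "unknown")))
    return hits


def scan(buf):
    """Return a sorted list of (offset, method number, description)."""
    found = [(m.start(), method, desc)
             for method, desc, pat in SIGNATURES
             for m in pat.finditer(buf)]
    for off, func, name in find_backdoor_calls(buf):
        ax = f"{func:04X}h" if func is not None else "?"
        found.append((off, 2, f"int 3 back door, AX={ax} ({name})"))
    return sorted(found)


# Constructed sample: the Haspinst.exe loop from Method 02, followed by the
# Method 05 and Method 03 checks, hand-assembled into 16-bit machine code.
SAMPLE = bytes.fromhex(
    "b81109"    # mov ax,0911h       ; execute SoftICE command
    "8b17"      # mov dx,[bx]
    "be4746"    # mov si,4647h       ; 1st magic value
    "bf4d4a"    # mov di,4A4Dh       ; 2nd magic value
    "cc"        # int 3
    "83c302"    # add bx,2
    "41"        # inc cx
    "83f906"    # cmp cx,6
    "72eb"      # jb back
    "b84f00"    # mov ax,4Fh         ; Method 05
    "cd41"      # int 41h
    "3d86f3"    # cmp ax,0F386h
    "7402"      # jz SoftICE_detected
    "b88416"    # mov ax,1684h       ; Method 03
    "bb0202"    # mov bx,0202h
    "cd2f"      # int 2Fh
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"+{off:04X}  Method {method:02d}  {desc}")
```

The gap allowances (`.{0,8}?`, `.{0,16}?`) absorb the register shuffling that packers put between the instructions; widen them if a sample interleaves junk, and remember that a constant on its own (a stray `0F386h`) is only a lead, not proof, until the surrounding interrupt call is confirmed.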
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened while the SICE driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>