About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 to address the IVT (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody intercepts int 41h first
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a changing value (timer)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler did not run -> debugger present
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
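All of the tricks above leave recognisable byte patterns in a binary, which is what an analyst triaging a packed sample wants to find before single-stepping into it. The following static scanner is an added example, not code from the original post: the instruction encodings are those of the 16-bit listings above (with an optional 66h prefix so the same instructions assembled in 32-bit code also match), the gap lengths between pattern halves and the sample image are my own constructions, and `Hit`, `scan` and `methods_found` are names invented here.

```python
import re
from dataclasses import dataclass

# Byte signatures for the anti-SoftICE tricks listed above (constructed here).
# Immediates are encoded as in the 16-bit listings; an optional 0x66 prefix
# also matches the same instruction assembled with a 32-bit operand size.
# .{0,N}? allows a few unrelated bytes between the two halves of a pattern.
SIGNATURES = [
    ("01", "BoundsChecker magic 'BCHK': mov ebp,4243484Bh",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "back-door magic SI=4647h / DI=4A4Dh before int 3",
     rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "int 41h followed by cmp ax,0F386h",
     rb"\xCD\x41.{0,16}?\x66?\x3D\x86\xF3"),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("11", "MeltICE driver device name (\\\\.\\SICE etc.)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 002A002Ah",
     rb"\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key lookup",
     rb"Software\\NuMega\\SoftICE"),
]


@dataclass(frozen=True)
class Hit:
    method: str       # method number as used in the post
    offset: int       # byte offset of the match in the scanned image
    description: str


def scan(data: bytes) -> list[Hit]:
    """Return every signature match in data, ordered by offset."""
    hits = [Hit(method, m.start(), desc)
            for method, desc, pattern in SIGNATURES
            for m in re.finditer(pattern, data, re.DOTALL)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> set[str]:
    """Set of method numbers whose signature occurs at least once."""
    return {h.method for h in scan(data)}


# Constructed sample image: a fake header followed by hand-assembled
# fragments of methods 01, 02, 03, 05, 11 and 13 from the post.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # method 02
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"           # method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # method 11
    + b"Software\\NuMega\\SoftICE\x00"                       # method 13
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit.offset:#06x}  method {hit.method}  {hit.description}")
```

A hit only says the code is present, not that it is reached; confirming that still needs the breakpoints the post lists for each method.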