<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


 4C19:0095 MOV AX,0911   ; execute command.
 4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647   ; 1st magic value.
 4C19:009D MOV DI,4A4D   ; 2nd magic value.
 4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
 4C19:00A8 JB 0095       ; 6 different commands.
 4C19:00AA JMP 0002      ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h    ; VxD ID of winice
 int 2Fh
 mov ax, es       ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh    ; VxD ID of SIWVID
 int 2fh
 mov ax, es       ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax               ; ES must point to the IVT (segment 0)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; install our own int 41h handler,
 xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h              ; al = some (almost always non-zero) timer value
 xor cx,cx
 int 41h                 ; if the debugger swallows int 41h, cl stays 0
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
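To see what the two dr7 values quoted above mean, here is a decoder of the DR7 bit fields, added as an example and not part of the original text; the function names and the hint strings are my own, the bit layout is the documented x86 one.

```python
"""Decoder for the x86 DR7 debug control register (added example).
Per breakpoint i (0..3): bit 2*i = Li (local enable), bit 2*i+1 = Gi (global
enable), bits 16+4*i..17+4*i = R/Wi, bits 18+4*i..19+4*i = LENi.
Bit 8 = LE, bit 9 = GE (exact-match flags), bit 10 always reads as 1,
bit 13 = GD (general detect: trap any mov to/from DR0-DR7)."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the LE/GE/GD flags and a list of the armed breakpoints."""
    info = {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "breakpoints": []}
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info["breakpoints"].append({"index": i, "local": local, "global": glob,
                                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return info


def softice_loader_hint(dr7):
    """Classify a DR7 value the way Method 10 reads it.

    The text reports 0x700 when the program was started by the SoftICE
    loader (LE and GE set on top of the always-set bit 10) and 0x400 when
    it was not; any L/G bit set means memory breakpoints (BPMs) are armed.
    """
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "debugger exact-match flags set (SoftICE loader)"
    return "no debug activity visible"


if __name__ == "__main__":
    # 0x000D0003 is a constructed value: DR0 armed locally and globally,
    # type write, length 4 bytes.
    for value in (0x400, 0x700, 0x000D0003):
        print(hex(value), softice_loader_hint(value), decode_dr7(value))
```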

__________________________________________________________________________
Method 11
=========
This method is mostly known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver answers the open request. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
   CloseHandle(hFile);      /* the device opened: SoftICE is loaded */
   return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025    ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                   ; OF_READ
 mov eax,[00656634]        ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax,[00656638]        ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
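The breakpoints above catch these tricks at run time; for a static triage of a binary, here is a signature scanner for the instruction sequences and strings quoted in Methods 01-05, 07, 11, 12 and 13, added as an example and not part of the original text. The opcode encodings and the sample image are hand-assembled from the listings, and the signature names are my own.

```python
"""Static scanner for the anti-SoftICE byte patterns quoted in Methods
01-05, 07, 11, 12 and 13 (added example, not part of the original text).
Immediates are little-endian, so 'BCHK' (4243484Bh) sits in the file as
the bytes 4B 48 43 42."""
import re

# Regexes over raw bytes. ".{0,n}?" tolerates an operand-size prefix (66h)
# or a stray instruction between the landmark opcodes.
SIGNATURES = {
    "M01 'BCHK' in ebp + int 3": rb"\x4b\x48\x43\x42.{0,8}?\xcc",
    "M02 SI=4647h DI=4A4Dh backdoor + int 3":
        rb"\xbe\x47\x46.{0,6}?\xbf\x4d\x4a.{0,8}?\xcc",
    "M03/04 int 2Fh/1684h for SICE or SIWVID":
        rb"\xb8\x84\x16.{0,6}?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f",
    "M05 int 41h/4Fh then cmp ax,0F386h":
        rb"\xb8\x4f\x00\xcd\x41.{0,8}?\x3d\x86\xf3",
    "M07 mov ah,43h + int 68h": rb"\xb4\x43\xcd\x68",
    "M12 push 4Fh + push 002A002Ah (VxDCall)": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    "M11 SoftICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(image):
    """Return a sorted list of (offset, signature name) hits in a byte image."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(image))
    return sorted(hits)


# Constructed sample image: 32-bit encodings of the Method 01 and Method 05
# sequences between NOP filler, then the MeltICE device name and the NuMega key.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp, 04243484Bh
    + b"\x66\xb8\x04\x00\xcc"            # mov ax, 04h ; int 3
    + b"\x3c\x04\x75\x10"                # cmp al, 4 ; jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\x66\xb8\x4f\x00\xcd\x41"        # mov ax, 4Fh ; int 41h
    + b"\x66\x3d\x86\xf3\x74\x05"        # cmp ax, 0F386h ; jz SoftICE_detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                 # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"   # Method 13 registry key #2
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```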
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>