About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: BoundsChecker
identifies itself to SoftICE through int 3 with EBP='BCHK' and AX=04h,
and SoftICE answers by changing AL.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; with SoftICE loaded, AL is changed
    cmp     al, 4                  ; AL still 4 -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first, so it stays 0 unless
a VxD with that ID answers.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so that the call comes back with AX unchanged (4Fh) unless a debugger
intercepts int 41h; the original vector is restored afterwards:

    xor     ax,ax
    mov     es,ax               ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to spot (neither
the function number 4Fh nor the magic value 0F386h appears in the code):


int41handler PROC
    mov     cl,al           ; copy AL into CL if our handler is reached
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read PIT counter 0: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL==AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only). 0x400 is what an idle DR7 reads as, since bit 10 is
reserved and always set; 0x700 additionally has the LE and GE bits (8 and 9)
set. The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 "\\.\" prefix, so the dword compared is the 4-char driver name):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

) X% m% `  u+ J* O/ A1 B5 `Method 12  @. O3 B6 F3 z$ W0 P5 R8 p4 i  F
=========, \- X7 j$ l' O: \

! k. D3 ?# u/ W" vThis trick is similar to int41h/4fh Debugger installation check (code 057 I: e$ a: }' D% r
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
) o  C) A6 x" m! las it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 A8 n6 Z% M- {7 L1 T! E

6 Y% s# e1 u1 o# G( K- n2 K3 p% P/ F   push  0000004fh         ; function 4fh
) o( z* ~4 C" p, }( i" r/ f   push  002a002ah         ; high word specifies which VxD (VWIN32)# Y& C* ?( e, f  o
                           ; low word specifies which service
- \% E0 v8 J5 F, ^0 |1 F+ S: i/ j* W7 N                             (VWIN32_Int41Dispatch)( \( s% C0 G2 x/ H; d& P% c
   call  Kernel32!ORD_001  ; VxdCall1 S0 U$ h, ^! \& r. A( n
   cmp   ax, 0f386h        ; magic number returned by system debuggers
; t' w6 L8 r0 ?! s; {- L5 Q   jz    SoftICE_detected
0 y5 Y$ P* M+ m9 S" h3 j
- W' ?" j$ A& E: f$ ^$ Z% HHere again, several ways to detect it:1 C! r( |  [0 P$ }+ o1 `  S
1 T+ a3 M  ~6 g" Y
    BPINT 41 if ax==4f
5 j6 g/ i  u% V* ?2 m3 J9 G/ s* A1 }: q1 M  y6 n( }/ ]+ N
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
1 u+ L$ L" k5 k! @
2 ~1 ?; j9 K  X    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
( f; z# ~" Q9 d
& m8 z: k$ X+ x4 T8 `% p1 o    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!! m6 Z$ E" S- k: {( @
" q# Z) G1 `" t" B/ h, \) ?6 U' v
__________________________________________________________________________
2 O0 i# }9 J3 s% N. Y( u5 Q  V4 C. G1 E( i+ b0 X- `4 A
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and 0x37
are the offsets of "tICE" inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

% Q4 c6 L$ F) F& C2 \& q7 ?- BThis service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>