<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h       ; VxD ID of winice
        int 2Fh
        mov ax, es          ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh       ; VxD ID of SIWVID
        int 2fh
        mov ax, es          ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                   ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32);
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected
Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
* H# Y: i+ f+ P
Method 13
" f) x, }& I: U+ ~0 e=========" D) W& R0 |6 e Z1 O
i! ^7 b4 C m5 C7 H9 |2 u
Not a real method of detection, but a good way to know if SoftICE is/ K1 v, G; P5 o7 p. i: ]3 e$ H
installed on a computer and to locate its installation directory.2 c! Q0 c6 D! |* q
It is used by few softs which access the following registry keys (usually #2) :
3 K! `5 V/ x# q: h$ Q5 U3 z7 g
# |$ Q+ S, [: p$ i% L# V-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 ?( H9 f8 n* \! w! b- }\Uninstall\SoftICE
% x* H: E; k; A: r' |/ O Q; f-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# E0 U- t/ H& W-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 N5 U- \. T1 F" A- W+ o2 i. x( A
\App Paths\Loader32.Exe
4 l& L O' F, P* K, r! _+ e: t; q
4 M* s8 V; `8 N" m. e( TNote that some nasty apps could then erase all files from SoftICE directory5 ]* J t/ u! h; a( M9 K1 T' D
(I faced that once :-(
5 y. c- z5 [% C4 v0 b/ E' l8 O0 ?, v5 c+ \( o5 Q
Useful breakpoint to detect it:. {6 ^- [5 `$ g1 U- `
. P* F j6 c( ?8 D8 g5 K4 N7 h; x& O
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
% K( Z8 D! n2 _$ X; k3 M! S& U. e. r9 t2 t2 r9 K" u* P3 M* @
__________________________________________________________________________
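As an added example (not part of the original text), here is a static scanner that looks for the byte encodings of the instruction sequences and strings that methods 01 to 13 above rely on, so an analyst can flag a sample that carries these checks before running it under a debugger. The encodings are assumed to be 16-bit code for the DOS-era tricks and 32-bit code for the Win32 ones, and the sample blob is constructed, not taken from a real binary.

```python
import re
from typing import NamedTuple


class Hit(NamedTuple):
    method: str   # method number as used in the text above
    offset: int   # byte offset of the match in the scanned blob
    detail: str


# Assumed encodings: 16-bit code for the DOS-era tricks (a 66h prefix in
# 32-bit code still matches, the patterns are suffixes), 32-bit for 11/12.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
     "BoundsChecker 'BCHK' signature before int 3"),
    # 02: mov si,4647h / mov di,4A4Dh (either order), the back-door magic values
    ("02", re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46"),
     "int 3 back-door magic values SI=4647h DI=4A4Dh"),
    # 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    ("03/04", re.compile(rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"),
     "int 2Fh/1684h get-entry-point for VxD id"),
    # 05: mov ax,4Fh / int 41h
    ("05", re.compile(rb"\xB8\x4F\x00\xCD\x41"), "int 41h function 4Fh"),
    # 07: mov ah,43h / int 68h
    ("07", re.compile(rb"\xB4\x43\xCD\x68"), "int 68h function 43h"),
    # 11: device names opened with CreateFileA / _lopen
    ("11", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"), "SoftICE driver device name"),
    # 12: push 4Fh / push 2A002Ah ahead of VxDCall (VWIN32_Int41Dispatch)
    ("12", re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
     "VxDCall VWIN32_Int41Dispatch with function 4Fh"),
    # 13: registry paths walked to find the install directory
    ("13", re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
     "SoftICE registry key name"),
]


def scan(data: bytes) -> list:
    """Return every signature hit in data, ordered by offset."""
    hits = []
    for method, pattern, detail in SIGNATURES:
        for m in pattern.finditer(data):
            extra = ""
            if method == "03/04":
                extra = " 0202h (SICE)" if m.group(1) == b"\x02\x02" else " 7A5Fh (SIWVID)"
            elif method == "11":
                extra = " " + m.group(1).decode()
            hits.append(Hit(method, m.start(), detail + extra))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample blob (not a real binary) carrying several of the idioms.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # 01, 32-bit encoding
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                  # 04: int 2Fh, bx=7A5Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 05, then cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # 11: device names
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # 12: VxDCall arguments
)
```

Running scan(SAMPLE) reports six hits (methods 01, 04, 05, 11 twice, 12) with their offsets; a plain-code match on these opcodes is only a lead, so confirm each hit in a disassembler before treating it as an anti-debugging check.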


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>