<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: with EBP holding
'BCHK' and AX=4, an INT 3 that SoftICE intercepts comes back with AL
no longer equal to 4.

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not
  loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI is set to its
API entry point; otherwise both stay zero.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first installs a dummy
int 41h handler of its own (ES must point to the interrupt vector table,
segment 0), so that without a debugger the call returns with ax
unchanged:

 xor ax,ax
 mov es,ax             ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
because it does not use function 4Fh: the program's own handler copies
AL into CL, so CL == AL afterwards unless a debugger took the int 41h
for itself instead:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h            ; unpredictable value (timer counter) in AL
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
6 g# ~$ Q C7 F4 T6 G__________________________________________________________________________


Method 08
=========

Not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number    ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0
only), you can detect if SoftICE is loaded (dr7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or if some memory
breakpoints are set (dr0 to dr3). Values can be manipulated or changed as
well (clearing BPMs for instance).

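What follows is an added example and not code from the original text: a decoder for the DR7 value that the ring 0 read described above returns, using the documented Intel layout of the register. It accounts for the two values quoted: 0x400 is only reserved bit 10, which always reads as 1, and 0x700 additionally has the LE and GE bits (8 and 9) set, which is the state the SoftICE loader leaves behind. It also shows the manipulation the text mentions, arming one BPM and clearing all of them. The privileged mov from dr7 itself is assumed to have been done elsewhere; only the bit arithmetic is shown here, and the sample values are the page's own plus one constructed breakpoint.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (layout per the Intel SDM, debug registers chapter). */
typedef struct {
    int enabled[4];   /* DRn armed: local (bit 2n) or global (bit 2n+1) enable set */
    int rw[4];        /* bits 16+4n..17+4n: 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];       /* bits 18+4n..19+4n decoded to bytes: 1, 2, 8 or 4 */
    int le, ge;       /* bits 8/9: local/global exact breakpoint match */
    int gd;           /* bit 13: general detect, faults on any access to DR0-DR7 */
} dr7_info_t;

dr7_info_t decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };   /* LEN code 10b = 8 bytes (64-bit mode only) */
    dr7_info_t info;
    for (int n = 0; n < 4; n++) {
        info.enabled[n] = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
        info.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        info.len[n]     = len_bytes[(dr7 >> (18 + 4 * n)) & 3u];
    }
    info.le = (int)((dr7 >> 8) & 1u);
    info.ge = (int)((dr7 >> 9) & 1u);
    info.gd = (int)((dr7 >> 13) & 1u);
    return info;
}

/* How many hardware breakpoints (SoftICE's BPMs) are armed. */
int dr7_active_bpm_count(uint32_t dr7)
{
    dr7_info_t i = decode_dr7(dr7);
    return i.enabled[0] + i.enabled[1] + i.enabled[2] + i.enabled[3];
}

/* The page's two reference values: 0x400 is nothing but reserved bit 10, which
   always reads as 1; 0x700 adds LE and GE, the state the SoftICE loader leaves
   behind. Any enable bit or GD means the debug registers are in active use. */
int dr7_looks_like_debugger(uint32_t dr7)
{
    dr7_info_t i = decode_dr7(dr7);
    return (i.le || i.ge || i.gd || dr7_active_bpm_count(dr7) > 0) ? 1 : 0;
}

/* Arm DRn: condition rw (0..3), length 1/2/4/8 bytes, local or global enable.
   Only DR7 is computed here; the linear address itself lives in DRn. */
uint32_t dr7_arm_bpm(uint32_t dr7, int n, int rw, int len_bytes, int global)
{
    uint32_t len_code = len_bytes == 1 ? 0u : len_bytes == 2 ? 1u : len_bytes == 8 ? 2u : 3u;
    dr7 &= ~(0xFu << (16 + 4 * n));                                   /* clear old RW/LEN field */
    dr7 |= (((uint32_t)rw & 3u) | (len_code << 2)) << (16 + 4 * n);
    dr7 |= 1u << (2 * n + (global ? 1 : 0));                          /* Ln or Gn */
    return dr7;
}

/* Disarm every BPM the way a protector would: clear the enable bits (0-7) and
   the RW/LEN fields (16-31); leave LE/GE/GD and the reserved bits alone. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~(0xFFFF0000u | 0x000000FFu);
}

int main(void)
{
    /* sample values: the page's two, plus one with a 4-byte read/write BPM on DR0 */
    uint32_t samples[3] = { 0x400u, 0x700u, 0u };
    samples[2] = dr7_arm_bpm(0x700u, 0, 3, 4, 0);
    for (int k = 0; k < 3; k++) {
        dr7_info_t i = decode_dr7(samples[k]);
        printf("DR7=%08x LE=%d GE=%d GD=%d BPMs=%d -> %s\n", (unsigned)samples[k],
               i.le, i.ge, i.gd, dr7_active_bpm_count(samples[k]),
               dr7_looks_like_debugger(samples[k]) ? "debugger activity" : "clean");
    }
    return 0;
}
```

Reading DR7 from ring 3 raises a general protection fault, which is why the text insists on ring 0; a VxD or a ring 0 thunk has to do the mov and hand the value to this decoder. Note also that LE/GE only tell you how the loader left the register: a protector that clears those bits after checking them will leave 0x400 behind, so the enable bits and GD are the signals worth alarming on.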
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the driver by its device name; succeeds only if SICE is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025    ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

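The following is an added example, not code from the original text or from any of the programs it names: a small static scanner in C for the instruction sequences that Methods 01 to 07 and Method 12 depend on, so a packer or protector can be triaged on disk instead of by tracing it. The byte patterns are the standard x86 encodings of the instructions shown in those methods (for instance mov si,4647h is BE 47 46 and mov di,4A4Dh is BF 4D 4A). The sample image is constructed here for the demonstration and is not taken from a real binary; it reuses the Haspinst.exe loop from Method 02 and the checks from Methods 03 and 05.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One signature: a short x86 byte pattern in hex; "??" matches any byte. */
typedef struct { const char *method; const char *pattern; } sig_t;

/* Standard x86 encodings of the instructions listed in Methods 01-07 and 12. */
static const sig_t sigs[] = {
    { "01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)",               "BD 4B 48 43 42" },
    { "02 back door magic (mov si,4647h ; mov di,4A4Dh ; int 3)",   "BE 47 46 BF 4D 4A CC" },
    { "02 back door magic (mov di,4A4Dh ; mov si,4647h ; int 3)",   "BF 4D 4A BE 47 46 CC" },
    { "03 int 2Fh/1684h with VxD ID 0202h (SICE)",                  "B8 84 16 BB 02 02 CD 2F" },
    { "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",                "B8 84 16 BB 5F 7A CD 2F" },
    { "05 int 41h/4Fh (mov ax,4Fh ; int 41h)",                      "B8 4F 00 CD 41" },
    { "07 int 68h/43h (mov ah,43h ; int 68h)",                      "B4 43 CD 68" },
    { "12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",           "68 2A 00 2A 00" },
    { "magic reply compare (cmp ax,0F386h); weak on its own",       "3D 86 F3" },
};
#define NSIGS    (sizeof sigs / sizeof sigs[0])
#define MAX_SIG  16
#define MAX_HITS 32

typedef struct { size_t offset; const char *method; } hit_t;

/* Turn "B8 4F ??" into bytes plus a mask (0 = wildcard). Returns length or -1. */
static int parse_sig(const char *text, unsigned char *bytes, unsigned char *mask)
{
    int n = 0;
    while (n < MAX_SIG) {
        while (*text == ' ') text++;
        if (*text == '\0') break;
        if (text[0] == '?' && text[1] == '?') {
            bytes[n] = 0; mask[n] = 0;
        } else if (isxdigit((unsigned char)text[0]) && isxdigit((unsigned char)text[1])) {
            unsigned v = 0;
            (void)sscanf(text, "%2x", &v);
            bytes[n] = (unsigned char)v; mask[n] = 1;
        } else {
            return -1;
        }
        n++; text += 2;
    }
    return n;
}

/* Scan img for every signature; store up to max_hits hits sorted by offset;
   return the total number of matches (may exceed max_hits). */
size_t scan_image(const unsigned char *img, size_t len, hit_t *hits, size_t max_hits)
{
    size_t nhits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        unsigned char b[MAX_SIG], m[MAX_SIG];
        int n = parse_sig(sigs[s].pattern, b, m);
        if (n <= 0) continue;
        for (size_t i = 0; i + (size_t)n <= len; i++) {
            int j = 0;
            while (j < n && (!m[j] || img[i + j] == b[j])) j++;
            if (j < n) continue;
            if (nhits < max_hits) { hits[nhits].offset = i; hits[nhits].method = sigs[s].method; }
            nhits++;
        }
    }
    size_t kept = nhits < max_hits ? nhits : max_hits;
    for (size_t a = 1; a < kept; a++)          /* insertion sort: report in file order */
        for (size_t b = a; b > 0 && hits[b - 1].offset > hits[b].offset; b--) {
            hit_t t = hits[b]; hits[b] = hits[b - 1]; hits[b - 1] = t;
        }
    return nhits;
}

/* Constructed sample image (not a real binary): 4 bytes of filler, then the
   Haspinst.exe back door loop of Method 02, a Method 05 check and a Method 03 check. */
static const unsigned char sample_image[] = {
    0x90, 0x90, 0x90, 0x90,
    /* mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3 ; add bx,2 */
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, 0x83, 0xC3, 0x02,
    /* mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz short +10h */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x10,
    /* xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh */
    0x33, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,
};

/* Results of scanning the sample, exposed as plain values. */
size_t sample_hit_count(void)
{
    hit_t h[MAX_HITS];
    return scan_image(sample_image, sizeof sample_image, h, MAX_HITS);
}
long sample_hit_offset(size_t idx)               /* -1 when idx is out of range */
{
    hit_t h[MAX_HITS];
    size_t n = scan_image(sample_image, sizeof sample_image, h, MAX_HITS);
    return (idx < n && idx < MAX_HITS) ? (long)h[idx].offset : -1;
}
const char *sample_hit_method(size_t idx)        /* "" when idx is out of range */
{
    hit_t h[MAX_HITS];
    size_t n = scan_image(sample_image, sizeof sample_image, h, MAX_HITS);
    return (idx < n && idx < MAX_HITS) ? h[idx].method : "";
}

int main(void)
{
    hit_t h[MAX_HITS];
    size_t n = scan_image(sample_image, sizeof sample_image, h, MAX_HITS);
    for (size_t i = 0; i < n && i < MAX_HITS; i++)
        printf("%04lx  Method %s\n", (unsigned long)h[i].offset, h[i].method);
    return 0;
}
```

Signatures this short will occasionally match unrelated code or data, the lone cmp ax,0F386h in particular, so treat a hit as a place to put a breakpoint rather than as proof. A protector that builds the magic values at run time (xor si,si / add si,4647h, or materialising them through the stack) will not be found this way; for those, the BPINT and BPX conditions given on this page remain the reliable route.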
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where
"tICE" sits inside the key #2 and key #1 strings):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>