<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: INT 3 is
issued with EBP holding the 'BCHK' signature and AX=4. SoftICE recognises
the call and answers it, so AL no longer holds 4 afterwards; without SoftICE
nothing touches AL.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected    ; AL changed => SoftICE answered

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It drives the
SoftICE 'Back Door commands': an INT 3 with magic values in SI and DI, which
returns information on breakpoints, executes SoftICE commands, and so on...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands, each pointed to by ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine
from inside SoftICE).

* The "jmp to 00ADh" is performed by the program's own INT 3 handler (the
  DOS-era equivalent of an SEH) when the debugger is not loaded: with SoftICE
  absent nothing answers the backdoor call, control lands in that handler and
  it skips the loop.

___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD by its VxD ID through the
int 2Fh/1684h call (Get VxD API entry point). If the VxD is loaded, the call
returns its API entry point in ES:DI; if it is not, ES:DI comes back as 0:0
(the code zeroes ES:DI beforehand so that a missing handler gives the same
result).

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0:0 => VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (the Windows debugger
installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is swapped
for a do-nothing handler around the call, so a hook planted in the IVT never
sees the call and, without a debugger, the IRET returns with AX unchanged
(4Fh). Only a debugger that intercepts the interrupt below the IVT (SoftICE,
from ring 0) still answers with 0F386h:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector ...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ... and restore the original one
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
the replacement handler copies AL into CL, and AL is loaded from timer port
40h, a value a debugger cannot predict. If the program's own handler runs,
CL equals AL afterwards; if a debugger swallowed the int 41h call, CL stays
0 and the comparison fails.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector ...
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = low byte of timer 0 counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; ... and restore the original one
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
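The instruction sequences of Methods 01 through 07 are exactly what a packer identifier or an anti-anti-debug scanner looks for statically. The following is an added example, not code from the original article nor from any of the tools or programs it names: a small C scanner for those sequences. The byte patterns are the 16-bit x86 encodings of the instructions shown above, the lookback that recovers the backdoor function number from a preceding "mov ax,09xxh" is a heuristic of my own, and the sample buffer is constructed for the demo rather than taken from a real binary.

```c
/* Added example, not part of the original document: a small signature scanner
 * for the anti-SoftICE sequences of Methods 01-07, the kind of check a packer
 * identifier runs over a code section. Patterns are the standard 16-bit x86
 * encodings of the instructions listed above; the sample buffer is
 * constructed for this demo, not taken from a real binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig {
    const char    *name;
    const uint8_t *pat;
    size_t         len;
    int            imm_off;  /* offset of a 16-bit immediate (wildcard) or -1 */
    int            backdoor; /* 1: look back for "mov ax,09xxh" (function no.) */
};
struct hit { const char *name; size_t offset; uint16_t imm; };

static const uint8_t P_BCHK[] = {0xBD,0x4B,0x48,0x43,0x42};               /* mov ebp,'BCHK' (66h prefix precedes in 16-bit code) */
static const uint8_t P_BACK[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};     /* mov si,4647h; mov di,4A4Dh; int 3 */
static const uint8_t P_2F[]   = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};/* mov ax,1684h; mov bx,<VxD ID>; int 2Fh */
static const uint8_t P_41[]   = {0xB8,0x4F,0x00,0xCD,0x41};               /* mov ax,4Fh; int 41h */
static const uint8_t P_68[]   = {0xB4,0x43,0xCD,0x68};                    /* mov ah,43h; int 68h */

static const struct sig SIGS[] = {
    {"Method 01: BoundsChecker 'BCHK' probe",            P_BCHK, sizeof P_BCHK, -1, 0},
    {"Method 02: SoftICE backdoor (SI=4647h, DI=4A4Dh)", P_BACK, sizeof P_BACK, -1, 1},
    {"Method 03/04: int 2Fh/1684h VxD entry query",      P_2F,   sizeof P_2F,    4, 0},
    {"Method 05: int 41h/4Fh debugger check",            P_41,   sizeof P_41,   -1, 0},
    {"Method 07: int 68h/43h V86 handler check",         P_68,   sizeof P_68,   -1, 0},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* VxD IDs named on the page: 0202h = SICE, 7A5Fh = SIWVID */
const char *vxd_name(uint16_t id)
{
    return id == 0x0202 ? "SICE" : id == 0x7A5F ? "SIWVID" : "unknown";
}

static int match_at(const uint8_t *buf, size_t n, size_t pos, const struct sig *s)
{
    if (pos + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++) {
        if (s->imm_off >= 0 && (i == (size_t)s->imm_off || i == (size_t)s->imm_off + 1))
            continue;                               /* immediate bytes are wildcards */
        if (buf[pos + i] != s->pat[i]) return 0;
    }
    return 1;
}

/* Heuristic (mine, not from the page): the backdoor function is loaded with
 * "mov ax,09xxh" (B8 xx 09) somewhere in the 16 bytes before the magic values. */
static uint16_t backdoor_function(const uint8_t *buf, size_t pos)
{
    size_t start = pos > 16 ? pos - 16 : 0;
    for (size_t i = pos; i-- > start; )
        if (buf[i] == 0xB8 && i + 3 <= pos && buf[i + 2] == 0x09)
            return (uint16_t)(0x0900 | buf[i + 1]);
    return 0;
}

/* Scans buf, fills out[] (at most max entries) and returns the hit count. */
size_t scan(const uint8_t *buf, size_t n, struct hit *out, size_t max)
{
    size_t count = 0;
    for (size_t pos = 0; pos < n && count < max; pos++) {
        for (size_t k = 0; k < NSIGS; k++) {
            const struct sig *s = &SIGS[k];
            if (!match_at(buf, n, pos, s)) continue;
            out[count].name   = s->name;
            out[count].offset = pos;
            out[count].imm    = 0;
            if (s->imm_off >= 0)            /* little-endian 16-bit immediate */
                out[count].imm = (uint16_t)(buf[pos + s->imm_off] | buf[pos + s->imm_off + 1] << 8);
            else if (s->backdoor)
                out[count].imm = backdoor_function(buf, pos);
            count++;
            pos += s->len - 1;              /* resume after the match */
            break;
        }
    }
    return count;
}

/* Constructed sample: a Haspinst-style backdoor loop (mov ax,0911h / mov dx,[bx]
 * / mov si,4647h / mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6), then
 * a SIWVID int 2Fh query and an int 41h/4Fh probe, padded with NOPs. */
static const uint8_t SAMPLE[] = {
    0x90,0x90, 0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x90,0x90,
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F, 0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x90,
};

int main(void)
{
    struct hit h[8];
    size_t n = scan(SAMPLE, sizeof SAMPLE, h, 8);
    for (size_t i = 0; i < n; i++)
        printf("+%03zx  %s  imm=%04X %s\n", h[i].offset, h[i].name, h[i].imm,
               strstr(h[i].name, "2Fh") ? vxd_name(h[i].imm) : "");
    return 0;
}
```

On the sample buffer the scanner reports the backdoor at offset 7 with function 0911h, the int 2Fh query at offset 23 resolved to SIWVID, and the int 41h probe at offset 32. In 32-bit code the same instructions carry a 66h operand-size prefix in front of the 16-bit moves, so a scanner for Win32 targets would need the prefixed forms as well.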
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (which hangs the computer...).

        push cs
        pop ds                  ; DS:DX -> new handler
        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE Loader, 0x400 otherwise) and whether memory breakpoints (BPM) are set
(dr0 to dr3), simply by reading their values (possible in ring 0 only, since a
MOV from a debug register faults in ring 3). The values can be manipulated or
changed as well (clearing BPMs, for instance).
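To make the dr7 values above concrete, here is an added example (not code from the original article) that decodes dr7 and dr0..dr3 according to the documented DR7 bit layout: 0x400 is bit 10, which always reads as 1, and 0x700 adds the LE and GE "exact breakpoint" bits; the per-slot L/G enable, R/W and LEN fields are what a BPM ends up as in the hardware. The register values are constructed for the demo; reading them for real requires ring 0, as the text says, so this code only interprets values already read.

```c
/* Added example, not part of the original document: decoding the debug
 * registers the way the Method 10 check reads them. The bit layout is the
 * documented DR7 layout (Intel SDM); the register values in main() are
 * constructed for this demo. Reading DRx for real needs ring 0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE   (1u << 8)   /* local exact breakpoint enable               */
#define DR7_GE   (1u << 9)   /* global exact breakpoint enable              */
#define DR7_RSV1 (1u << 10)  /* reserved, always reads as 1 (the 0x400)     */
#define DR7_GD   (1u << 13)  /* general detect: #DB on any access to DRx    */

struct hwbp {
    int         slot;        /* 0..3 = DR0..DR3                 */
    uint32_t    addr;        /* linear address held in DRn      */
    int         local, global;
    const char *type;        /* exec / write / io / rw          */
    int         len;         /* 1, 2, 4 (8 only on x86-64)      */
};

/* Lists the enabled hardware breakpoints described by dr7 and dr0..dr3.
 * Returns how many entries were written to out[] (at most 4). */
int decode_dr7(uint32_t dr7, const uint32_t dr[4], struct hwbp out[4])
{
    /* R/Wn: 00 exec, 01 write, 10 I/O (only with CR4.DE), 11 read/write */
    static const char *types[] = {"exec", "write", "io", "rw"};
    /* LENn: 00 1 byte, 01 2 bytes, 10 8 bytes (x86-64 only), 11 4 bytes */
    static const int   lens[]  = {1, 2, 8, 4};
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;               /* Ln bit */
        int g = (dr7 >> (2 * i + 1)) & 1;           /* Gn bit */
        if (!l && !g) continue;                     /* slot not enabled */
        out[n].slot   = i;
        out[n].addr   = dr[i];
        out[n].local  = l;
        out[n].global = g;
        out[n].type   = types[(dr7 >> (16 + 4 * i)) & 3];
        out[n].len    = lens [(dr7 >> (18 + 4 * i)) & 3];
        n++;
    }
    return n;
}

/* The page's observation: a process started through the SoftICE Loader sees
 * dr7 == 0x700, i.e. LE|GE on top of the always-set bit 10, while 0x400 is
 * the bare reserved bit. */
int dr7_has_le_ge(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* What a protector that "clears BPMs" would write back: drop every L/G enable
 * bit and every R/W and LEN field, leave the rest of dr7 untouched. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~0x000000FFu & ~0xFFFF0000u;
}

int main(void)
{
    /* Constructed: loader-style dr7 with a 4-byte read/write BPM in DR0 and an
     * execution breakpoint in DR2 (L0=1, RW0=11b, LEN0=11b, L2=1). */
    uint32_t dr7 = 0x700u | 1u | (3u << 16) | (3u << 18) | (1u << 4);
    const uint32_t dr[4] = {0x00401000u, 0u, 0x00401234u, 0u};
    struct hwbp bp[4];
    int n = decode_dr7(dr7, dr, bp);

    printf("dr7=%08X  loader signature (LE|GE): %s\n", dr7,
           dr7_has_le_ge(dr7) ? "yes" : "no");
    for (int i = 0; i < n; i++)
        printf("DR%d  %08X  %-5s len=%d  %s%s\n", bp[i].slot, bp[i].addr,
               bp[i].type, bp[i].len, bp[i].local ? "L" : "", bp[i].global ? "G" : "");
    printf("after clearing BPMs: dr7=%08X\n", dr7_clear_bpms(dr7));
    return 0;
}
```

With the constructed values dr7 is 0xF0711: two slots come back enabled (DR0 as a 4-byte read/write breakpoint, DR2 as an execution breakpoint), the LE|GE signature is present, and clearing the BPM fields leaves exactly 0x700, which is why a protector that zeroes dr0..dr3 and the enable bits does not disturb the loader fingerprint.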
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle on the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

 (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, and
 the 4 bytes that follow are compared with the start of the driver name)

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; pointer to '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; pointer to '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (002Ah = VWIN32),
                                ; low word specifies which service
                                ; (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; offsets 0x13 and 0x37 are where "tICE"
falls inside key #2 and key #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set => no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>