<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4             ; al is still 4 if nobody answered the BCHK request
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point (0:0 if not found)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point (0:0 if not found)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax                ; ES = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our own int 41h vector, keep the old one
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h                  ; reaches our IRET handler unless a debugger answers first
 xchg dx, es:[41h*4]      ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al                ; only reached if nothing intercepted int 41h first
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]      ; install our own int 41h vector, keep the old one
 xchg bx, es:[41h*4+2]
 in al, 40h               ; unpredictable value read from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]      ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al                ; cl == al only if our handler actually ran
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number            ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and thus it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001   ; VxdCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
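
Added example, not part of the original text: a small Python static scanner that looks for the byte and string signatures of Methods 01, 02, 05, 07, 11, 12 and 13 in a file image, the kind of triage check an analyst runs over a packed sample to see which anti-SoftICE tricks it carries before stepping into it. The x86 encodings and the sample buffer are hand-assembled and constructed by me, not taken from the page.

```python
import re

# Byte-level signatures for the checks described on this page. The x86
# encodings below are assumed (hand-assembled for this example).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 (32-bit encoding)
    "01 BoundsChecker BCHK int 3": rb"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (16-bit encoding)
    "02 SoftICE back door magic": rb"\xbe\x47\x46\xbf\x4d\x4a[\x00-\xff]{0,8}?\xcc",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh debugger check": rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h check": rb"\xb4\x43\xcd\x68\x3d\x86\xf3",
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 11: MeltICE-style driver names, ASCII only
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: the NuMega registry key (key #2 on the page)
    "13 NuMega registry key": rb"Software\\NuMega\\SoftICE",
}


def scan(data: bytes):
    """Return a sorted list of (offset, signature name) hits found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, data):
            hits.append((match.start(), name))
    return sorted(hits)


def methods_found(data: bytes):
    """Return the distinct method numbers (as on the page) whose signature hit."""
    return sorted({name[:2] for _, name in scan(data)})


# Constructed sample (not a real binary): NOP padding around hand-assembled
# instances of Methods 01, 02, 05 and 12, then the MeltICE device names and
# the NuMega registry key as plain ASCII strings.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("bd4b484342 66b80400 cc 3c04 7505")   # Method 01
    + b"\x90" * 4
    + bytes.fromhex("b81109 8b17 be4746 bf4d4a cc")       # Method 02
    + b"\x90" * 4
    + bytes.fromhex("b84f00 cd41 3d86f3 74fe")            # Method 05
    + b"\x90" * 4
    + bytes.fromhex("6a4f 682a002a00")                    # Method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"              # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                    # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
    print("methods:", methods_found(SAMPLE))
```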
6 f6 @: J% o( N9 p5 F0 S</PRE></TD></TR></TBODY></TABLE> |