About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker query
    cmp     al,4                   ; AL is untouched when no SoftICE is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 when the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes ES = 0 (IVT segment), as in Method 06
    xchg    bx, es:[41h*4+2]    ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if our handler really gets control
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the PIT timer: a hard-to-predict byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL is still 0 if a debugger swallowed int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the C escapes resolve to the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
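Most of the tricks above key on fixed immediates (the 'BCHK' value, the 4647h/4A4Dh magic pair, VxD IDs 0202h/7A5Fh, the F386h magic number, the 002A002Ah VxDCall selector, the \\.\SICE device name), which is what an analyst's triage scanner can look for in a packed sample before stepping through it. The Python scanner below is an added example, not part of the original text; it assumes Method 01 is encoded as 32-bit code and Methods 02/03/04 as 16-bit DOS code, and the sample buffer is hand-constructed rather than taken from any real binary.

```python
import re

# Byte patterns derived from the instruction sequences quoted in Methods 01-12.
# Assumptions (mine, not the original text's): Method 01 is 32-bit code,
# Methods 02/03/04 are 16-bit DOS code; a 66h operand-size prefix may sit in
# front of a 16-bit immediate, which the short ".{0,n}" gaps absorb.
SIGNATURES = {
    "Method 01: BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)":
        re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "Method 02: SoftICE int 3 back door (mov si,4647h ; mov di,4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,2}\xBF\x4D\x4A", re.DOTALL),
    "Method 03/04: int 2Fh/1684h query for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        re.compile(rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A)", re.DOTALL),
    # Only 3 bytes long, so expect false positives on real binaries; treat as a hint.
    "Method 05/07/12: compare against debugger magic number (cmp ax,0F386h)":
        re.compile(rb"\x3D\x86\xF3"),
    "Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    "Method 11: MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)":
        re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for description, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), description))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of the tricks above, padded
# with NOPs. Not taken from any real binary.
SAMPLE = (
    b"\x55\x8B\xEC"                                         # push ebp / mov ebp,esp
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"     # Method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (16-bit)
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # Method 03 (16-bit)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
    + b"\x66\x3D\x86\xF3"                                   # cmp ax,0F386h (32-bit)
    + b"\\\\.\\SICE\x00"                                    # Method 11 device name
)

if __name__ == "__main__":
    for offset, description in scan(SAMPLE):
        print(f"{offset:#06x}  {description}")
```

Run against a real file by replacing SAMPLE with the file's bytes; a hit only says a known sequence is present, and the offset is where to set the breakpoint or start reading.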