About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK' in EBP) that SoftICE's
int 3 handler recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
temporary int 41h handler copies AL into CL; if it is not the one that
actually services the interrupt, CL and AL differ afterwards:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD or a ring 3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
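As an added example (not part of the original text, and not code from the author, NuMega or SoftICE), here is a small Python scanner that turns the sequences from Methods 01 to 07, 11, 12 and 13 into byte signatures and looks for them in a raw code buffer, the way an analyst triages a packed DOS/Win9x binary before deciding which of the breakpoints above to set. The opcode encodings are the standard 16-bit x86 ones (a 66h prefix in 32-bit code falls inside the allowed gaps, so both flavours match); the labels, the `scan` and `summarize` functions and the `SAMPLE` buffer are my own constructions.

```python
"""Static triage for the anti-SoftICE sequences described in the text.

Added example, not code from the original post.  It converts the detection
sequences into byte-level signatures and scans a raw code/data buffer for
them; the SAMPLE buffer at the bottom is constructed here for demonstration.
"""
import re
import sys

# (label, regex over raw bytes).  Opcode encodings are the standard 16-bit
# ones; in 32-bit code the same instructions carry a 66h operand-size prefix,
# which falls inside the gaps allowed by ".{0,n}?", so both flavours match.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("M01 int 3 / BoundsChecker 'BCHK' probe",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Method 05 (also Stone's variant): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h V86 handler check",
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: driver device names opened with CreateFileA / _lopen
    ("M11 SoftICE device name (MeltICE style)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys revealing the installation directory
    ("M13 SoftICE registry key probe",
     rb"(?i)Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
     rb"\\(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
]


def scan(buf):
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


def summarize(buf):
    """Map each label to its hit count (0 for methods not present)."""
    counts = {label: 0 for label, _ in SIGNATURES}
    for _, label in scan(buf):
        counts[label] += 1
    return counts


# Constructed sample: a few of the sequences above, hand-assembled, with
# filler around them.  Offsets: M01 at 4, M03 at 22, M05 at 30, strings at 40/49.
SAMPLE = (
    b"\x90" * 4                                  # filler (nop)
    # Method 01 as compiled in 32-bit code
    + b"\xBD\x4B\x48\x43\x42"                     # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"                         # mov ax, 4
    + b"\xCC"                                     # int 3
    + b"\x3C\x04"                                 # cmp al, 4
    + b"\x75\x10"                                 # jnz SoftICE_Detected
    # Method 03 as compiled in 16-bit code
    + b"\x33\xFF"                                 # xor di, di
    + b"\x8E\xC7"                                 # mov es, di
    + b"\xB8\x84\x16"                             # mov ax, 1684h
    + b"\xBB\x02\x02"                             # mov bx, 0202h
    + b"\xCD\x2F"                                 # int 2Fh
    # Method 05, simplest form (16-bit code): mov ax,4Fh; int 41h; cmp; jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x08"
    # Method 11 and Method 13 strings in the data area
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # usage: python scanner.py <file>   (no argument: scan the built-in SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

On a real file expect a few coincidental hits in data: the `.{0,n}?` gaps are there so that a junk instruction or a prefix between the key opcodes does not hide a sequence, which also means a hit is a place to look, not proof by itself. A hit for a given method tells you which of the SoftICE breakpoints quoted in the text (BPINT 41, BPX CreateFileA, bpx Get_DDB, ...) is worth setting before running the sample.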