<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911           ; execute command.
        4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647           ; 1st magic value.
        4C19:009D MOV DI,4A4D           ; 2nd magic value.
        4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
        4C19:00A8 JB 0095               ; 6 different commands.
        4C19:00AA JMP 0002              ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the VxD answers DIOC_OPEN */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected



___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

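As an added example (not part of the original text), here is a small Python scanner that flags the byte-level fingerprints of methods 01 through 13 in a binary under analysis, so an analyst can spot these SoftICE checks statically before running anything. The opcode encodings, signature names and the constructed sample image are assumptions worked out by hand for this example.

```python
import re

# Byte patterns for the SoftICE checks described above (x86 encodings worked out
# by hand for this example). An optional 0x66 operand-size prefix is allowed where
# a 16-bit register move would carry one inside 32-bit code.
SIGNATURES = {
    "method01_bchk_int3":     rb"\xbd\x4b\x48\x43\x42",               # mov ebp,4243484Bh ('BCHK')
    "method02_magic_si_di":   rb"\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a",  # mov si,4647h / mov di,4A4Dh
    "method03_04_int2f_1684": rb"\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    "method05_int41_4f":      rb"\xb8\x4f\x00\xcd\x41",               # mov ax,4Fh / int 41h
    "method07_int68_43":      rb"\xb4\x43\xcd\x68",                   # mov ah,43h / int 68h
    "magic_f386_compare":     rb"\x3d\x86\xf3",                       # cmp ax,0F386h (methods 05/07/12)
    "method12_vwin32_int41":  rb"\x68\x2a\x00\x2a\x00",               # push 002A002Ah
    "method11_device_name":   b"|".join(re.escape(b"\\\\.\\" + n) + rb"\x00"
                                        for n in (b"SICE", b"SIWVID", b"NTICE")),
    "method13_registry_key":  re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit in blob, ordered by offset."""
    hits = [(m.start(), name) for name, pat in COMPILED.items() for m in pat.finditer(blob)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: hand-assembled fragments of methods 01/02/03/05/11 with NOP filler."""
    nops = b"\x90" * 8
    return b"".join([
        nops,
        b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10",  # method 01, 32-bit code
        nops,
        b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc",          # method 02, Haspinst loop body (16-bit)
        nops,
        b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f",          # method 03, 16-bit
        nops,
        b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05",                  # method 05, simplest form
        nops,
        b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",                         # method 11 device names
        nops,
    ])


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Run against a real image, the offsets point straight at the check sites, which is where a BPX would otherwise have to be found by tracing.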
Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>