About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is expected to be 0 here (IVT segment), see Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

# m9 v  r+ Q" F# Y+ L' qMethod 13% D8 J! _. X3 y$ T( ]+ B! @
=========
  F% S0 `! r& g1 O: F5 V+ i" a+ U" t
Not a real method of detection, but a good way to know if SoftICE is6 B$ F5 Z& G- R* x$ J
installed on a computer and to locate its installation directory.
- @( _2 }; V/ ]% M) ^5 `% bIt is used by few softs which access the following registry keys (usually #2) :' F* N$ C8 _& ~' C* Z

, k9 j2 s, X# p2 c) {6 n-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 U; N  ^2 B% h! ]/ A$ ^/ ?0 Q\Uninstall\SoftICE- A& Z& e& @) I8 B# V
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE, c9 g, Z; K6 `, ^: f( u+ |
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 g" H; M  E; R- @5 I- ?. u
\App Paths\Loader32.Exe$ _  ^6 k/ E8 s8 t7 K

  t8 K* o) L$ u- w* u& P" o& |2 u/ k+ p3 d/ |; v
Note that some nasty apps could then erase all files from SoftICE directory
, g7 Z" v6 `# G- h9 }(I faced that once :-(
1 p8 o# S7 I! {2 A" B+ a7 S2 E5 v4 g' R3 G- j% R" z6 }5 k1 S
Useful breakpoint to detect it:; I3 H% [4 v' O
8 w; v& P$ \7 \! e# Z6 E
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
9 [& L( Z- z4 s: W9 |0 _/ h, B8 \! ]' q$ u& Y
__________________________________________________________________________6 O; V' K  {9 C

; J: Y) Y2 f3 y" k( Q. p4 _0 C  i. B
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
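The byte patterns of methods 01, 02, 03/04, 05, 07, 11 and 12 above can be hunted for statically in a sample before it is ever run under a debugger; the scanner below is an added example, not code from the original post or from any tool it names, and its SAMPLE buffer is constructed from the instruction encodings shown in the listings.

```python
"""Static triage for the anti-SoftICE tricks described in the post.

Added example (not code from the original post): scans a raw code/data
buffer for the instruction bytes and driver names of methods 01, 02, 03/04,
05, 07, 11 and 12, the way an analyst triages a packer before debugging it.
The x86 encodings are standard; SAMPLE is a constructed buffer."""
import re

# (trick name, regex over raw bytes). `.` with re.DOTALL matches any byte,
# so a few unrelated instructions between the signature parts are tolerated.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BCHK/int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values) ; int 3
    ("M02 back door SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h (16- or 32-bit operand size)
    ("M05 int 41h/4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11 (MeltICE): device name handed to CreateFileA or _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    ("M12 VxDCall Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(buf: bytes):
    """Return (offset, trick name) pairs for every signature hit, by offset."""
    return sorted((m.start(), name) for name, pat in SIGNATURES
                  for m in pat.finditer(buf))


def tricks_found(buf: bytes):
    """Set of trick names present in the buffer."""
    return {name for _, name in scan(buf)}


# Constructed sample: method 01, the method 02 loop from the Haspinst.exe
# listing, method 12, and the MeltICE device name, separated by NOPs/zeros.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3\x74\x00"
    + b"\x00" * 8 + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```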