About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
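As an added example (not part of the original text), here is a small Python triage helper that spots the int 3 back-door calls of Methods 01 and 02 in a raw code buffer by looking at the immediates loaded shortly before each int 3, and names the back-door function from the AX table above. The sample bytes are the Haspinst.exe loop from the listing, hand-encoded for this example (constructed), plus a constructed 32-bit 'BCHK' probe; the 24-byte look-back window and the function names are this example's own assumptions.

```python
import re

# AX values of the SoftICE back-door functions (Method 02), as listed above.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command pointed to by ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# 16-bit encodings used by Method 02: mov si,4647h / mov di,4A4Dh / mov ax,09xxh
MAGIC_SI = b"\xBE\x47\x46"
MAGIC_DI = b"\xBF\x4D\x4A"
MOV_AX_09XX = re.compile(rb"\xB8(.)\x09", re.DOTALL)
# 32-bit encodings used by Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4
BCHK_EBP = b"\xBD\x4B\x48\x43\x42"
BCHK_AX = b"\x66\xB8\x04\x00"
INT3 = 0xCC
WINDOW = 24  # assumption: the immediates are loaded within 24 bytes of the int 3


def find_backdoor_calls(code: bytes):
    """Return [(offset, description)] for each int 3 whose preceding bytes load
    the magic values of Method 01 or Method 02. A plain int 3 is ignored."""
    hits = []
    for off, b in enumerate(code):
        if b != INT3:
            continue
        win = code[max(0, off - WINDOW):off]
        if BCHK_EBP in win and BCHK_AX in win:
            hits.append((off, "Method 01: BoundsChecker 'BCHK' probe"))
        elif MAGIC_SI in win and MAGIC_DI in win:
            last = None
            for last in MOV_AX_09XX.finditer(win):  # keep the last mov ax,09xxh
                pass
            if last is None:
                hits.append((off, "Method 02: SI/DI magic set, function unknown"))
            else:
                func = 0x0900 | last.group(1)[0]
                name = BACKDOOR_FUNCS.get(func, "unknown back-door function")
                hits.append((off, f"Method 02: AX={func:04X}h ({name})"))
    return hits


# Constructed sample: the Haspinst.exe loop from the listing (4C19:0095..00AF),
# hand-encoded as 16-bit x86. Offset 11 is the INT 3 at 4C19:00A0.
HASPINST_LOOP = bytes.fromhex(
    "B81109"    # mov ax,0911
    "8B17"      # mov dx,[bx]
    "BE4746"    # mov si,4647
    "BF4D4A"    # mov di,4A4D
    "CC"        # int 3
    "83C302"    # add bx,2
    "41"        # inc cx
    "83F906"    # cmp cx,6
    "72EB"      # jb 0095
    "E955FF"    # jmp 0002
    "8BDC"      # mov bx,sp
)
# Constructed sample of the Method 01 probe in a 32-bit code segment.
BCHK_PROBE = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7500")
```

Calling find_backdoor_calls(HASPINST_LOOP) reports the int 3 at offset 11 as an 0911h back-door call, which is exactly the "execute command" probe the listing performs six times.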
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to segment 0 (the IVT),
    xchg    bx, es:[41h*4+2]        ; as set up explicitly in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

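As an added example (not from the original text), a Python decoder of the DR7 bit layout that explains the 0x700 and 0x400 values quoted above: bit 10 is the reserved bit that always reads as 1 (hence 0x400 on a clean system), and bits 8 and 9 are the LE/GE "exact breakpoint" enables that account for the extra 0x300; it also lists the armed dr0-dr3 breakpoints from a register snapshot such as one taken from a VM or crash dump. The snapshot values are constructed, and the function names are this example's own.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for dr0..dr3
#   bits 8-9   LE, GE                    "exact" breakpoint enables
#   bit  10    reserved, always reads 1  -> the 0x400 seen without SoftICE
#   bit  13    GD  general detect        -> #DB on any mov to/from a debug register
#   bits 16+4n R/Wn (2 bits), bits 18+4n LENn (2 bits) for breakpoint n
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED1 = 1 << 10
DR7_GD = 1 << 13


def decode_dr7(dr7, dr0_3):
    """Describe the debug state; dr0_3 is the list [dr0, dr1, dr2, dr3]."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue  # breakpoint n is not armed, so its address is irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"reg": f"dr{n}", "addr": dr0_3[n], "type": RW_NAMES[rw],
                    "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {
        "exact_enable": bool(dr7 & (DR7_LE | DR7_GE)),  # 0x300: the 0x700-vs-0x400 tell
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": bps,
    }


def softice_indicators(dr7, dr0_3):
    """Apply the Method 10 heuristics to a register snapshot and return findings."""
    state = decode_dr7(dr7, dr0_3)
    notes = []
    if state["exact_enable"]:
        notes.append("LE/GE set (dr7 & 0x300): consistent with a load through SoftICE Loader")
    for bp in state["breakpoints"]:
        notes.append(f"{bp['reg']} armed: {bp['type']} len {bp['len']} at "
                     f"{bp['addr']:#010x} ({bp['scope']}), i.e. a BPM-style breakpoint")
    if state["general_detect"]:
        notes.append("GD set: any access to the debug registers will itself trap")
    return notes


if __name__ == "__main__":
    # Constructed snapshots: clean system, SoftICE Loader, one BPM RW on 0x401000
    for dr7, drs in ((0x400, [0] * 4), (0x700, [0] * 4), (0xF0701, [0x401000, 0, 0, 0])):
        print(f"dr7={dr7:#x}: {softice_indicators(dr7, drs) or ['nothing suspicious']}")
```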
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>