<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our dummy handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; our handler leaves ax untouched; a debugger answers 0F386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler: copy al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer port: an unpredictable value in al
 xor cx,cx
 int 41h ; should reach our handler, which copies al into cl
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl still 0: our handler never ran, a debugger intercepted int 41h
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in the int68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
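Added example (not part of the original text): a Python decoder for the DR7
value that Method 10 reads, following the register layout in the Intel
manual. It shows that the two values quoted above differ only in the LE/GE
bits (0x700 = reserved bit 10 + LE + GE, 0x400 = reserved bit 10 alone) and
how an armed memory breakpoint in dr0..dr3 shows up in the enable and
R/W-LEN fields. The function names decode_dr7/describe_dr7 and the third
value in the usage loop are mine.

```python
# Decoder for the x86 DR7 debug-control register. Added example for this
# page, not code from the original text. DR7 layout (Intel SDM vol. 3,
# "Debug Registers"):
#   bits 0..7   L0,G0 .. L3,G3   local/global enable for breakpoint slot n
#   bit 8       LE               local exact breakpoint enable
#   bit 9       GE               global exact breakpoint enable
#   bit 10      reserved, always reads as 1
#   bit 13      GD               general detect (trap on MOV to/from DRx)
#   bits 16..31 R/Wn (2 bits) and LENn (2 bits) for breakpoint slot n

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the armed breakpoints and the control flags."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3    # what kind of access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3    # how many bytes it covers
        armed.append({
            "slot": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "armed": armed,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def describe_dr7(dr7: int) -> str:
    """One-line summary in the terms Method 10 uses (BPM = memory breakpoint)."""
    d = decode_dr7(dr7)
    parts = [f"{len(d['armed'])} BPM(s) armed"]
    if d["le"] or d["ge"]:
        parts.append("LE/GE exact-breakpoint bits set")
    if d["gd"]:
        parts.append("GD set (debug-register access is trapped)")
    return f"dr7=0x{dr7:x}: " + ", ".join(parts)


if __name__ == "__main__":
    # The two values quoted on the page, plus a constructed value with a
    # global 4-byte write breakpoint in slot 0 (G0 | RW0=write | LEN0=4 bytes).
    for v in (0x700, 0x400, 0x400 | 0x2 | (1 << 16) | (3 << 18)):
        print(describe_dr7(v))
```

The point of the decoder for the defender reading a crash dump or a driver
trace is that a raw dr7 of 0x400 carries no information at all (only the
reserved bit), whereas any set L/G bit names exactly which BPM slot a
debugger has armed and what access will trigger it.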

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the device opened: the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
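Added example (not part of the original text, and not code from any of the
programs or tools named above): a small static triage scanner, in Python, for
the indicators that Methods 01, 02, 03/04, 05/07/12, 11, 12 and 13 leave in a
binary. An analyst runs it over a sample to learn which of the tricks to
expect before choosing the SoftICE breakpoints listed under each method. The
rule table, the function names scan/methods_found and the SAMPLE bytes are
mine; the sample is constructed, not taken from any real program, and the
opcode bytes follow the standard x86 encoding of the instructions quoted on
the page (the 66h operand-size prefix is optional so both 16-bit and 32-bit
code match).

```python
# Static triage scanner for the SoftICE-detection tricks catalogued on this
# page. Added example, not code from the original text. Each rule anchors on
# the opcode of the instruction the page shows, so a two-byte magic value is
# never searched bare (a random 47 46 pair occurs in almost any binary).
import re

RULES = [
    # (description, page method, regex over raw bytes)
    ("mov ebp, 4243484Bh ('BCHK')", "01",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("mov si, 4647h (back-door magic)", "02",
     rb"\x66?\xBE\x47\x46"),
    ("mov di, 4A4Dh (back-door magic)", "02",
     rb"\x66?\xBF\x4D\x4A"),
    ("HBOOT back-door command string", "02",
     rb"HBOOT"),
    # VxD ID loaded into bx, with the int 2Fh within the next 8 bytes
    ("mov bx, 0202h/7A5Fh ... int 2Fh (VxD ID)", "03/04",
     rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # 16-bit mov ax,4Fh / 32-bit mov ax,4Fh / mov eax,4Fh followed by int 41h
    ("mov ax, 4Fh ; int 41h", "05",
     rb"(?:\x66\xB8\x4F\x00|\xB8\x4F\x00(?:\x00\x00)?)\xCD\x41"),
    ("cmp ax, 0F386h (system debugger magic)", "05/07/12",
     rb"\x66?\x3D\x86\xF3"),
    ("device name \\\\.\\SICE / SIWVID / NTICE", "11",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("push 002A002Ah (VWIN32_Int41Dispatch)", "12",
     rb"\x68\x2A\x00\x2A\x00"),
    ("registry key Software\\NuMega\\SoftICE", "13",
     rb"(?i)Software\\NuMega\\SoftICE"),
]
COMPILED = [(desc, method, re.compile(pat, re.DOTALL)) for desc, method, pat in RULES]


def scan(data: bytes) -> list:
    """Return (offset, method, description) for every rule hit, sorted by offset."""
    hits = []
    for desc, method, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes) -> list:
    """The page's method numbers whose indicators appear in the data."""
    return sorted({method for _, method, _ in scan(data)})


# Constructed sample: a few of the page's instruction sequences and strings,
# padded with NOPs and zeros. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                  # mov ebp, 4243484Bh (Method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"          # mov ax,4 ; int 3 ; cmp al,4
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x00" * 5
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"       # device names (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"         # registry path (Method 13)
    + b"\x68\x2A\x00\x2A\x00\xFF\x15"          # push 002A002Ah ; call [..] (Method 12)
    + b"\xBB\x02\x02\xCD\x2F"                  # mov bx,0202h ; int 2Fh (Method 03)
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<9} {desc}")
```

The int 2Fh rule is the one most likely to miss: it requires the CD 2F
opcode within eight bytes of the mov bx, so a sample that loads bx by another
route or calls the interrupt from a subroutine goes unreported. That trade
was made on purpose; a bare BB 02 02 match would fire on ordinary code.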

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>