<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx point to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to point to segment 0 (the IVT)
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
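Added example (not part of the original text): a small Python scanner that looks for the opcode sequences of Methods 01, 02 and 05 in a raw code blob, the kind of check an analyst runs over a suspicious sample before loading it in a debugger. The sample bytes, the rule layout and the 32-byte proximity window are my own assumptions.

```python
import re

# Opcode bytes of the sequences quoted in Methods 01, 02 and 05 (16-bit encodings;
# 32-bit code only adds a 66h operand-size prefix in front, so the same bytes match).
# Each rule: (name, anchor, follow-up byte patterns that must all appear within WINDOW).
WINDOW = 32
RULES = [
    ("Method 01: BoundsChecker 'BCHK' int 3",
     rb"\xbd\x4b\x48\x43\x42",                      # mov ebp, 04243484Bh
     [rb"\xb8\x04\x00", rb"\xcc", rb"\x3c\x04"]),    # mov ax,04h / int 3 / cmp al,4
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh)",
     rb"\xbe\x47\x46",                              # mov si, 4647h
     [rb"\xbf\x4d\x4a", rb"\xcc"]),                 # mov di, 4A4Dh / int 3
    ("Method 05: int 41h/4Fh magic 0F386h",
     rb"\xb8\x4f\x00",                              # mov ax, 4fh
     [rb"\xcd\x41", rb"\x3d\x86\xf3"]),             # int 41h / cmp ax, 0F386h
]


def scan(code: bytes, window: int = WINDOW):
    """Return (rule name, offset) for every anchor whose follow-up bytes all occur
    within `window` bytes after it. Order of the follow-ups is not enforced, so
    reordered register loads (a common variation) still match."""
    hits = []
    for name, anchor, followers in RULES:
        for m in re.finditer(anchor, code):
            region = code[m.start():m.start() + window]
            if all(re.search(f, region) for f in followers):
                hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: NOP padding around the three sequences. The Method 02 bytes
# are the Haspinst.exe listing above re-encoded (mov ax,0911 ... jmp 0002).
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"        # Method 01
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    + b"\x83\xc3\x02\x41\x83\xf9\x06\x72\xeb\xe9\x55\xff"                # Method 02
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                        # Method 05
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}: {name}")
```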

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es -> segment 0 (the IVT)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (timer) in al
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler did not run
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
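Added example (not from the original text): a Python decoder for the DR7 values Method 10 quotes, so that 0x700 versus 0x400 and a set BPM can be read field by field instead of as a magic constant. The field layout follows the Intel SDM; the 0x000D0401 sample value and the helper names are my own.

```python
# Field layout of the x86 DR7 debug-control register (Intel SDM vol. 3, "Debug
# Registers"): bits 0-7 are the L/G enable pairs for DR0-DR3, bit 8 LE, bit 9 GE,
# bit 10 is reserved and always reads as 1, bit 13 GD, bits 16-31 hold the R/W and
# LEN fields (4 bits per breakpoint).
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields so a raw value can be read breakpoint by breakpoint."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"index": n, "scope": "global" if glob else "local",
                        "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,                 # the BPMs of Method 10 (dr0-dr3 in use)
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
    }


def matches_softice_loader(dr7: int) -> bool:
    """The heuristic quoted in Method 10: dr7 == 0x700 (LE and GE set on top of the
    always-set bit 10) when the program was started from the SoftICE loader, 0x400
    otherwise. Only the LE/GE pair is tested here (my choice) so that additional
    breakpoint bits in the same register do not mask the loader signature."""
    return (dr7 & 0x300) == 0x300


if __name__ == "__main__":
    # 0x000D0401 is a constructed value: DR0 enabled locally, write, 4 bytes.
    for value in (0x400, 0x700, 0x000D0401):
        print(hex(value), matches_softice_loader(value), decode_dr7(value))
```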

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>