<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the IVT (assumes ES=0,
    xchg bx, es:[41h*4+2]   ; see Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al              ; our handler marks that it was reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary non-zero-ish value (timer)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if the int never reached our handler, cl is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed.
Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025           ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected
Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                                   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>