<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h   ; VxD ID of winice
 int 2Fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh   ; VxD ID of SIWVID
 int 2fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; assumes es = 0 (IVT segment)
 xchg bx, es:[41h*4+2]  ; install our own int 41h handler
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; only reached if our handler gets the int 41h
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es = 0 (IVT segment)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read the PIT counter: an unpredictable byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; cl != al means the int 41h was intercepted
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                    ; DOS set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32)
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
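The following Python scanner is an added example and not part of the original text: it turns the byte sequences visible in the listings of methods 01 to 07, 11 and 12 into signatures an analyst can run over a sample to flag these anti-SoftICE checks for closer inspection. The encodings are assumed from the listings (method 01 is matched in both its 16-bit and 32-bit operand-size encodings), the signature names are my own, and the sample buffer is constructed, not taken from a real binary.

```python
import re
import sys

# Byte signatures for the anti-SoftICE checks in the listings above.
# Register choices differ between packers, so a hit is a lead for manual
# inspection, not proof. Assumption: method 01 is matched in both its 32-bit
# encoding (BD imm32 / 66 B8 imm16) and its 16-bit one (66 BD imm32 / B8 imm16).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "m01_boundschecker_bchk": rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values)
    "m02_backdoor_magic":     rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_int2f_sice_vxd":     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "m04_int2f_siwvid_vxd":   rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h  (short: expect some false positives)
    "m05_int41_4f":           rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h  (short: expect some false positives)
    "m07_int68_43":           rb"\xB4\x43\xCD\x68",
    # Method 11: NUL-terminated device names opened by CreateFileA / _lopen
    "m11_meltice_devname":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41":      rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(buf: bytes) -> list:
    """Return every (offset, signature_name) hit in buf, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a packed executable) with scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real binary): NOP filler, the method 01 check in
# 32-bit encoding, the method 02 magic values and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 at offset 4
    + b"\x90" * 2
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # magic values at 21
    + b"\x00\\\\.\\SICE\x00"                                # '\\.\SICE' at 29
)

if __name__ == "__main__":
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, name in target:
        print(f"0x{offset:08x}  {name}")
```

Run it with a file path to scan that file; without arguments it scans the constructed sample and reports three hits.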

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>