About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is then detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
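As an added example (not part of the original post), here is a small static scanner that looks in a binary for the byte-level fingerprints of the tricks listed above: the 'BCHK' immediate plus int 3 of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h and int 41h/4Fh sequences of methods 03 to 05, the int 68h/43h call of method 07, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11 and the 4Fh/002A002Ah VxDCall pair of method 12. The byte encodings are standard x86 (16-bit operand size for the DOS/Win9x idioms, 32-bit for the packer and Win32 ones) and the sample buffer is constructed for the demonstration.

```python
import re

# Byte-level fingerprints of the SoftICE checks described in the post.
# Encodings are standard x86: the DOS/Win9x idioms assume 16-bit operand
# size (mov ax,imm16 = B8 iw), the packer/Win32 ones assume 32-bit code.
# ".{0,n}?" tolerates a few unrelated instructions between the key bytes.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3":      rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (back door magic values)
    "backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
    "int2f_sice":     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "int2f_siwvid":   rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "int41_4f_f386":  rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "int68_43":       rb"\xB4\x43\xCD\x68",
    # Method 11: device names passed to CreateFileA / _lopen
    "device_name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41":  rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a sorted list of (offset, signature_name) for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def matched_methods(blob):
    """Set of signature names present in blob, for a quick triage verdict."""
    return {name for _, name in scan(blob)}


# Constructed sample buffer (not taken from any real program): a method 01
# stub, a method 02 back-door call, the MeltICE device name and a method 12
# VxDCall sequence, separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 04243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 4  (32-bit code, 66h prefix)
    + b"\xCC"                          # int 3
    + b"\x3C\x04\x75\x10"              # cmp al,4 ; jnz SoftICE_Detected
    + b"\x00" * 8
    + b"\xB8\x11\x09"                  # mov ax, 0911h (execute SIce command)
    + b"\xBE\x47\x46\xBF\x4D\x4A"      # mov si, 4647h ; mov di, 4A4Dh
    + b"\xCC"                          # int 3
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"               # "\\.\SICE" as passed to CreateFileA
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"0x{off:04X}  {name}")
```

The signatures are deliberately tight to the exact sequences shown in the post; a real triage rule set would also cover reordered operands and other registers holding the magic values.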