<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 if nobody answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to segment 0 (the IVT), as in method 06
    xchg bx, es:[41h*4+2]   ; swap our own handler into the int 41h vector
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone; only a debugger returns 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler echoes al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler on int 41h
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the system timer port for an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if our handler ran, cl == al; when SoftICE
    jnz SoftICE_detected    ; intercepts int 41h the copy never happens

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SICE VxD by its device name; only succeeds if the driver is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 only when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

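The following scanner is an added example, not part of the original text: it searches a raw binary for the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 (the int 3 back door magic values, the int 2Fh/1684h and int 41h/4Fh sequences, the MeltICE device names, the registry paths) so these checks can be located statically before the target is ever run. The opcode encodings, the confirmation window and the sample bytes (the Haspinst.exe loop from Method 02 encoded by hand) are my own assumptions, not material from the page.

```python
import re

# Byte signatures for the SoftICE checks described in the methods above.
# Opcode encodings were worked out by hand for this example (16-bit forms
# for the DOS tricks, 32-bit forms for the Win32 ones). Tuple layout:
# (method, pattern, confirmation pattern expected shortly after, note).
SIGNATURES = [
    ("01", rb"\xbd\x4b\x48\x43\x42", rb"\xcc",      # mov ebp,4243484Bh ... int 3
     "BoundsChecker 'BCHK' magic before int 3"),
    ("02", rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a", rb"\xcc",
     "int 3 back door magic values SI=4647h DI=4A4Dh"),
    ("03/04", rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f", None,
     "int 2Fh/1684h lookup of the SICE or SIWVID VxD entry point"),
    ("05", rb"\xb8\x4f\x00\xcd\x41", None,          # mov ax,4fh / int 41h
     "int 41h/4Fh debugger installation check"),
    ("07", rb"\xb4\x43\xcd\x68", None,              # mov ah,43h / int 68h
     "int 68h/43h V86 handler check"),
    ("11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", None, # "\\.\SICE" etc.
     "MeltICE driver name passed to CreateFileA/_lopen"),
    ("12", rb"\x6a\x4f\x68\x2a\x00\x2a\x00", None,  # push 4fh / push 002a002ah
     "VxDCall VWIN32_Int41Dispatch check"),
    ("13", rb"(?:NuMega|Uninstall)\\SoftICE", None, # ASCII registry path only
     "SoftICE registry key lookup"),
]

def scan(data, confirm_window=8):
    """Return sorted (offset, method, note) tuples for every signature hit.
    A signature with a confirmation pattern is only reported when that
    pattern also occurs within confirm_window bytes after the match, which
    drops stray occurrences of the magic constants in data or padding."""
    hits = []
    for method, pattern, confirm, note in SIGNATURES:
        for m in re.finditer(pattern, data):
            if confirm is not None:
                tail = data[m.end():m.end() + confirm_window]
                if re.search(confirm, tail) is None:
                    continue
            hits.append((m.start(), method, note))
    return sorted(hits)

# Constructed sample: the Haspinst.exe loop from Method 02 encoded by hand
# as 16-bit code, then a MeltICE device name and a Method 05 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09" + b"\x8b\x17"            # MOV AX,0911 / MOV DX,[BX]
    + b"\xbe\x47\x46" + b"\xbf\x4d\x4a"        # MOV SI,4647 / MOV DI,4A4D
    + b"\xcc"                                  # INT 3
    + b"\x83\xc3\x02" + b"\x41"                # ADD BX,02 / INC CX
    + b"\x83\xf9\x06" + b"\x72\xeb"            # CMP CX,06 / JB 0095
    + b"\xe9\x55\xff" + b"\x8b\xdc"            # JMP 0002 / MOV BX,SP
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                       # "\\.\SICE" as passed to CreateFileA
    + b"\xb8\x4f\x00\xcd\x41"                  # mov ax,4fh / int 41h
)

if __name__ == "__main__":
    for offset, method, note in scan(SAMPLE):
        print(f"{offset:08x}  method {method:6} {note}")
```

Run it against a real DOS or Win9x executable by replacing SAMPLE with the file's bytes; hits are offsets into the raw file, not virtual addresses.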
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>