<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker interface signature in SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3 ; SoftICE clears AL if it is present; AL stays 4 otherwise
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________
& f/ W: H0 R3 c8 F: p1 h1 N _Method 02
+ ]$ _' @. j8 A% v3 ^0 B2 x=========# m, A8 t. i0 v" n0 C
4 a6 i$ a- i+ }2 z2 h1 |Still a method very much used (perhaps the most frequent one). It is used
" V; i- y6 R: m# f/ ^2 Ito get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 r) e5 Z, J$ k/ _9 T. c, Qor execute SoftICE commands...
0 n5 A7 _7 B7 \5 B( ^It is also used to crash SoftICE and to force it to execute any commands& M) g$ x- i# H8 f: U
(HBOOT...) :-(( 0 j) ^% @/ p0 E6 K; T
# |3 w. Y# ~: U; }) y8 r+ D9 JHere is a quick description:0 P+ w* M7 l, p' t
-AX = 0910h (Display string in SIce windows)
! }" Q7 p; ~& n; @) J/ `& t4 R-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
! b& i. P0 i# `3 N# H) m- k* \-AX = 0912h (Get breakpoint infos)3 ?( _0 U5 V; h9 e2 Y
-AX = 0913h (Set Sice breakpoints)" L+ X* h+ e% e% j" p' `5 l% I+ _
-AX = 0914h (Remove SIce breakoints)
0 ]' _7 _9 j3 ^
8 v( D0 N/ n6 I/ YEach time you'll meet this trick, you'll see:
2 x) B! W' U0 Z$ \% Q-SI = 4647h% T4 Q2 K" H& |% U& u
-DI = 4A4Dh
" z+ ^; W Y5 U9 V- N7 HWhich are the 'magic values' used by SoftIce.4 G) o, g0 p1 r% K! M' |
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
/ E& D9 D" v: X& d( V4 q
8 x) I' h. ^4 k. @+ _0 w& GHere is one example from the file "Haspinst.exe" which is the dongle HASP
5 p: |# J4 `6 x4 `# P" S" H' pEnvelope utility use to protect DOS applications:
7 m) D8 r& j/ N: _ V5 o! o) }& P( O* o+ Q" G; J% _
$ `* ?& t) e1 o0 k4 `9 m8 s4C19:0095 MOV AX,0911 ; execute command.
3 I, O' f' n$ g4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
8 }- R7 X) X3 F; U J2 f& g* n4C19:009A MOV SI,4647 ; 1st magic value.
/ e; `$ x. W: ]" M: l4C19:009D MOV DI,4A4D ; 2nd magic value.
: F, e* @: j% l4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) R! Q/ q3 p/ H& a/ g
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute1 r" x& A2 M: s- _
4C19:00A4 INC CX- X* Z/ p7 f/ v
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute: F& w7 @" p4 J# s6 b
4C19:00A8 JB 0095 ; 6 different commands." R% ?* `, |. ?" S6 R! b
4C19:00AA JMP 0002 ; Bad_Guy jmp back.2 g6 ?4 y/ H8 Z7 _! {
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
' Y$ r: ~$ I) E( v3 K7 o3 d) O
4 e7 S' J6 R* b' iThe program will execute 6 different SIce commands located at ds:dx, which" Z4 }& @$ K; h; O/ ~) X! R
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.& M5 Q% d$ E( \
; M1 b2 N- K/ g) j1 ^+ U- a0 y
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( Y* q) ? _5 Z2 S! i/ H___________________________________________________________________________
8 T6 g9 L/ o2 b4 O, X8 M7 A7 H2 ], `4 E: L1 M
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is not loaded)
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

xor ax,ax
mov es,ax ; ES -> interrupt vector table (segment 0)
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; install our own int 41h handler,
xchg bx, es:[41h*4+2] ; keeping the old vector in BX:DX
mov ax,4fh
int 41h ; a system debugger answers before our handler does
xchg dx, es:[41h*4] ; restore the original vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
mov cl,al ; our handler copies AL into CL
iret
int41handler ENDP

xor ax,ax
mov es,ax ; ES -> interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4] ; install our own int 41h handler
xchg bx, es:[41h*4+2]
in al, 40h ; AL = a timer value (changes at every run)
xor cx,cx
int 41h ; if a debugger swallows the int, our handler never runs
xchg dx, es:[41h*4] ; restore the original vector
xchg bx, es:[41h*4+2]
cmp cl,al ; CL == AL only if our handler was reached
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

mov ah, 25h
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine
int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device (SoftICE for Win9x) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32),
               ; low word specifies which service
               ; (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxDCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
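The breakpoints above catch these tricks at run time; for static triage of a packed file, here is an added example (not part of the original text) that scans a binary image for the byte-level fingerprints of the checks described in Methods 01, 03, 04, 05, 07, 11, 12 and 13. The patterns assume the canonical x86 encodings of the instructions shown above, and the sample image is constructed for the demonstration.

```python
import re

def _device_names(*names):
    # Matches the ASCII "\\.\NAME" device paths opened by the MeltICE trick.
    return b"(?:" + b"|".join(re.escape(b"\\\\.\\" + n) for n in names) + b")\x00"

# Fingerprints of the checks described above (little-endian x86 encodings
# as a standard assembler emits them). ".{0,8}?" tolerates a few bytes of
# unrelated code between the key instructions of the 'BCHK' check.
SIGNATURES = {
    "Method 01: int 3 with ebp='BCHK'": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "Method 05: int 41h function 4Fh": rb"\xB8\x4F\x00\xCD\x41",
    "Method 07: int 68h function 43h": rb"\xB4\x43\xCD\x68",
    "Method 11: MeltICE device name": _device_names(b"SICE", b"SIWVID", b"NTICE"),
    "Method 12: VxDCall 002A002Ah with function 4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "Method 13: NuMega registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(image):
    """Return sorted (offset, description) pairs for every fingerprint in image."""
    hits = []
    for name, rx in _COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(image))
    return sorted(hits)

# Constructed sample image: NOP padding, a Method 01 check, two MeltICE
# device strings, a Method 12 VxDCall stub and a Method 03 int 2Fh probe.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"             # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"                 # mov ax, 4
    + b"\xCC"                             # int 3
    + b"\x3C\x04\x75\x05"                 # cmp al, 4 / jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"     # push 4Fh / push 002A002Ah
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F" # mov ax,1684h / mov bx,0202h / int 2Fh
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {name}")
```

Run it against a real file with scan(open(path, "rb").read()); a hit is only a hint, since four-byte patterns such as the int 68h probe can occur by chance in data sections.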

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>