<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE.

  mov ebp, 04243484Bh ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4           ; SoftICE answers the 'BCHK' request by changing al
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

  4C19:0095 MOV AX,0911   ; execute command.
  4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647   ; 1st magic value.
  4C19:009D MOV DI,4A4D   ; 2nd magic value.
  4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
  4C19:00A8 JB 0095       ; 6 different commands.
  4C19:00AA JMP 0002      ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(the Get Device API Entry Point function).


  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h   ; VxD ID of winice
  int 2Fh
  mov ax, es      ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh   ; VxD ID of SIWVID
  int 2fh
  mov ax, es      ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
  mov cl,al
  iret
int41handler ENDP


  xor ax,ax
  mov es,ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl,al
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86)

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)


  mov ah, 25h
  mov al, Int_Number   ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the handle itself is not needed */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067: push 00402025   ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
  *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                 ; OF_READ
  mov eax,[00656634]      ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589            ; detected
  push 00                 ; OF_READ
  mov eax,[00656638]      ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

  push 0000004fh        ; function 4fh
  push 002a002ah        ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001 ; VxDCall
  cmp ax, 0f386h        ; magic number returned by system debuggers
  jz SoftICE_detected
Here again, several ways to detect it:
  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
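
As an added example (not part of the original text, and not code from any packer or from NuMega), here is a small static scanner that flags the byte patterns of the checks described in methods 01, 02, 03/04, 05, 07, 11, 12 and 13, the way an analyst triages a sample for anti-debugging tricks before loading it in a debugger; the x86 opcode encodings and the sample buffer are my own assumptions.

```python
import re

# Byte signatures for the SoftICE checks described in methods 01, 02, 03/04,
# 05, 07, 11, 12 and 13 above. The x86 encodings are assumed from the
# instruction sequences in the text; an optional 66h prefix covers the same
# 16-bit register moves when they appear inside 32-bit code.
SIGNATURES = {
    "01 BCHK/int 3":        rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    "02 back door magic":   rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a",
    "03/04 int 2Fh/1684h":  rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    "05 int 41h/4Fh":       rb"\x66?\xb8\x4f\x00\xcd\x41",
    "07 int 68h/43h":       rb"\xb4\x43\xcd\x68",
    "11 device name":       rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "12 VxDCall 002A002Ah": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    "13 registry key":      rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(buf):
    """Return sorted (offset, method) pairs for every signature found in buf."""
    hits = []
    for name, pattern in COMPILED.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not taken from any real program): NOPs, the
# method 01 check as a 32-bit packer stub would encode it, the Haspinst-style
# method 02 register setup in 16-bit code, then the MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"   # mov ebp, 04243484Bh  ('BCHK')
    + b"\x66\xb8\x04\x00"       # mov ax, 04h
    + b"\xcc"                   # int 3
    + b"\x3c\x04\x75\x10"       # cmp al,4 / jnz SoftICE_Detected
    + b"\xb8\x11\x09"           # mov ax, 0911h
    + b"\xbe\x47\x46"           # mov si, 4647h
    + b"\xbf\x4d\x4a"           # mov di, 4A4Dh
    + b"\xcc"                   # int 3
    + b"\\\\.\\SICE\x00"        # "\\.\SICE" as passed to CreateFileA
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {name}")
```

Signatures this short will also fire on plain data that happens to contain the same bytes, so treat a hit as a pointer to a place worth disassembling, not as proof by itself.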
% e1 h4 n' H: G9 q3 x# c7 ?</PRE></TD></TR></TBODY></TABLE> |