About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
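The BPX conditions given for Methods 09, 11, 12 and 13 catch these checks at run time under SoftICE; the scanner below is an added example (not code from the post) that does the same job statically, searching a file image for the immediates, opcodes and device/registry strings quoted in Methods 01 to 13. The byte encodings are my own derivation from the listed instructions, and the sample image is constructed.

```python
"""Static scanner for the anti-SoftICE checks described in this post.

Added example, not code from the post. Patterns are my own encodings of
the immediates, opcodes and strings quoted in Methods 01-13 (little-endian,
16-bit forms; a 66h prefix in 32-bit code still matches). Short, ambiguous
patterns count only when the whole group sits within WINDOW bytes, the way
a YARA rule correlates `@a - @b < N`."""
import re

WINDOW = 48  # max distance in bytes between the parts of one check

# "all": code fragments that must appear close together
# "any": device or registry strings, any one of which is enough
RULES = [
    {"method": "01", "label": "BoundsChecker 'BCHK' int 3 probe",
     "all": [b"\x4B\x48\x43\x42", b"\xCC"]},          # imm 4243484Bh, int 3
    {"method": "02", "label": "int 3 back-door, SI=4647h DI=4A4Dh",
     "all": [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"]},
    {"method": "03", "label": "int 2Fh/1684h, VxD ID 0202h (SICE)",
     "all": [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"]},
    {"method": "04", "label": "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     "all": [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"]},
    {"method": "05", "label": "int 41h/4Fh, magic 0F386h",
     "all": [b"\xB8\x4F\x00", b"\xCD\x41", b"\x86\xF3"]},
    {"method": "07", "label": "int 68h/43h, magic 0F386h",
     "all": [b"\xB4\x43", b"\xCD\x68", b"\x86\xF3"]},
    {"method": "11", "label": "MeltICE driver handle (CreateFileA/_lopen)",
     "any": [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]},
    {"method": "12", "label": "VxDCall VWIN32_Int41Dispatch, magic 0F386h",
     "all": [b"\x68\x2A\x00\x2A\x00", b"\x86\xF3"]},     # push 002A002Ah
    {"method": "13", "label": "SoftICE registry key lookup",
     "any": [rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE"]},
]

def _offsets(data, pattern):
    """Offsets of every (non-overlapping) occurrence of pattern."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]

def _correlated(data, patterns, window):
    """Offsets of patterns[0] near which every other pattern also occurs."""
    others = [_offsets(data, p) for p in patterns[1:]]
    return [a for a in _offsets(data, patterns[0])
            if all(any(abs(o - a) <= window for o in offs) for offs in others)]

def scan(data, window=WINDOW):
    """Return (method, offset, label) for each rule that fires, by offset."""
    hits = []
    for rule in RULES:
        if "all" in rule:
            offs = _correlated(data, rule["all"], window)
        else:
            offs = [o for p in rule["any"] for o in _offsets(data, p)]
        hits.extend((rule["method"], o, rule["label"]) for o in offs)
    return sorted(hits, key=lambda h: (h[1], h[0]))

# Constructed sample image: the Haspinst-style back-door loop from Method 02,
# a MeltICE device name, and a stray cmp ax,0F386h with no int 41h near it.
SAMPLE = (b"\x90" * 16
          + b"\xB8\x11\x09\x8B\x17"          # mov ax,0911h ; mov dx,[bx]
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov si,4647h ; mov di,4A4Dh ; int 3
          + b"\x00" * 64 + rb"\\.\SICE" + b"\x00"
          + b"\x00" * 64 + b"\x3D\x86\xF3")  # cmp ax,0F386h: not reported alone

if __name__ == "__main__":
    for method, offset, label in scan(SAMPLE):
        print(f"Method {method} at offset {offset:#06x}: {label}")
```

Tune WINDOW down if a packed image produces false hits; the 0F386h and int 3 fragments are two and one bytes long and are only meaningful in combination.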