<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP='BCHK'
and AX=04h, an INT 3 is serviced by SoftICE, which returns with AL modified
(cleared). Without SoftICE the INT 3 returns with AL still equal to 04h.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses
SoftICE's 'back door' commands, which give information on breakpoints or
execute SoftICE commands. It is also used to crash SoftICE and to force it
to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own exception
  handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first so that a missing VxD
reliably leaves 0000:0000 behind.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
6 ^; O0 T& c- T, VMethod 04
6 v7 Z, c0 e5 I9 N7 A=========
8 J) J# F, j! A! M3 A( \/ w: R6 d8 T3 o' r4 Z9 G
Method identical to the preceding one except that it seeks the ID of SoftICE# s% t3 V- W$ X* f5 z5 y/ x
GFX VxD.4 d" p% n8 u; `6 J. p& p# j
& a5 [3 {8 z& e( C
xor di,di
1 i& o9 _$ [+ f4 G- S$ k* o mov es,di
) v1 Y# l* B: s \5 v& C( n! x mov ax, 1684h
+ U. @ x. G% S mov bx, 7a5Fh ; VxD ID of SIWVID
6 \' j# K$ P: H5 |# w! t8 B( I int 2fh
9 D$ Z- c* U! ^! U7 P" J F Y, C mov ax, es ; ES:DI -> VxD API entry point
# v* b0 ^: |7 |4 m$ I, l7 @ add ax, di% y) S- Z4 N% `, g) Q$ L' q
test ax,ax
+ m, \) I$ P+ }* w: C jnz SoftICE_Detected# S% {+ x4 L, F
. J# a! K: g$ o& W__________________________________________________________________________+ P" [1 o. M5 m5 f% y2 b

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax,4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It installs a dummy INT 41h handler (a bare IRET) for the
duration of the call: without a debugger, the INT 41h vector normally points
at the fixed-disk parameter table rather than at code, so calling it blindly
can crash; SoftICE intercepts INT 41h itself, so it still answers 0F386h.

        xor ax,ax
        mov es,ax                       ; ES -> interrupt vector table (added: ES was not set in the original listing)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; swap in our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4Fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
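
The byte patterns behind Methods 01 to 05 can be found statically in a packed
file, the way a packer-signature scanner does. The following Python is an
added example (not part of the original text, nor code from any packer or
protector named here): it searches a raw code image for the 16-bit encodings
of the snippets above (an optional 66h prefix lets them match in 32-bit
segments as well). The sample image is constructed here by hand-assembling
the Haspinst.exe loop of Method 02 together with the Method 01, 03 and 05
snippets; the function and signature names are this example's own.

```python
import re

# Signatures as regexes over raw bytes: immediates are little-endian, an
# optional 66h operand-size prefix lets the 16-bit snippets match in 32-bit
# code too, and a few wildcard bytes allow register moves between the
# instructions the text shows (re.S so a wildcard also matches byte 0x0A).
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    ("bchk_int3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (the 'FG'/'JM' magic values)
    ("magic_fg_jm_int3",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 02: mov ax,0910h..0914h, the back-door function numbers
    ("backdoor_ax_091x", re.compile(rb"\xB8[\x10-\x14]\x09")),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("int2f_1684_vxd", re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("int41_4f_f386",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
]

SIGNATURE_METHOD = {
    "bchk_int3": "Method 01",
    "magic_fg_jm_int3": "Method 02",
    "backdoor_ax_091x": "Method 02",
    "int2f_1684_vxd": "Method 03/04",
    "int41_4f_f386": "Method 05",
}


def scan(image):
    """Return sorted (offset, signature_name) pairs for every hit in image."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(image):
    """Map the hits back to the method numbers used in this text."""
    return sorted({SIGNATURE_METHOD[name] for _, name in scan(image)})


# Constructed sample image (not a real file): 95h bytes of NOP padding so the
# Haspinst.exe loop of Method 02 sits at its listed offset 0095h, followed by
# hand-assembled copies of the Method 01, 03 and 05 snippets.
HASPINST_LOOP = bytes.fromhex(
    "B8 11 09"      # 0095 MOV AX,0911
    "8B 17"         # 0098 MOV DX,[BX]
    "BE 47 46"      # 009A MOV SI,4647
    "BF 4D 4A"      # 009D MOV DI,4A4D
    "CC"            # 00A0 INT 3
    "83 C3 02"      # 00A1 ADD BX,02
    "41"            # 00A4 INC CX
    "83 F9 06"      # 00A5 CMP CX,06
    "72 EB"         # 00A8 JB 0095
    "E9 55 FF"      # 00AA JMP 0002
    "8B DC"         # 00AD MOV BX,SP
)
BCHK_CHECK = bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 00")
INT2F_CHECK = bytes.fromhex("31 FF  8E C7  B8 84 16  BB 02 02  CD 2F  8C C0  03 C7  85 C0  75 00")
INT41_CHECK = bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 00")
SAMPLE_IMAGE = b"\x90" * 0x95 + HASPINST_LOOP + BCHK_CHECK + INT2F_CHECK + INT41_CHECK

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_IMAGE):
        print(f"{offset:04X}h  {name:18s} -> {SIGNATURE_METHOD[name]}")
```

Running it lists the Method 02 back-door call at 0095h (the offset shown in
the Haspinst.exe listing), followed by the BCHK, INT 2Fh/1684h and INT 41h/4Fh
checks appended after it. The wildcards are deliberately short: a protector
that spreads the magic-value loads far apart, or computes them at run time,
will not be caught by a static scan and has to be found with the breakpoints
described for each method.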
_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to spot. The
temporary handler copies AL into CL; if a system debugger intercepts INT 41h
the handler never runs and CL stays 0, so CL != AL reveals the debugger.
(AL is a byte read from the PIT counter at port 40h, so one time in 256 it
happens to be 0 and the check misses.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax                       ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; swap in our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; pseudo-random byte from PIT channel 0
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h and 25h (get/set interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: bit 10 of DR7 is always set, and 0x700 adds the LE and GE
exact-match bits) or whether memory breakpoints are set (DR0 to DR3, the
registers behind BPM), simply by reading their values (in ring 0 only).
The values can be manipulated or changed as well (clearing BPMs, for
instance).
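
An added example (not from the original text) that decodes the registers this
method reads, using the DR7 layout from the Intel manual: which of DR0 to DR3
are armed, with what type and length, why a bare 0x400 or 0x700 means no BPM
is set, and what "clearing BPMs" amounts to in DR7. The function names and
the sample register values are this example's own.

```python
# DR7 field layout (Intel SDM Vol. 3, "Debug Registers"): bits 0-7 alternate
# L0,G0,...,L3,G3; bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD;
# bits 16+4i..17+4i are R/Wi and bits 18+4i..19+4i are LENi for breakpoint i.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # 8 bytes is only valid in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its four breakpoint slots and its control bits."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        rw = dr7 >> (16 + 4 * i) & 3
        ln = dr7 >> (18 + 4 * i) & 3
        slots.append({"index": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint match
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint match
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: trap MOV DRx
    }


def armed_breakpoints(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return (slot, address, type, length) for every enabled breakpoint,
    i.e. every BPM a ring-0 reader would see in DR0..DR3."""
    addrs = (dr0, dr1, dr2, dr3)
    return [(s["index"], addrs[s["index"]], s["type"], s["length"])
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def debugger_hint(dr7):
    """The page's heuristic: 0x700 (LE+GE set, no slot enabled) is what the
    SoftICE loader leaves behind; 0x400 (only the reserved bit) is idle."""
    d = decode_dr7(dr7)
    if any(s["enabled"] for s in d["slots"]):
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "exact-match bits set, no BPM: SoftICE loader signature"
    return "idle"


def clear_breakpoints(dr7):
    """Drop every L/G enable and every R/W and LEN field (bits 0-7 and 16-31),
    keeping LE, GE, GD and the reserved bits 8-15 as they were."""
    return dr7 & 0x0000FF00


# Constructed sample (not captured from a machine): slot 0 enabled globally
# as a 4-byte write watch on 00401000h, plus the always-set bit 10.
SAMPLE_DR7 = 0x000D0402      # G0=1, R/W0=01 (write), LEN0=11 (4 bytes), bit 10
SAMPLE_DR0 = 0x00401000

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7):
        print(f"DR7={value:08X}: {debugger_hint(value)}")
    for slot, addr, kind, length in armed_breakpoints(SAMPLE_DR7, SAMPLE_DR0):
        print(f"  BPM slot {slot}: {kind} {length} byte(s) at {addr:08X}h")
```

Reading DR0-DR7 is a privileged operation (MOV from DRx faults in ring 3), so
a protector has to be in a VxD or use a ring-0 gate to run this check; that is
why the text restricts the method to ring 0, and why clearing BPMs from the
protected program's side is possible at all.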

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to intercept
it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
   (esp->4 is lpFileName; +4 skips the "\\.\" prefix so the comparison lands
   on the first four letters of the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

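As an added example (not MeltICE's or nmtrans.dll's code), here is the same
probe in Python via ctypes, covering the three driver names from the text. It
adds the check a practitioner wants: a CreateFile that fails with
ERROR_ACCESS_DENIED still proves the device exists, so the handle-only test of
the C sample above can miss a driver that refuses the open. The function
names are this example's own; on a non-Windows host the Win32 call is skipped
and the probe returns an empty result, while the decision logic and the
BPX-condition check are kept separate so they can be exercised anywhere.

```python
import ctypes
import sys

# Driver names from the text: SICE and SIWVID on Win9x, NTICE on WinNT.
SOFTICE_DEVICES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")

# Win32 constants used by the CreateFile call in the C sample above.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value    # all-ones pointer
ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ERROR_ACCESS_DENIED = 5


def matches_createfile_bpx(path):
    """What the text's 'BPX CreateFileA if *(esp->4+4)==...' condition tests:
    the four characters right after the '\\\\.\\' prefix against the driver tags."""
    return path[4:8] in ("SICE", "SIWV", "NTIC")


def classify_open_result(handle, last_error):
    """Turn a CreateFile outcome into 'present', 'absent' or 'unknown'.

    The C sample only checks the handle.  A device that exists but refuses
    the open fails with ERROR_ACCESS_DENIED and would be missed, so that
    error is treated as proof of presence here (this is the added refinement).
    """
    if handle != INVALID_HANDLE_VALUE:
        return "present"
    if last_error == ERROR_ACCESS_DENIED:
        return "present"
    if last_error in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND):
        return "absent"
    return "unknown"


def probe_softice_devices(names=SOFTICE_DEVICES):
    """Open each driver name with CreateFileW and classify the result.
    Returns {} on non-Windows hosts, where the Win32 call does not exist."""
    if sys.platform != "win32":
        return {}
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    results = {}
    for name in names:
        handle = k32.CreateFileW(name, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
        err = ctypes.get_last_error()
        results[name] = classify_open_result(handle, err)
        if handle != INVALID_HANDLE_VALUE:
            k32.CloseHandle(handle)
    return results


if __name__ == "__main__":
    found = probe_softice_devices()
    for name, verdict in found.items():
        print(f"{name}: {verdict}")
    print("SoftICE detected" if "present" in found.values() else "no SoftICE device")
```

The same probe shape (open a device name, treat access-denied as presence) is
what later anti-debugging and anti-VM code does with other driver names, so
the CreateFileA breakpoint above generalises: condition it on the device tag
you care about rather than on the full path.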
__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the subkey string; offset 0x13 falls on 'tICE' in key #2,
   "Software\NuMega\SoftICE", and 0x37 on 'tICE' in key #1,
   "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>