About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE emulates the BoundsChecker int 3 interface
    cmp     al,4                   ; al is left untouched when no SoftICE answers
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> real-mode IVT (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]; keeping the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our handler leaves ax alone; a debugger returns 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the timer
    xor     cx,cx
    int     41h             ; no function 4Fh, no 0F386h compare to break on
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our own handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
in the subkey strings of #2 and #1 respectively.)

__________________________________________________________________________


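The constants and strings Methods 01 to 13 rely on (the 'BCHK' signature, the 4647h/4A4Dh magic values, the VxD IDs, the 0F386h magic number, the driver device names and the registry keys) double as static indicators when triaging a sample. The following scanner is an added example, not code from the original post or from NuMega: it assumes the standard x86 encodings of the instructions quoted above, and the sample file image at the bottom is constructed.

```python
"""Static triage for the SoftICE checks in Methods 01-13 (added example).

Scans a raw file image for the constants and strings those methods rely on,
so an analyst can see which anti-debug checks a sample carries before running
it. Opcode patterns are the standard x86 encodings of the instructions quoted
in the text (immediates little-endian); the sample image below is constructed.
"""
import re
from collections import defaultdict

# (method number in the text, description, regex over the raw bytes)
INDICATORS = [
    (1,  "BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)", rb"\xBD\x4B\x48\x43\x42"),
    (2,  "back door magic SI=4647h (mov si,4647h)", rb"\xBE\x47\x46"),
    (2,  "back door magic DI=4A4Dh (mov di,4A4Dh)", rb"\xBF\x4D\x4A"),
    (3,  "int 2Fh/1684h on VxD ID 0202h, SICE (mov bx,0202h)", rb"\xBB\x02\x02"),
    (4,  "int 2Fh/1684h on VxD ID 7A5Fh, SIWVID (mov bx,7A5Fh)", rb"\xBB\x5F\x7A"),
    (5,  "int 41h function 4Fh (mov ax,4Fh / int 41h)", rb"\xB8\x4F\x00\xCD\x41"),
    (5,  "debugger magic 0F386h (cmp ax,0F386h; also Methods 07/12)", rb"\x3D\x86\xF3"),
    (7,  "int 68h function 43h (mov ah,43h / int 68h)", rb"\xB4\x43\xCD\x68"),
    (11, "MeltICE driver device name", rb"(?i)\\\\\.\\(SICE|SIWVID|NTICE)"),
    (12, "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)", rb"\x68\x2A\x00\x2A\x00"),
    (13, "SoftICE registry key", rb"(?i)(NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe"),
]

def scan(image):
    """Return {method: [(offset, description), ...]} for every indicator found."""
    hits = defaultdict(list)
    for method, desc, pattern in INDICATORS:
        for m in re.finditer(pattern, image):
            hits[method].append((m.start(), desc))
    return dict(hits)

def methods_found(image):
    """Sorted list of method numbers whose indicators occur in the image."""
    return sorted(scan(image))

def report(image):
    """One line per hit, e.g. 'Method 02 @ 0x0015: back door magic SI=4647h ...'."""
    return [f"Method {method:02d} @ 0x{offset:04X}: {desc}"
            for method, found in sorted(scan(image).items())
            for offset, desc in found]

# Constructed sample image: the Method 02 loop from the text assembled by hand,
# the Method 05 check, then a MeltICE device name and a registry key string.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xB8\x11\x09"             # mov ax,0911h  (execute SIce command)
    + b"\x8B\x17"                 # mov dx,[bx]
    + b"\xBE\x47\x46"             # mov si,4647h
    + b"\xBF\x4D\x4A"             # mov di,4A4Dh
    + b"\xCC"                     # int 3
    + b"\xB8\x4F\x00\xCD\x41"     # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"             # cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no SoftICE detection indicators found")
```

A hit on an opcode pattern is a lead, not proof: three bytes such as BE 47 46 can occur in data, so confirm each offset in a disassembler before labelling the sample.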
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>