<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
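The two DR7 values quoted above are easier to reason about once the register's bit layout is spelled out. The following decoder is an added example written for this page, not code from the original text or from SoftICE: it takes a DR7 value that has already been read (which, as the text says, needs ring 0) and reports the LE/GE/GD flags plus which of DR0..DR3 are armed, with their access type and length, so a hypervisor or forensic tool can tell a loader-set 0x700 from a clean 0x400 and count BPM-style breakpoints. The struct names, decode_dr7 and the sample values are assumptions of this example; the field positions follow the Intel SDM description of DR7.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of the original text. DR7 layout (Intel SDM):
 *   bit 0+2i : Li   local enable for breakpoint i
 *   bit 1+2i : Gi   global enable for breakpoint i
 *   bit 8    : LE   local exact breakpoint match (set by debuggers)
 *   bit 9    : GE   global exact breakpoint match
 *   bit 10   : reserved, always reads as 1 (this is the 0x400 baseline)
 *   bit 13   : GD   general detect (trap on any access to DR0-DR7)
 *   bit 16+4i: R/Wi 00 execute, 01 write, 11 read/write
 *   bit 18+4i: LENi 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit)
 */

struct dr7_bp {
    int local;      /* Li set */
    int global;     /* Gi set */
    int rw;         /* raw R/W field */
    int len_bytes;  /* decoded LEN field */
};

struct dr7_info {
    struct dr7_bp bp[4];
    int le, ge, gd;
    int enabled_count;  /* how many of DR0..DR3 are armed (local or global) */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_table[4] = {1, 2, 8, 4};  /* indexed by LEN field */
    struct dr7_info info = {0};
    for (int i = 0; i < 4; i++) {
        info.bp[i].local     = (dr7 >> (2 * i)) & 1;
        info.bp[i].global    = (dr7 >> (2 * i + 1)) & 1;
        info.bp[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        info.bp[i].len_bytes = len_table[(dr7 >> (18 + 4 * i)) & 3];
        if (info.bp[i].local || info.bp[i].global)
            info.enabled_count++;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* Constructed sample values: the two quoted in the text, plus one with a
 * 4-byte read/write breakpoint armed in DR0 (what a BPM leaves behind). */
static const uint32_t sample_clean   = 0x400;
static const uint32_t sample_loader  = 0x700;
static const uint32_t sample_bpm_rw4 = 0x400 | 0x1 | (3u << 16) | (3u << 18);

static void describe(const char *label, uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    printf("%s DR7=0x%08x LE=%d GE=%d GD=%d armed=%d\n",
           label, dr7, d.le, d.ge, d.gd, d.enabled_count);
    for (int i = 0; i < 4; i++)
        if (d.bp[i].local || d.bp[i].global)
            printf("  DR%d: %s rw=%d len=%d\n", i,
                   d.bp[i].global ? "global" : "local",
                   d.bp[i].rw, d.bp[i].len_bytes);
}

int main(void)
{
    describe("clean ", sample_clean);
    describe("loader", sample_loader);
    describe("bpm   ", sample_bpm_rw4);
    return 0;
}
```

Note that 0x700 is simply 0x400 with LE and GE added; neither value arms a breakpoint, which is why the text distinguishes the loader check (dr7) from the BPM check (dr0 to dr3 plus the enable bits).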

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver answers on its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
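Every method above leaves a fixed immediate, interrupt number or string in the code, which is what an analyst triaging a packed sample looks for first. The following static scanner is an added example written for this page, not code from the original text or from any of the tools it names: it walks a raw code image and reports the byte sequences of Methods 01, 02, 03/04, 05, 07 and 12 together with the device names of Method 11 and the registry key of Method 13. The instruction encodings are the standard x86 ones for the instructions listed (16-bit DOS forms for Methods 02, 03, 05 and 07), the signature names, scan_anti_softice and the sample buffer are assumptions of this example, and a mask byte of 0x00 marks a wildcard position (the VxD id in Method 03/04).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original text: static triage scanner for
 * the SoftICE-detection sequences catalogued in this document. */

struct sig {
    const char    *name;   /* which method of the document the pattern belongs to */
    const uint8_t *pat;    /* bytes to match */
    const uint8_t *mask;   /* 0xFF = must match, 0x00 = wildcard */
    size_t         len;
};

/* Method 01:    mov ebp,4243484Bh ('BCHK')               -> BD 4B 48 43 42 */
static const uint8_t m01_p[] = {0xBD, 0x4B, 0x48, 0x43, 0x42};
static const uint8_t m01_m[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
/* Method 02:    mov si,4647h ; mov di,4A4Dh              -> BE 47 46 BF 4D 4A */
static const uint8_t m02_p[] = {0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A};
static const uint8_t m02_m[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
/* Method 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh -> B8 84 16 BB ?? ?? CD 2F */
static const uint8_t m03_p[] = {0xB8, 0x84, 0x16, 0xBB, 0x00, 0x00, 0xCD, 0x2F};
static const uint8_t m03_m[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF};
/* Method 05:    mov ax,4Fh ; int 41h                     -> B8 4F 00 CD 41 */
static const uint8_t m05_p[] = {0xB8, 0x4F, 0x00, 0xCD, 0x41};
static const uint8_t m05_m[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
/* Method 07:    mov ah,43h ; int 68h                     -> B4 43 CD 68 */
static const uint8_t m07_p[] = {0xB4, 0x43, 0xCD, 0x68};
static const uint8_t m07_m[] = {0xFF, 0xFF, 0xFF, 0xFF};
/* Method 12:    push 002A002Ah (VWIN32_Int41Dispatch)    -> 68 2A 00 2A 00 */
static const uint8_t m12_p[] = {0x68, 0x2A, 0x00, 0x2A, 0x00};
static const uint8_t m12_m[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF};

static const struct sig sigs[] = {
    {"Method 01 (mov ebp,'BCHK')",        m01_p, m01_m, sizeof m01_p},
    {"Method 02 (int 3 magic SI/DI)",     m02_p, m02_m, sizeof m02_p},
    {"Method 03/04 (int 2Fh/1684h)",      m03_p, m03_m, sizeof m03_p},
    {"Method 05 (int 41h/4Fh)",           m05_p, m05_m, sizeof m05_p},
    {"Method 07 (int 68h/43h)",           m07_p, m07_m, sizeof m07_p},
    {"Method 12 (VxDCall Int41Dispatch)", m12_p, m12_m, sizeof m12_p},
};

/* Methods 11 and 13: plain ASCII strings the text lists. */
static const char *const strs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "Software\\NuMega\\SoftICE",
};

struct hit { const char *name; size_t offset; };

static int match_at(const uint8_t *buf, size_t len, size_t off, const struct sig *s)
{
    if (off + s->len > len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if ((buf[off + i] ^ s->pat[i]) & s->mask[i]) return 0;
    return 1;
}

/* Scans buf and fills up to max hits (name + offset). Returns the hit count. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++) {
        for (size_t k = 0; k < sizeof sigs / sizeof sigs[0] && n < max; k++)
            if (match_at(buf, len, off, &sigs[k]))
                out[n++] = (struct hit){sigs[k].name, off};
        for (size_t k = 0; k < sizeof strs / sizeof strs[0] && n < max; k++) {
            size_t sl = strlen(strs[k]);
            if (off + sl <= len && memcmp(buf + off, strs[k], sl) == 0)
                out[n++] = (struct hit){strs[k], off};
        }
    }
    return n;
}

/* Constructed sample image: two nops, the Method 01 prologue, a 32-bit
 * "mov ax,4 ; int 3", the Method 03 check for VxD id 0202h, a device name. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,                    /* mov ebp,'BCHK'         */
    0x66, 0xB8, 0x04, 0x00, 0xCC,                    /* mov ax,4 ; int 3       */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* int 2Fh/1684h, bx=0202 */
    0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00, /* "\\.\SICE"             */
    0x90,
};

int main(void)
{
    struct hit hits[16];
    size_t n = scan_anti_softice(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%04zx: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

The patterns are deliberately short, so on a real image expect occasional false positives (a bare `B8 4F 00 CD 41` can also occur in unrelated 16-bit code); treat a hit as a place to set a breakpoint or read the disassembly, as the BPX lines in this document do, not as proof by itself.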


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>