About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when SoftICE is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
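As an added example (not part of the original post), a small static scanner that flags the byte patterns of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a binary image, the kind of check an analyst runs over a packed sample before loading it. The opcode encodings and the constructed SAMPLE buffer are my assumptions; it goes beyond the text by covering several methods in one pass.

```python
import re
from typing import List, Tuple

# Byte-level signatures for the tricks described above. Opcode encodings are
# my assumption: 16-bit code for the DOS/V86 tricks (B8/BB/BE/BF = mov
# ax/bx/si/di, imm16 little-endian; CD xx = int xx; 3D = cmp ax,imm16) and
# 32-bit code for the Win32 ones (6A/68 = push imm8/imm32). A 66h operand-size
# prefix in front of a mov does not break the match.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    # Method 01: 'BCHK' loaded into EBP, then int 3 within a few bytes.
    ("01", "mov ebp,'BCHK' ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    # Method 02: the SI=4647h / DI=4A4Dh magic values of the int 3 back door.
    ("02", "mov si,4647h ; mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    # Methods 03/04: int 2Fh/1684h with the SICE or SIWVID VxD id in BX.
    ("03", "int 2Fh/1684h, bx=0202h", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h, bx=7A5Fh", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: int 41h/4Fh followed by a compare against 0F386h.
    ("05", "int 41h ax=4Fh ; cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3"),
    # Method 07: int 68h/43h.
    ("07", "int 68h ah=43h", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen.
    ("11", r"device name \\.\SICE, \\.\SIWVID or \\.\NTICE",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah before the VxDCall.
    ("12", "push 4Fh ; push 002A002Ah",
     rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the SoftICE registry key.
    ("13", r"registry key Software\NuMega\SoftICE", rb"Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample (not a real binary): encoded fragments of the tricks
# above, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 02: mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # 03: mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"          # 05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\\\\.\\SICE\x00"                                   # 11: "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # 12: push 4Fh; push 2A002Ah
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```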