<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 when no SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...keeping the old vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; ax still 4fh if our handler ran, 0F386h if a debugger answered
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; record that our handler really ran
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value read from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS Set Interrupt Vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name the SoftICE VxD answers to under Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01         ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
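As an added example (not part of the original text), the Python below models the byte compares behind the CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint above, so the 0x13/0x37 offsets can be checked without SoftICE. The device names and registry keys are the ones quoted on the page; it assumes the subkey reaches RegOpenKey without the HKEY_LOCAL_MACHINE root, which is what those offsets imply.

```python
# Added example: models the SoftICE conditional breakpoints
#   BPX CreateFileA if *(esp->4+4)=='SICE' || ... =='SIWV' || ... =='NTIC'
#   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
# as plain byte compares. Assumption: lpSubKey is passed without the
# HKEY_LOCAL_MACHINE root, which is what the 0x13/0x37 offsets imply.

DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")   # the 4-byte literals in the BPX
REGKEY_OFFSETS = (0x13, 0x37)               # 'tICE' positions in keys #2 and #1


def dword_at(buf: bytes, offset: int) -> bytes:
    """The 4 bytes a SoftICE *(addr)=='XXXX' compare reads, or b'' if out of range."""
    if offset < 0 or offset + 4 > len(buf):
        return b""
    return buf[offset:offset + 4]


def createfile_bpx_fires(filename: bytes) -> bool:
    """esp->4 is lpFileName; +4 skips the '\\\\.\\' prefix and lands on the device name."""
    return dword_at(filename, 4) in DEVICE_TAGS


def regopenkey_bpx_fires(subkey: bytes) -> bool:
    """esp->8 is lpSubKey; the BPX only probes the two offsets, not the whole string."""
    return any(dword_at(subkey, off) == b"tICE" for off in REGKEY_OFFSETS)


def tice_offset(subkey: bytes) -> int:
    """Where 'tICE' sits in a subkey (-1 if absent); this is how 0x13/0x37 were derived."""
    return subkey.find(b"tICE")


# Constructed sample arguments, taken from the names and keys quoted on the page.
MELTICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")
KEY1 = b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
KEY2 = b"Software\\NuMega\\SoftICE"
KEY3 = b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"

if __name__ == "__main__":
    for name in MELTICE_NAMES:
        print(name, "->", createfile_bpx_fires(name))
    for key in (KEY1, KEY2, KEY3):
        print(key, "-> 'tICE' at", hex(tice_offset(key)), "fires:", regopenkey_bpx_fires(key))
```

Key #3 has no 'tICE' at either offset, so the _regopenkey breakpoint above does not fire for a program that only reads the Loader32.Exe App Paths entry.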
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>