About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

2 C" {& f- m0 o5 F__________________________________________________________________________
: ~8 l& R9 ^) r' M* h
( R7 O, @# p7 q
* `8 f0 a+ z8 T9 w+ b+ o; R0 a" I, @Method 05
) P* u& n  H! v6 y# O=========
% W: ^/ [/ G- q% x
  }. o) h/ ~/ O# QMethod seeking the 'magic number' 0F386h returned (in ax) by all system# I& W5 O7 p: K& m: Y( }% F
debugger. It calls the int 41h, function 4Fh.
# P/ ]0 y8 O4 e  H. B& z4 v* LThere are several alternatives.  
0 Y8 v; c, T8 b) X
$ p! }6 d0 W3 @6 l; nThe following one is the simplest:4 u7 f+ j8 {1 D9 {. `% H

3 J" A) O+ X4 K* ~8 h    mov     ax,4fh
$ x' k0 D" r6 d' y& t2 T    int     41h
( M: r! i; m8 e5 E2 ?    cmp     ax, 0F386
6 G0 H1 u6 h& u2 }1 ?* \" X. w    jz      SoftICE_detected" @1 p* `, N4 r6 _
2 {( K8 W7 I7 H! J0 Y' }

! Q3 A7 a* [/ K2 oNext method as well as the following one are 2 examples from Stone's
) _  w6 a* a' K  ^4 H$ n  `9 B"stn-wid.zip" (www.cracking.net):# d+ ~* |6 r8 H. Z& p! ~  P1 i
% d5 e, r2 S" l% p+ R
    mov     bx, cs4 k# }" d% [, x3 C/ o( C
    lea     dx, int41handler2
+ Q* @8 v6 {$ T) }    xchg    dx, es:[41h*4]
; j' o4 w; A. n, m: ?" f    xchg    bx, es:[41h*4+2], Z" S) e5 p% i( c# T: s  a
    mov     ax,4fh
3 ]* e- {/ C6 V4 r" x    int     41h
$ v5 I) |. x9 F' J; g. Q0 ^    xchg    dx, es:[41h*4]
! e$ r& u& P+ N# k, V+ b" Q, D    xchg    bx, es:[41h*4+2]( o( s9 Q' O2 j# U& G
    cmp     ax, 0f386h
7 U: J3 w$ K8 X8 I. o* q    jz      SoftICE_detected
5 u/ |8 S9 H5 j+ Y
7 M( n( x7 k! e. Jint41handler2 PROC8 v8 c8 l4 Y; a5 j
    iret
- N4 z1 \" L8 J: X. rint41handler2 ENDP" z9 T/ @3 E2 F- Q  n8 d
( l! U6 Y$ ^  Y( t

6 e( R6 ?5 m; {( J0 J_________________________________________________________________________
4 u' m% G4 s4 D# |
1 Z1 T# [/ @: q0 a; }% U" L
- a5 g1 W, g: @Method 06
- S7 l* S( N7 d1 k0 d: z=========
- O2 H: q! ^" x2 d. g
4 M4 C9 W$ u# v, u7 w8 |' s# K) u2 e$ L8 T7 S
2nd method similar to the preceding one but more difficult to detect:
' q3 d/ {3 D) t8 O! H/ o" a) F& ^) v9 }# R: I  s2 N6 @, O, j

  C( m3 S! W8 Cint41handler PROC
2 Q1 C5 O6 N* Q% [    mov     cl,al
8 n! H) T6 G8 j    iret) k! q1 G- m+ T8 ^
int41handler ENDP  p  Q1 a4 a% V( O5 N1 S
5 B( a$ I, q+ w6 W$ o
, X' j" Z$ E4 M1 E& X$ w
    xor     ax,ax4 y6 `5 N3 J$ V; Z: p! i1 n' ~
    mov     es,ax
; F& m; r# V9 m; l! {% Q, h    mov     bx, cs
+ C4 C$ ]. i& P" m5 N( d2 h* d1 W    lea     dx, int41handler8 E8 G# r; M, W7 c3 C: R! v0 `
    xchg    dx, es:[41h*4]6 J0 W0 u# J$ e$ ?5 R9 u
    xchg    bx, es:[41h*4+2]5 r' _1 e/ u; X: T
    in      al, 40h% X- p1 w3 a4 [% M
    xor     cx,cx
9 Z1 `3 L  }6 M& ^    int     41h
8 z6 Z9 ^( f4 |. x: Z& f2 w    xchg    dx, es:[41h*4]
+ f" S8 O& e2 _. L/ `    xchg    bx, es:[41h*4+2]7 @8 n- W8 d0 _, ^# R* u+ d# d8 p$ k
    cmp     cl,al( |# [# |* C) C" E& R
    jnz     SoftICE_detected
3 A+ y8 ]  N4 u
; x% v- j  Z; M5 k* b/ M0 N_________________________________________________________________________
2 s& H9 }# K1 z/ [1 `. T. {4 p) {6 t. n
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
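Added example, not part of the original text and not NuMega's or any packer's code: a small static scanner that looks for the byte encodings of the checks from methods 01, 02, 03/04, 05, 11, 12 and 13 in a raw code/data buffer (a packer stub, a DOS .COM file, an unpacked section), which is how an analyst triages a protected binary before stepping through it. The signature table, the function names and the sample buffer are assumptions constructed here; the buffer embeds the Haspinst-style method 02 sequence, a 32-bit BCHK check and a MeltICE device name.

```python
"""Static scanner for the anti-SoftICE checks described above (added example)."""

# Method name: alternative byte patterns.  Encodings are standard x86:
# B8+r imm = mov r16/r32, imm; BE/BF = mov si/di, imm16; CD xx = int xx;
# 66 is the operand-size prefix (16-bit register inside 32-bit code).
SIGNATURES = {
    # 01: mov ebp,'BCHK' (BoundsChecker interface, used by Win32 packers)
    "m01_bchk": [bytes.fromhex("BD4B484342")],
    # 02: mov si,4647h / mov di,4A4Dh (back door magic values, 16-bit code)
    "m02_backdoor_magic": [bytes.fromhex("BE4746BF4D4A")],
    # 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh (16-bit code)
    "m03_int2f_sice": [bytes.fromhex("B88416BB0202CD2F")],
    "m04_int2f_siwvid": [bytes.fromhex("B88416BB5F7ACD2F")],
    # 05: mov ax,4Fh / int 41h (16-bit code)
    "m05_int41_4f": [bytes.fromhex("B84F00CD41")],
    # 11: device names opened by MeltICE-style checks (CreateFileA/_lopen)
    "m11_meltice": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    # 12: push 4Fh / push 002A002Ah before VxDCall (VWIN32_Int41Dispatch)
    "m12_vxdcall_int41": [bytes.fromhex("6A4F682A002A00")],
    # 13: registry path probed to locate the SoftICE installation
    "m13_registry": [b"Software\\NuMega\\SoftICE"],
}


def scan(buf):
    """Return every hit as a sorted list of (offset, method) tuples."""
    hits = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            pos = buf.find(pat)
            while pos != -1:
                hits.append((pos, name))
                pos = buf.find(pat, pos + 1)
    return sorted(hits)


def methods_found(buf):
    """Distinct methods present in buf, as a sorted list of names."""
    return sorted({name for _, name in scan(buf)})


# Constructed sample: filler around three checks taken from the text,
# the Haspinst.exe back door loop (method 02), a 32-bit BCHK check
# (method 01) and a MeltICE device name (method 11).
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("B81109")          # mov ax,0911h   (execute command)
    + bytes.fromhex("8B17")            # mov dx,[bx]
    + bytes.fromhex("BE4746BF4D4A")    # mov si,4647h / mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 4
    + bytes.fromhex("BD4B484342")      # mov ebp,'BCHK'
    + bytes.fromhex("66B80400CC3C04")  # mov ax,4 / int 3 / cmp al,4
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:06x}  {name}")
```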


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>