<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WINICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). It swaps its own empty handler into
the int 41h vector for the duration of the call, so that only a debugger which
intercepts int 41h below the interrupt vector table (as SoftICE does) can
return the magic value:

    xor ax,ax
    mov es,ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect,
because it never compares ax with the 0F386h magic value: it reads the timer
port into al, calls int 41h with cx cleared, and then checks whether its own
handler (which copies al into cl) was the one that actually ran:

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed:

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

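The following Python scanner is an added example; it is not code from the
original text nor from any of the packers or programs it describes. It turns
the instruction sequences of Methods 01, 02, 05, 07 and 12 into byte patterns
(the x86 encodings of mov ebp,4243484Bh / int 3; mov si,4647h / mov di,4A4Dh;
mov ax,4Fh / int 41h / cmp ax,0F386h; mov ah,43h / int 68h / cmp ax,0F386h;
and push 4Fh / push 002A002Ah) and reports where they occur in a file image,
which is how an analyst triages a packed sample for these checks before
stepping through it. The sample image is hand-assembled for this example, and
the optional 66h operand-size prefix is an assumption that lets one pattern
cover both 16-bit code and 32-bit code using 16-bit registers.

```python
"""Static triage scanner for the anti-SoftICE sequences of Methods 01, 02, 05,
07 and 12.  Added example (not from the original text): it matches the raw
x86 encodings of those sequences in a file image and reports offset and
method for every hit."""
import re
import sys

# (label, byte regex).  The optional 0x66 operand-size prefix lets one pattern
# match 16-bit code and 32-bit code using 16-bit registers: 'mov ax, 0911h' is
# B8 11 09 in 16-bit code and 66 B8 11 09 in 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK'), a few bytes (mov ax, 4), int 3
    ("01 BoundsChecker 'BCHK' / int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si, 4647h and mov di, 4A4Dh (back door magic values),
    # accepted in either order
    ("02 back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"
                rb"|(?:\x66)?\xBF\x4D\x4A(?:\x66)?\xBE\x47\x46", re.DOTALL)),
    # Method 05: mov ax, 4Fh ; int 41h ; cmp ax, 0F386h
    ("05 int 41h/4Fh debugger check",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah, 43h ; int 68h ; cmp ax, 0F386h
    ("07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68(?:\x66)?\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
]


def scan(image):
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(image):
    """Return the set of method numbers ('01', '02', ...) whose signature is present."""
    return {label[:2] for _, label in scan(image)}


# Constructed sample image (hand-assembled for this example, not from any real
# file): a 16-bit Haspinst-style Method 02 sequence, a 32-bit Method 01
# sequence and a Method 12 VxDCall sequence, separated by NOP padding.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax, 0911h      (execute SoftICE command)
    + b"\x8B\x17"                # mov dx, [bx]
    + b"\xBE\x47\x46"            # mov si, 4647h      (Method 02 hit at offset 9)
    + b"\xBF\x4D\x4A"            # mov di, 4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp, 4243484Bh (Method 01 hit at offset 20)
    + b"\x66\xB8\x04\x00"        # mov ax, 4          (0x66 prefix: 32-bit code)
    + b"\xCC"                    # int 3
    + b"\x3C\x04"                # cmp al, 4
    + b"\x90" * 4
    + b"\x6A\x4F"                # push 4Fh           (Method 12 hit at offset 36)
    + b"\x68\x2A\x00\x2A\x00"    # push 002A002Ah
    + b"\x90" * 4
)

if __name__ == "__main__":
    # Usage: python scanner.py FILE   (defaults to the constructed sample image)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for offset, label in scan(data):
        print(f"{offset:08x}  Method {label}")
```

A hit only says that the sequence is present in the image, not that it is
reached; packed or self-modifying code has to be dumped after unpacking before
the scan means anything, and an unusual register allocation (for example loading
di before si in Method 02) is covered only as far as the pattern allows.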
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
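
The following Python classifier is an added example; it is not code from the
original text nor from MeltICE. It reads an API trace of the kind an analyst
captures under a sandbox or API monitor and flags the two host-level indicators
that this method and Method 11 leave behind: opens of the \\.\SICE, \\.\SIWVID
and \\.\NTICE device names through CreateFileA or _lopen, and opens of the
three SoftICE registry keys listed above. The trace line format and the sample
lines are constructed for this example.

```python
"""Classifier for the host-level traces left by Methods 11 and 13: opens of
the SoftICE driver device names through CreateFileA or the 16-bit _lopen,
and reads of the SoftICE registry keys.  Added example, not from the original
text; the trace line format is an assumption made for this example."""
import re

# Device names probed by MeltICE-style checks (Method 11), compared case-insensitively.
DEVICE_NAMES = {
    r"\\.\SICE": "SICE (Win9x)",
    r"\\.\SIWVID": "SIWVID (Win9x video driver)",
    r"\\.\NTICE": "NTICE (WinNT)",
}
# Registry keys listed under Method 13, normalised to lower case for comparison.
REGISTRY_KEYS = {key.lower() for key in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)}
OPEN_APIS = {"CreateFileA", "CreateFileW", "_lopen", "OpenFile"}
REG_APIS = {"RegOpenKeyA", "RegOpenKeyExA", "RegOpenKeyW", "RegOpenKeyExW"}
INVALID_HANDLE_VALUE = 0xFFFFFFFF  # same bit pattern as HFILE_ERROR (-1) from _lopen

# Assumed trace line format:  PID API("first string argument") -> RETURN_VALUE
LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<api>\w+)\("(?P<arg>[^"]*)"\)\s*->\s*(?P<ret>\S+)$')


def parse_line(line):
    """Split one trace line into (pid, api, argument, return value); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("pid"), m.group("api"), m.group("arg"), int(m.group("ret"), 0)


def classify(trace_text):
    """Return one finding per trace line that probes for SoftICE.

    'probe_succeeded' records whether the open or key lookup returned success,
    i.e. whether the probing program would have concluded that SoftICE is present."""
    findings = []
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, arg, ret = parsed
        if api in OPEN_APIS and arg.upper() in DEVICE_NAMES:
            findings.append({"line": lineno, "pid": pid, "method": 11, "api": api,
                             "indicator": DEVICE_NAMES[arg.upper()],
                             "probe_succeeded": ret != INVALID_HANDLE_VALUE})
        elif api in REG_APIS:
            # Accept the HKLM abbreviation as well as the full hive name.
            key = re.sub(r"^hklm\\", r"hkey_local_machine\\", arg.lower())
            if key in REGISTRY_KEYS:
                findings.append({"line": lineno, "pid": pid, "method": 13, "api": api,
                                 "indicator": arg,
                                 "probe_succeeded": ret == 0})  # ERROR_SUCCESS
    return findings


def suspicious_pids(findings):
    """Return the set of pids that probed for SoftICE by either method."""
    return {f["pid"] for f in findings}


# Constructed sample trace (made up for this example) in the assumed format.
SAMPLE_TRACE = r"""
1234 CreateFileA("C:\app\config.ini") -> 0x5C
1234 CreateFileA("\\.\SICE") -> 0xFFFFFFFF
1234 CreateFileA("\\.\NTICE") -> 0x60
1234 RegOpenKeyExA("HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE") -> 2
1234 _lopen("\\.\siwvid") -> 0xFFFFFFFF
1234 RegOpenKeyExA("HKLM\Software\Microsoft\Windows\CurrentVersion\Run") -> 0
""".strip()

if __name__ == "__main__":
    for f in classify(SAMPLE_TRACE):
        print(f"line {f['line']}: pid {f['pid']} Method {f['method']:02d} via {f['api']} "
              f"-> {f['indicator']} (probe succeeded: {f['probe_succeeded']})")
```

The return value matters as much as the name: a failed open of \\.\SICE
tells you the program looked, while a successful one tells you it also found
the driver, which is the point at which the protected code takes the
'detected' branch shown in the listings above.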
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>