About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must be 0 (the IVT segment), as set in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
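Added example (not part of the original post or of any tool it names): a small Python scanner that looks for the byte patterns of the instruction sequences and strings quoted in methods 01-05, 07, 11 and 13 above, the way an analyst triages a packed binary for anti-debugging checks before loading it in a debugger. The instruction encodings, the signature names and the sample buffer are assumptions of this example, not taken from the text.

```python
import re
import sys

# Optional 0x66 operand-size prefix: the 16-bit MOVs quoted in the text carry it
# inside 32-bit code and lack it inside 16-bit DOS code.
P66 = rb"\x66?"

# Byte patterns for the sequences quoted in the methods above. Encodings are
# assumed from the x86 opcode map (B8+r mov r16/32,imm; B4 mov ah,imm8;
# CC int 3; CD xx int xx; 3C cmp al,imm8), not taken from the post.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    "01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42" + P66 + rb"\xB8\x04\x00\xCC\x3C\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh followed within 16 bytes by int 3
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        re.compile(P66 + rb"\xBE\x47\x46" + P66 + rb"\xBF\x4D\x4A.{0,16}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD lookup (SICE or SIWVID)":
        re.compile(P66 + rb"\xB8\x84\x16" + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh debugger check":
        re.compile(P66 + rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h V86 check":
        re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: the three registry keys listed in the text
    "13 SoftICE registry key":
        re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
                   rb"\\(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
}

def scan(data: bytes):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

def methods_found(data: bytes):
    """Just the method numbers that matched, e.g. {'01', '03/04'}."""
    return {name.split()[0] for _, name in scan(data)}

# Constructed sample (not a real executable): the byte sequences above
# separated by NOPs, so the scanner can be tried offline.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 + jnz
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # method 03, 16-bit
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41"                                   # method 05, 32-bit
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                            # method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(blob):
        print(f"0x{off:08X}  {name}")
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample; a hit only means the sequence is present, so confirm in a disassembler that it sits in reachable code.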