<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; BoundsChecker interface handled by SoftICE
    cmp al,4                ; if SoftICE answered, al is no longer 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must point to segment 0 (the real-mode IVT), as in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0, the real-mode IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: an unpredictable value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS Set Interrupt Vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
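To make the dr7 values quoted above concrete, here is an added Python decoder (not part of the original text) that splits a DR7 value into its LE/GE/reserved bits and the four BPM slots, following the Intel debug-register layout; the BPM value it decodes is a constructed sample.

```python
"""Decode DR7 as seen by the Method 10 check (added example, not original text).

DR7 layout (Intel SDM): bits 0-7 are the L0/G0 .. L3/G3 enable pairs for
DR0-DR3, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads 1,
and bits 16-31 hold the R/W and LEN fields of the four breakpoints.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 10 (8 bytes) is 64-bit only


def decode_dr7(dr7: int) -> dict:
    """Return the control bits and the list of armed hardware breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"reg": f"dr{i}",
                        "scope": "global" if glob else "local",
                        "kind": RW_KIND[rw],
                        "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100),
            "ge": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400),
            "breakpoints": bps}


def classify(dr7: int) -> str:
    """Apply the rule stated in Method 10: 0x400 is just the always-set
    reserved bit, 0x700 adds LE and GE (set by the SoftICE loader), and any
    enabled slot means a BPM is armed."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM set)"
    if d["le"] and d["ge"]:
        return "SoftICE loader (dr7=0x700)"
    return "clean (dr7=0x400)"


if __name__ == "__main__":
    # Constructed sample: a global 4-byte write breakpoint in dr0
    # (G0 | RW0=01 | LEN0=11 | reserved bit 10) = 0xD0402.
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), classify(value), decode_dr7(value)["breakpoints"])
```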

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>