<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE's INT 3 handler
services: if nobody answers the request, AL is still 4 afterwards.

    mov  ebp, 04243484Bh      ; 'BCHK' - BoundsChecker signature
    mov  ax, 04h              ; BoundsChecker request code
    int  3                    ; SoftICE answers the request and changes AL
    cmp  al, 4                ; AL unchanged -> nobody handled it
    jnz  SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' interface reached through INT 3, which returns
information on breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the functions:
 -AX = 0910h (Display string in the SoftICE window)
 -AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h  ('FG')
 -DI = 4A4Dh  ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911     ; execute command.
    4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647     ; 1st magic value.
    4C19:009D MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT  3           ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
    4C19:00A8 JB   0095        ; 6 different commands.
    4C19:00AA JMP  0002        ; Bad_Guy: jump back.
    4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD API entry point via
int 2Fh/1684h (Get VxD API entry point): a loaded VxD returns a non-null
ES:DI, an absent one leaves it untouched.

    xor  di, di
    mov  es, di               ; ES:DI = 0 before the call
    mov  ax, 1684h
    mov  bx, 0202h            ; VxD ID of winice (SICE)
    int  2Fh
    mov  ax, es               ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax               ; still 0 -> no VxD with that ID
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor  di, di
    mov  es, di               ; ES:DI = 0 before the call
    mov  ax, 1684h
    mov  bx, 7a5Fh            ; VxD ID of SIWVID
    int  2fh
    mov  ax, es               ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov  ax, 4fh
    int  41h
    cmp  ax, 0F386h
    jz   SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is first
replaced by a dummy handler (a plain iret), so on a clean system ax comes
back unchanged, whereas a resident debugger hooking int 41h below the IVT
still answers 0F386h:

    xor  ax, ax
    mov  es, ax               ; ES = 0 -> interrupt vector table (as in method 06)
    mov  bx, cs
    lea  dx, int41handler2
    xchg dx, es:[41h*4]       ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    mov  ax, 4fh
    int  41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp  ax, 0f386h
    jz   SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect: nothing is
compared against 0F386h. A byte read from the timer (port 40h) is passed in
AL through int 41h to the program's own handler, which copies it into CL.
If that handler ran, CL equals AL; if a resident debugger intercepted
int 41h instead, CL is still 0 (the check only misfires when the byte read
happened to be 0).

int41handler PROC
    mov  cl, al
    iret
int41handler ENDP

    xor  ax, ax
    mov  es, ax               ; ES = 0 -> interrupt vector table
    mov  bx, cs
    lea  dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in   al, 40h              ; unpredictable byte from the timer
    xor  cx, cx
    int  41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp  cl, al
    jnz  SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov  ah, 43h
    int  68h
    cmp  ax, 0F386h
    jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov  ah, 25h              ; DOS: set interrupt vector
    mov  al, Int_Number       ; 01h or 03h
    mov  dx, offset New_Int_Routine   ; ds:dx -> new handler
    int  21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

    mov  eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov  edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov  [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply
by reading their values (ring 0 only, since MOV from a debug register is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).

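The two DR7 values quoted above are not explained on the page; the following
decoder is an added example (not code from the page) that makes them
readable: 0x400 is just the reserved bit 10 that always reads as 1, 0x700
additionally has the LE and GE "exact breakpoint" bits set, and an armed BPM
shows up as an enabled L0..L3 slot with its R/W and LEN fields. The bit
layout is the Intel one; the sample values are constructed here, nothing is
read from a live CPU (which needs ring 0, or on Windows a GetThreadContext
with CONTEXT_DEBUG_REGISTERS on another thread).

```python
"""Decoder for the x86 DR7 debug-control register (method 10 above).

Added example, not part of the original page. Sample values are constructed.
"""
from __future__ import annotations

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # reserved, always reads as 1 (this is the 0x400)
DR7_GD = 1 << 13         # general detect: trap on any access to DR0..DR7

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is 8 bytes (long mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and the global flags of DR7."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))        # L0..L3: bits 0,2,4,6
        glob = bool(dr7 & (1 << (2 * i + 1)))     # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/W0..3: bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * i)) & 3            # LEN0..3: bits 18-19, 22-23, ...
        slots.append({
            "slot": i,
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "slots": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
    }


def classify(dr7: int) -> str:
    """Apply the page's heuristic: an enabled slot means a BPM is armed,
    LE+GE set (the 0x700 case) means the SoftICE loader started the program."""
    info = decode_dr7(dr7)
    if info["slots"]:
        return "hardware breakpoint armed"
    if info["le"] and info["ge"]:
        return "SoftICE loader"
    return "clean"


def arm_bpm(dr7: int, slot: int, kind: str, length: int) -> int:
    """Return DR7 with `slot` enabled as a local breakpoint of the given
    kind/length, the way a debugger programs it when a BPM is placed (the
    address itself lives in DR0..DR3 and is not modelled here)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot))             # clear the slot's R/W and LEN field
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    dr7 |= 1 << (2 * slot)                        # set L<slot>
    return dr7 | DR7_RESERVED1


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x700, 0, "read/write", 4)):
        print(hex(value), classify(value), decode_dr7(value)["slots"])
```

Hardware breakpoints on the Win9x kernel are global to the machine, which is
why the page warns against tracing while a program that reads or rewrites
these registers is running.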
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD under Win9x */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; HFILE_ERROR (-1) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp  ax, 0f386h             ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

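All the breakpoints above need SoftICE running; the complementary static
check is to look for these tricks in the file before running it. The scanner
below is an added example (not code from the page nor from any program it
names): it matches the byte encodings of the listings for methods 01-05, 07
and 12 and the strings used by methods 11 and 13. The encodings are my own
hand assembly of the page's listings (a 66h operand-size prefix may precede
the 16-bit immediates in 32-bit code, so the patterns anchor on opcode and
immediate rather than on the prefix); the sample buffer is constructed for
the demo from the HASPINST loop quoted under method 02, not taken from any
real file.

```python
"""Static scanner for the SoftICE detection tricks described on this page.

Added example, not code from the page. Encodings hand-assembled from the
page's listings; the sample buffer is constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str     # method number on this page
    what: str


# (method number, description, regex over the raw bytes)
SIGNATURES = [
    ("01", "mov ebp,'BCHK' BoundsChecker signature",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "mov ax,09xxh back-door function select",
     rb"\xb8[\x10-\x14]\x09"),
    ("02", "mov si,4647h / mov di,4A4Dh back-door magic values",
     rb"\xbe\x47\x46.{0,6}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,6}\xbe\x47\x46"),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     rb"\xb8\x84\x16.{0,4}\xbb\x02\x02.{0,4}\xcd\x2f"),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     rb"\xb8\x84\x16.{0,4}\xbb\x5f\x7a.{0,4}\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     rb"\xb8\x4f\x00\xcd\x41\x66?\x3d\x86\xf3"),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     rb"\xb4\x43\xcd\x68\x66?\x3d\x86\xf3"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("11", "MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("13", "SoftICE registry key",
     rb"(?i)Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
]


def scan(blob: bytes) -> list[Hit]:
    """Return every signature match in `blob`, ordered by file offset."""
    hits = [
        Hit(m.start(), method, what)
        for method, what, pattern in SIGNATURES
        for m in re.finditer(pattern, blob, re.DOTALL)
    ]
    return sorted(hits)


def methods_found(blob: bytes) -> set[str]:
    """The page's method numbers whose signatures occur in `blob`."""
    return {h.method for h in scan(blob)}


# Hand-assembled bytes of the HASPINST loop quoted under method 02
# (4C19:0095..00AD), padded with NOPs and followed by a MeltICE device name
# and a registry key as they would sit in a data section. Constructed here.
HASPINST_LOOP = bytes.fromhex(
    "b81109"   # mov ax,0911h
    "8b17"     # mov dx,[bx]
    "be4746"   # mov si,4647h
    "bf4d4a"   # mov di,4A4Dh
    "cc"       # int 3
    "83c302"   # add bx,2
    "41"       # inc cx
    "83f906"   # cmp cx,6
    "72eb"     # jb 0095
    "e955ff"   # jmp 0002
    "8bdc"     # mov bx,sp
)
SAMPLE = (
    b"\x90" * 16
    + HASPINST_LOOP
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:08x}  method {hit.method}  {hit.what}")
```

Run it against a real executable with scan(open(path, "rb").read()); a hit
only says the sequence is present, so check the code around each offset
before concluding that it is reached at run time.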
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je   not_installed          ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>