<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh    ; 'BCHK'
  mov ax, 04h            ; BoundsChecker interface request
  int 3
  cmp al, 4              ; al is no longer 4 if SoftICE handled the int 3
  jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911     ; execute command.
  4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647     ; 1st magic value.
  4C19:009D MOV DI,4A4D     ; 2nd magic value.
  4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
  4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
  4C19:00A8 JB 0095         ; 6 different commands.
  4C19:00AA JMP 0002        ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(get VxD API entry point):

  xor di, di
  mov es, di
  mov ax, 1684h          ; int 2Fh: get VxD API entry point
  mov bx, 0202h          ; VxD ID of WINICE
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point (0:0 if no such VxD)
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

  xor di, di
  mov es, di
  mov ax, 1684h          ; int 2Fh: get VxD API entry point
  mov bx, 7a5Fh          ; VxD ID of SIWVID
  int 2fh
  mov ax, es             ; ES:DI -> VxD API entry point (0:0 if no such VxD)
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax, 4fh            ; function 4Fh: debugger installation check
  int 41h
  cmp ax, 0F386h         ; magic number returned by system debuggers
  jz SoftICE_detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]    ; install our own int 41h handler in the IVT
  xchg bx, es:[41h*4+2]  ; (ES must be 0, as set up in Method 06)
  mov ax, 4fh
  int 41h
  xchg dx, es:[41h*4]    ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret                   ; our handler leaves ax untouched: only a debugger
int41handler2 ENDP       ; intercepting int 41h can return 0F386h

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
  mov cl, al             ; only runs if nobody intercepts int 41h
  iret
int41handler ENDP


  xor ax, ax
  mov es, ax             ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]    ; install our handler
  xchg bx, es:[41h*4+2]
  in al, 40h             ; read a byte from the timer (port 40h)
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]    ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl, al             ; cl == al only if our handler was really called
  jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

  mov ah, 25h            ; int 21h function 25h: set interrupt vector
  mov al, Int_Number     ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
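
As an added example (not part of the original text), the following Python
decodes a DR7 value into the fields the Intel manuals define, so the two values
quoted above can be read: 0x400 is just the always-set reserved bit 10, while
0x700 additionally has LE (bit 8) and GE (bit 9), the exact-breakpoint flags a
debugger sets. The armed-breakpoint DR7 value at the end is constructed.

```python
# Added example: decode an x86 DR7 value into its architectural fields.
# Bit layout (Intel SDM): L0..L3/G0..G3 in bits 0-7 (Ln = bit 2n, Gn = bit 2n+1),
# LE = bit 8, GE = bit 9, bit 10 reserved and always reads 1, GD = bit 13,
# R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n.

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is undefined on 32-bit x86, 8 bytes on x86-64


def bit(value, n):
    """Return bit n of value as a bool (no shifts to the left, so it stays HTML-safe)."""
    return bool((value >> n) & 1)


def decode_dr7(dr7):
    """Split DR7 into its global flags plus one record per breakpoint slot."""
    fields = {
        "LE": bit(dr7, 8),            # local exact breakpoint enable
        "GE": bit(dr7, 9),            # global exact breakpoint enable
        "reserved_bit10": bit(dr7, 10),
        "GD": bit(dr7, 13),           # general detect: traps any MOV to/from DRn
        "breakpoints": [],
    }
    for n in range(4):
        local, glob = bit(dr7, 2 * n), bit(dr7, 2 * n + 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        fields["breakpoints"].append({
            "slot": n,
            "enabled": local or glob,
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return fields


def active_breakpoints(dr7):
    """Slot numbers (dr0..dr3) that currently have a breakpoint armed (BPMs)."""
    return [b["slot"] for b in decode_dr7(dr7)["breakpoints"] if b["enabled"]]


def exact_flags_set(dr7):
    """True when both LE and GE are set, as in the dr7=0x700 case above."""
    f = decode_dr7(dr7)
    return f["LE"] and f["GE"]


# Values quoted in Method 10, plus one constructed DR7 with a 4-byte write
# breakpoint armed in slot 0 (L0=1, R/W0=01b, LEN0=11b).
SOFTICE_LOADER_DR7 = 0x700
PLAIN_DR7 = 0x400
WRITE_BPM_DR7 = 0x000D0001

if __name__ == "__main__":
    for v in (SOFTICE_LOADER_DR7, PLAIN_DR7, WRITE_BPM_DR7):
        print(hex(v), "LE/GE:", exact_flags_set(v), "armed:", active_breakpoints(v))
```

Reading DR7 still needs ring0, as the text says; the decoder only interprets a
value that has already been obtained (from a driver, a crash dump, or an
emulator trace).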
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025        ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                ; OF_READ
  mov eax,[00656634]     ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax                ; HFILE_ERROR (-1) becomes 0
  jnz 00650589           ; detected
  push 00                ; OF_READ
  mov eax,[00656638]     ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

  push 0000004fh         ; function 4fh
  push 002a002ah         ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001  ; VxDCall
  cmp ax, 0f386h         ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
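
Because most of the tricks above leave fixed byte sequences behind, an analyst
can spot them statically before running a sample. The following Python scanner
is an added example, not part of the original text or of any tool it mentions:
it encodes the instructions quoted in Methods 01 to 13 as byte patterns
(standard x86 encodings, with an optional 66h operand-size prefix where a
16-bit register move may sit in 32-bit code) and reports every hit with its
offset. The sample buffer is constructed. Short patterns such as the
0F386h compare are noisy on their own, so a hit should be confirmed in a
disassembler.

```python
# Added example: static scanner for the anti-SoftICE byte patterns quoted above.
# The sample buffer is constructed; nothing here comes from a real binary.
import re

# Signature name -> regex over raw bytes. \x66? allows the operand-size prefix
# a 16-bit register move carries when the same trick sits in 32-bit code.
SIGNATURES = {
    "01 int 3 with ebp='BCHK'":
        re.compile(rb"\xBD\x4B\x48\x43\x42"),                     # mov ebp, 4243484Bh
    "02 int 3 back door, si=4647h/di=4A4Dh":
        re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),        # mov si,4647h / mov di,4A4Dh
    "03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    "05 int 41h function 4Fh":
        re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41"),                 # mov ax,4Fh / int 41h
    "05/06/07/12 compare with magic 0F386h":
        re.compile(rb"\x66?\x3D\x86\xF3"),                         # cmp ax, 0F386h
    "07 int 68h function 43h":
        re.compile(rb"\xB4\x43\xCD\x68"),                          # mov ah,43h / int 68h
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),         # "\\.\SICE" etc.
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),              # push 4Fh / push 2A002Ah
    "13 SoftICE registry path":
        re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
}


def scan(data):
    """Return [(offset, signature name)] for every pattern hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """The Method numbers (as strings, e.g. '03/04') whose signature appears in data."""
    return sorted({name.split(" ", 1)[0] for _, name in scan(data)})


# Constructed sample: NOP/zero filler around a few of the tricks quoted above.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # Method 01 (16-bit code, 66h prefix)
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02: ax=0911h, magic si/di, int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                  # Method 04: SIWVID lookup via int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # Method 05: int 41h/4Fh, cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                   # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                     # Method 13 registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
    print("methods:", ", ".join(methods_found(SAMPLE)))
```

To use it on a real file, pass the file's bytes to scan(); for a packed sample
the patterns only become visible once the packer's layer has been unpacked.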
</PRE></TD></TR></TBODY></TABLE>