<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs             ; es is assumed to be 0 (IVT segment) here
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]  ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; cl != al: our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name \\.\SICE only exists while the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax              ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

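The constants that recur across methods 01 to 13 (the 'BCHK' immediate, the 4647h/4A4Dh back-door magic, the 1684h call with a SoftICE VxD ID, the 0F386h compare, the MeltICE device names and the NuMega registry key) can be located statically when triaging a sample. The scanner below is an added example and not code from the original text: the byte patterns are the x86 encodings of the listings above, the function names are mine, and the sample image is constructed.

```python
"""Static triage: find the anti-SoftICE constants from this text in a raw image."""
import re

# (method from the text, regex over raw bytes); immediates are little-endian.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') = BD 4B 48 43 42
    ("01 BoundsChecker 'BCHK' signature", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h (BE 47 46) followed shortly by mov di,4A4Dh (BF 4D 4A)
    ("02 back-door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h (B8 84 16) ... mov bx,0202h|7A5Fh ... int 2Fh (CD 2F)
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Methods 05/07/12: cmp ax,0F386h = 3D 86 F3 (a 66h prefix may precede it in 32-bit code)
    ("05/07/12 compare with magic 0F386h", re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE): NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry key #2 from the list above
    ("13 NuMega registry key", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(image: bytes) -> list:
    """Return (offset, method label) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


def methods_present(image: bytes) -> set:
    """Just the method labels, for a quick verdict on a sample."""
    return {label for _, label in scan(image)}


# Constructed sample image (not a real file): method 01 prologue, a MeltICE
# device name and a 0F386h compare, padded with NOPs.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh ; 'BCHK'   (offset 4)
    + b"\x66\xB8\x04\x00\xCC"       # mov ax, 04h ; int 3
    + b"\x3C\x04\x75\x10"           # cmp al, 4 ; jnz SoftICE_Detected
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"            # "\\.\SICE",0                  (offset 21)
    + b"\x3D\x86\xF3\x74\x02"       # cmp ax, 0F386h ; jz SoftICE_detected (offset 30)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE_IMAGE):
        print(f"offset 0x{offset:04x}: method {label}")
```

A hit only says the constant is present; confirm it in a disassembler, since the 3-byte 0F386h compare in particular can occur by chance in data.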
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>