<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if SoftICE is loaded,
it answers the int 3 call and AL no longer holds 4.

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4
  jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the call returns a non-null entry point in
ES:DI, the VxD is loaded.


  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h     ; VxD ID of winice
  int 2Fh
  mov ax, es        ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh     ; VxD ID of SIWVID
  int 2fh
  mov ax, es        ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  xor ax,ax
  mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
  xchg bx, es:[41h*4+2]
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]     ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
  mov cl,al
  iret
int41handler ENDP


  xor ax,ax
  mov es,ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl,al
  jnz SoftICE_detected

The handler copies AL into CL. If SoftICE takes the int 41h itself, the
handler is never reached, so CL (still 0 from the xor) differs from the timer
value read from port 40h and the jnz fires. There is no 0F386h constant to
look for, which is what makes this variant harder to spot.
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

  mov ah, 25h                      ; set interrupt vector
  mov al, Int_Number               ; 01h or 03h
  mov dx, offset New_Int_Routine   ; ds:dx -> new handler
  int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
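To see what the two DR7 values quoted above actually encode, here is an added Python example (not part of the original text) that decodes the DR7 bit fields as documented in the Intel SDM: 0x400 is just the always-set reserved bit 10, 0x700 adds the LE and GE bits on top of it, and the L0..L3/G0..G3, RWn and LENn fields say which of DR0..DR3 hold a memory breakpoint and of what kind. Reading DR7 itself is ring0 only; the decoder works on a value that has already been read. The third input in the main block is a constructed value.

```python
# Added example (not from the original text): decode the x86 DR7 debug
# control register so that the page's "dr7 = 0x700 vs 0x400" remark and the
# "memory breakpoints set (dr0 to dr3)" check can be read off the bit fields.
# Reading DR7 itself needs ring0; this decoder only works on a value that
# has already been read (or on constants). Field layout per the Intel SDM.

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) only valid in 64-bit mode


def decode_dr7(dr7):
    """Return the global flags and the state of the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # RWn: bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENn: bits 18-19, 22-23, ...
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),     # local exact breakpoints (legacy hint bit)
        "GE": bool((dr7 >> 9) & 1),     # global exact breakpoints (legacy hint bit)
        "GD": bool((dr7 >> 13) & 1),    # general detect: trap on MOV to/from DRn
        "slots": slots,
    }


def armed_slots(dr7):
    """Indices of DR0..DR3 that hold an enabled breakpoint (the page's BPMs)."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7):
    """One-line summary, e.g. for the two values quoted on the page."""
    d = decode_dr7(dr7)
    flags = ",".join(n for n in ("LE", "GE", "GD") if d[n]) or "none"
    bps = ", ".join(f"DR{s['slot']}:{s['kind']}/{s['length']}B"
                    for s in d["slots"] if s["enabled"]) or "none"
    return f"DR7=0x{dr7:X} flags={flags} breakpoints={bps}"


if __name__ == "__main__":
    # 0x700 and 0x400 are the values the page quotes; the third is a constructed
    # value with a 4-byte write breakpoint armed locally in DR0
    # (L0=1, RW0=01, LEN0=11) on top of the always-set reserved bit 10.
    for value in (0x700, 0x400, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(describe(value))
```

The decoder makes the page's two numbers concrete: the only difference between 0x700 and 0x400 is the LE/GE pair, and neither value has any of DR0..DR3 enabled, so a program that reads 0x700 has learned that the SoftICE loader touched DR7, not that a breakpoint is set.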

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                    ; OF_READ
  mov eax,[00656634]         ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589               ; detected
  push 00                    ; OF_READ
  mov eax,[00656638]         ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxdCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
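Methods 01 to 07, 11, 12 and 13 all leave fixed byte sequences or strings in the protected program, so an analyst can spot them statically, before running anything under SoftICE. The Python scanner below is an added example and not part of the original text: it holds one signature per method (the opcode encodings were derived by hand for this example and are assumptions; the driver names and registry paths are the ones listed above) and runs them over a constructed sample buffer that embeds the Method 01 probe, the Haspinst.exe back-door sequence, the Method 12 VxDCall sequence followed by the 0F386h compare, a \\.\SICE device name and a registry path.

```python
# Added example (not from the original text): a static scanner that looks for
# the byte patterns and strings the SoftICE checks on this page leave behind
# in a program. Opcode encodings are standard x86 (16-bit code for the DOS
# examples, 32-bit for the Win32 ones) and were derived by hand here; the
# sample buffer at the bottom is constructed for the demonstration.
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK' stored little-endian)
    ("01", "BoundsChecker 'BCHK' probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order, up to 8 bytes apart
    ("02", "SoftICE back door magic values SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD id",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h
    ("05", "int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Methods 05/06/07/12: cmp ax,0F386h (66h operand-size prefix in 32-bit code)
    ("05/06/07/12", "compare AX with debugger magic 0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 07: mov ah,43h / int 68h
    ("07", "int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall
    ("12", "VWIN32_Int41Dispatch via VxDCall",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

# Method 11: driver device names, ANSI and UTF-16LE spellings.
for name in (b"SICE", b"SIWVID", b"NTICE"):
    dev = b"\\\\.\\" + name
    wide = dev.decode().encode("utf-16-le")
    SIGNATURES.append(("11", "driver name " + dev.decode(),
                       re.compile(re.escape(dev) + b"|" + re.escape(wide))))

# Method 13: registry paths (case-insensitive, as the registry is).
for key in (b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
            b"App Paths\\Loader32.Exe"):
    SIGNATURES.append(("13", "registry path " + key.decode(),
                       re.compile(re.escape(key), re.IGNORECASE)))


def scan(blob):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Distinct page methods detected in the buffer, in page order."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: NOP filler, then the Method 01 probe (32-bit code),
# the Method 02 sequence from the Haspinst.exe listing (16-bit code),
# the Method 12 VxDCall sequence followed by cmp ax,0F386h, a Method 11
# device name and a Method 13 registry path.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\x00\\\\.\\SICE\x00"
    + b"\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04X}  Method {method:<12} {desc}")
```

Because the opcode patterns allow a few bytes of slack between instructions, a real binary may trigger a signature on unrelated code; treat a hit as a lead to inspect in the disassembler, not as proof. Methods 09, 10 and 14 are ring0-only calls with no fixed user-mode byte pattern and are not covered.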

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>