About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 here (see Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
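The breakpoints above catch these tricks while the target runs under SoftICE. The
complementary check an analyst wants is a static one: scan a file for the bytes
the tricks leave behind, so a protected sample can be triaged before it is ever
loaded. The scanner below is an added example, not code from the original post.
It encodes the instruction sequences quoted in methods 01, 02, 03/04, 05, 07 and
12 as byte patterns (standard x86 encodings: 16-bit ones for the DOS tricks in
methods 02-07, 32-bit ones for methods 01 and 12) and adds the driver-name
strings from method 11. The sample buffer is constructed for the demonstration;
on a real file the hits are leads for the disassembler, not proof on their own,
since short opcode sequences can occur by chance in data.

```python
"""Static scan for the anti-SoftICE tricks listed in this post.

Added example, not code from the original post.  It looks for the byte
patterns those tricks leave in a binary: the standard x86 encodings of the
instructions quoted above and the driver-name strings from Method 11.
Assumptions: methods 02-07 are matched in their 16-bit (DOS) encodings and
methods 01 and 12 in 32-bit encodings; the sample buffer is constructed here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str         # method number in the post
    description: str
    pattern: bytes      # regular expression over raw bytes
    flags: int = 0


SIGNATURES = (
    # Method 01: mov ebp, 4243484Bh ('BCHK') before int 3 (32-bit encoding)
    Signature("01", "BoundsChecker 'BCHK' magic loaded into ebp",
              rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h followed closely by mov di,4A4Dh (16-bit)
    Signature("02", "SoftICE back-door magic values SI=4647h, DI=4A4Dh",
              rb"\xBE\x47\x46[\s\S]{0,8}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (16-bit)
    Signature("03/04", "int 2Fh/1684h lookup of the SICE or SIWVID VxD",
              rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h (16-bit)
    Signature("05", "int 41h function 4Fh debugger check against 0F386h",
              rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h (16-bit)
    Signature("07", "int 68h function 43h debugger check against 0F386h",
              rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11: device names opened with CreateFileA or _lopen (case-insensitive)
    Signature("11", "SoftICE driver name \\\\.\\SICE, SIWVID or NTICE",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    # Method 12: push 4Fh (imm8 or imm32) / push 2A002Ah before the VxDCall (32-bit)
    Signature("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
              rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
)


def scan(data: bytes) -> list:
    """Return (method, description, offset) for every signature hit, ordered by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, data, sig.flags):
            hits.append((sig.method, sig.description, m.start()))
    return sorted(hits, key=lambda h: (h[2], h[0]))


def format_report(hits) -> list:
    """One text line per hit, offset first, in the style of the listings above."""
    return [f"{off:08X}  method {method:<5} {desc}" for method, desc, off in hits]


# Constructed sample: filler, then trick bytes at known offsets.
SAMPLE = (
    b"\x90" * 16                                        # 0x00: nop sled
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"               # 0x10: Method 05
    + b"\x74\x05"                                       # 0x18: jz (filler)
    + b"\xB8\x11\x09\x8B\x17"                           # 0x1A: mov ax,0911 / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                   # 0x1F: Method 02 magic + int 3
    + b"\x00" * 4                                       # 0x26: padding
    + b"\\\\.\\SICE\x00"                                 # 0x2A: Method 11 string
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                   # 0x33: Method 12
)

if __name__ == "__main__":
    for line in format_report(scan(SAMPLE)):
        print(line)
```

Run it on a file by replacing SAMPLE with the file's bytes; the offsets it reports
are where to point the disassembler. The Method 02 pattern tolerates a few bytes
between the two magic-value loads because compilers and hand-written code do not
always emit them back to back, while the other opcode patterns are kept exact to
limit false positives.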

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>