About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
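Methods 01 to 07 all boil down to a few fixed instruction bytes (an interrupt number plus the magic immediates loaded just before it), which is what makes them easy to spot statically when triaging a packed sample before it ever runs. The scanner below is an added example, not code from the original post or from the packers and utilities it names: the byte patterns are the standard x86 encodings of the instructions in the listings above (mov si,4647h = BE 47 46, int 3 = CC, int 2Fh = CD 2F, and so on), the fragment order follows the listings, and the 32-byte window and the sample buffer are my own assumptions.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01-07.

Added example, not from the original post.  Byte patterns are standard x86
encodings of the instructions shown in the listings; fragment order and the
32-byte window are assumptions; the sample buffer is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    frags: Tuple[bytes, ...]   # fragments that must appear in this order
    window: int = 32           # max bytes from first fragment to end of last


SIGNATURES = (
    # mov ebp,4243484Bh ('BCHK') ... int 3   (a 16-bit build puts the 66h
    # prefix before BD, so this fragment matches both encodings)
    Signature("Method 01 (int 3, BoundsChecker 'BCHK')",
              (bytes.fromhex("BD4B484342"), b"\xCC")),
    # mov si,4647h ; mov di,4A4Dh ; int 3    (SoftICE back door magic values)
    Signature("Method 02 (int 3 back door, SI=4647h DI=4A4Dh)",
              (bytes.fromhex("BE4746"), bytes.fromhex("BF4D4A"), b"\xCC")),
    # mov ax,1684h ; mov bx,0202h ; int 2Fh  (VxD ID of SICE)
    Signature("Method 03 (int 2Fh/1684h, VxD ID 0202h SICE)",
              (bytes.fromhex("B88416"), bytes.fromhex("BB0202"), bytes.fromhex("CD2F"))),
    # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh  (VxD ID of SIWVID)
    Signature("Method 04 (int 2Fh/1684h, VxD ID 7A5Fh SIWVID)",
              (bytes.fromhex("B88416"), bytes.fromhex("BB5F7A"), bytes.fromhex("CD2F"))),
    # mov ax,4Fh ; int 41h                   (expects 0F386h back in ax)
    Signature("Method 05 (int 41h/4Fh)",
              (bytes.fromhex("B84F00"), bytes.fromhex("CD41"))),
    # in al,40h ; ... ; int 41h              (Stone's variant)
    Signature("Method 06 (in al,40h then int 41h)",
              (bytes.fromhex("E440"), bytes.fromhex("CD41"))),
    # mov ah,43h ; int 68h                   (V86 WinICE handler)
    Signature("Method 07 (int 68h/43h)",
              (bytes.fromhex("B443"), bytes.fromhex("CD68"))),
)


def _find_all(buf: bytes, frag: bytes):
    """Yield every offset at which frag occurs in buf (overlaps included)."""
    i = buf.find(frag)
    while i != -1:
        yield i
        i = buf.find(frag, i + 1)


def scan(buf: bytes, signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Return sorted (offset, signature name) pairs; the offset is that of the
    first fragment.  A lone int 3 or int 2Fh never matches on its own."""
    hits = []
    for sig in signatures:
        first, *rest = sig.frags
        for start in _find_all(buf, first):
            pos, end = start + len(first), start + sig.window
            for frag in rest:
                nxt = buf.find(frag, pos, end)
                if nxt == -1:
                    break
                pos = nxt + len(frag)
            else:
                hits.append((start, sig.name))
    return sorted(hits)


# Constructed sample: my re-encoding of the Haspinst.exe listing (Method 02),
# padded with lone int 3 bytes, then the Method 01/03/05/07 snippets.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB")   # Method 02, magic at 9
    + b"\xCC" * 3                                                          # lone int 3: no hit
    + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7500")                    # Method 01 at 28
    + bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F 8CC0 03C7 85C0 7500")     # Method 03 at 46
    + bytes.fromhex("B84F00 CD41 3D86F3 7400")                             # Method 05 at 62
    + bytes.fromhex("B443 CD68 3D86F3 7400")                               # Method 07 at 72
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The fragments deliberately omit the 66h operand-size prefix so the same signature matches the 16-bit listings on this page and a 32-bit build of the same check; requiring the magic immediates to sit within a short window of the interrupt keeps the ubiquitous lone `CC` padding byte from producing hits.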
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded and answers the open request. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);         /* the open succeeded: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>