<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BoundsChecker interface
    cmp al, 4               ; al unchanged => no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI still 0 => VxD not present
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0, the real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler never sets the magic number
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; a random value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al => our handler was never reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SoftICE VxD as a device: only succeeds if it is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;    /* driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

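As an added example (not part of the original text, nor any tool it mentions), here is a small static triage scanner that flags the signatures quoted in Methods 01, 02, 05, 11, 12 and 13 inside a raw binary image, the way an analyst would pre-screen a packed sample before tracing it. The byte patterns assume plain little-endian x86 immediates (the patterns tolerate an operand-size prefix before the opcode), and the sample buffer is constructed for this demo.

```python
import re

# (description, regex over raw bytes); the constants are the ones the text
# quotes, encoded as the immediates of the instructions shown above.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') followed closely by int 3 (CCh)
    ("BoundsChecker BCHK + INT 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic, either order
    ("SoftICE back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 05/07/12: cmp ax, 0F386h (system-debugger magic number)
    ("INT 41h/68h magic 0F386h", re.compile(rb"\x3D\x86\xF3")),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch via VxDCall)
    ("VxDCall VWIN32_Int41Dispatch 002A002Ah",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 11: device names opened with CreateFileA or _lopen
    ("SoftICE device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry keys that reveal an installation
    ("SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"
                rb"|App Paths\\Loader32\.Exe", re.IGNORECASE)),
]


def scan(image: bytes):
    """Return (offset, description) hits found in image, sorted by offset."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample buffer (not a real executable): padding, the Method 01
# sequence, a back-door call, the magic compare, a device name and a key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00\xCC"      # mov ax, 4 / int 3
    + b"\xBE\x47\x46\xBF\x4D\x4A"  # mov si, 4647h / mov di, 4A4Dh
    + b"\x3D\x86\xF3"              # cmp ax, 0F386h
    + b"\\\\.\\SICE\x00"           # the "\\.\SICE" device name
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:08x}  {desc}")
```

A hit only says the constant is present; confirm it by tracing the code with one of the breakpoints listed in the methods above.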
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>