<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL is left untouched if nobody handled the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to point to the IVT (segment 0)
        xchg bx, es:[41h*4+2]   ; install our own int 41h handler
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es -> IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value read from the timer
        xor cx,cx
        int 41h                 ; our handler copies AL into CL...
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless a debugger intercepted int 41h
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
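As an added example (not part of the original text), here is a small Python decoder for the DR7 layout that Method 10 relies on. It goes slightly beyond the page by naming the type and length of every armed slot, not only whether DR7 differs from 0x400; the register values it is fed are constructed for illustration.

```python
# Added example (not from the original text): a decoder for the x86 debug
# registers that Method 10 reads.  The bit layout is the architectural DR7
# layout: bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bits 8-9 are LE/GE,
# bit 10 is reserved and always reads as 1 (the 0x400 baseline quoted above),
# bit 13 is GD, and bits 16-31 hold the R/W and LEN fields for DR0..DR3.
# All register values used below are constructed samples.

RESERVED_BIT = 1 << 10                  # the only bit set in a "clean" DR7 (0x400)
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b is 8 bytes on x86-64, undefined on 32-bit


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Describe which hardware breakpoints DR7 arms, using DR0..DR3 as addresses."""
    addrs = (dr0, dr1, dr2, dr3)
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                    # slot disabled: DRn content is irrelevant
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        armed.append({
            "slot": slot,
            "address": addrs[slot],
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "local_exact": bool(dr7 & (1 << 8)),      # LE: set in the 0x700 case above
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD: traps any MOV to/from DRn
        "breakpoints": armed,
        "modified": (dr7 & ~RESERVED_BIT) != 0,   # anything besides the reserved bit
    }


def debugger_hint(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Apply the page's rule of thumb: 0x400 is clean, 0x700 or an armed slot is suspicious."""
    d = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    if d["breakpoints"]:
        return "hardware breakpoints armed"
    if d["local_exact"] or d["global_exact"]:
        return "LE/GE set (SoftICE loader pattern)"
    return "clean" if not d["modified"] else "unexpected bits"


if __name__ == "__main__":
    print(debugger_hint(0x400))                 # clean
    print(debugger_hint(0x700))                 # LE/GE set (SoftICE loader pattern)
    print(decode_dr7(0xD0701, dr0=0x401000))    # one 4-byte write breakpoint in slot 0
```

A BPM set on a 4-byte write at 401000h would leave DR0=401000h and DR7 with L0, R/W0=01b and LEN0=11b set (D0701h with LE/GE and the reserved bit), which is what the third call decodes.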
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

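Methods 01 to 07 and 11 to 13 all leave recognisable byte sequences or strings in a binary. The Python scanner below is an added example, not part of the original text nor of any tool it mentions: it turns those sequences into regular expressions (the standard x86 encodings of the instructions listed above; the operand order follows the listings and is an assumption for other samples, hence a few bytes of slack before the INT) and runs them over a constructed sample buffer, so an analyst can flag the checks in a file before stepping into them.

```python
# Added example (not part of the original text): a static scanner for the byte
# patterns the methods above leave behind in a binary.  The encodings are the
# standard 16/32-bit x86 ones for the instructions quoted on the page; the
# operand order (ax before bx, si before di) follows the listings above and is
# an assumption about other samples, so the patterns allow a few bytes of slack
# before the INT that ends each sequence.
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    "m01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order), then int 3
    "m02_int3_backdoor":
        rb"(?:\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46).{0,8}?\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_int2f_sice":   rb"\xb8\x84\x16\xbb\x02\x02.{0,8}?\xcd\x2f",
    "m04_int2f_siwvid": rb"\xb8\x84\x16\xbb\x5f\x7a.{0,8}?\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "m05_int41_fn4f":   rb"\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_fn43":   rb"\xb4\x43\xcd\x68",
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah
    "m12_vxdcall_int41": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # Method 11: device names opened by MeltICE-style checks (CreateFileA or _lopen)
    "m11_device_name":  rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key naming the SoftICE install directory
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return (offset, signature_name) pairs, sorted by offset, for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP padding followed by hand-assembled copies of methods
# 01, 02, 03 and 05 and the strings used by methods 11 and 13.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"      # method 01 (32-bit code)
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"              # method 02
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"      # method 03
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                      # method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                         # method 13 key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run against a real file, `scan(open(path, "rb").read())` lists where each idiom sits, which is exactly where the breakpoints quoted above would be needed; a hit on the strings alone (methods 11 and 13) is weaker evidence than a hit on an instruction sequence, since the same strings appear in legitimate NuMega tools.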
__________________________________________________________________________& ?0 H% [# u G2 t P# v( f5 ]
0 s& Y* A" q- \/ n* c( r* Q

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>