About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE ('BCHK' signature):
if SoftICE is loaded it services the INT 3 and AL no longer holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"): ES:DI comes back non-zero only if a
VxD with that ID is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is first replaced by a
dummy handler, so a plain DOS int 41h returns with ax unchanged; only a
debugger that hooks int 41h in ring 0 (as SoftICE does) can still put 0F386h
in ax:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, because
no magic function number is passed: the program installs its own int 41h
handler which copies AL into CL, loads AL with an unpredictable value read from
the timer port (40h), raises the interrupt and then checks that its handler
really ran.  If SoftICE services the int 41h itself, the program's handler never
runs and CL is still 0:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
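The check of method 06 above, transposed to a POSIX process as an added example
(not code from the original text): the "interrupt vector" is the process's
SIGTRAP disposition, the unpredictable value read from port 40h becomes a random
nonce, and the int 41h becomes a SIGTRAP sent to ourselves.  A ptrace-based
debugger (gdb's default for SIGTRAP is stop/nopass) keeps the signal, so our
handler never runs and the nonce is never copied.  Assumes Linux or macOS;
SIGTRAP does not exist on Windows.

```python
"""Added example: method 06 (install your own trap handler, pass it an
unpredictable value, verify it ran) on a POSIX system.  Not part of the
original text; assumes Linux/macOS.
"""
import os
import secrets
import signal

_nonce = 0      # the value placed "in AL"
_seen = None    # what our handler copied "into CL"; None if it never ran


def _trap_handler(signum, frame):
    """Equivalent of int41handler: copy the value we were given."""
    global _seen
    _seen = _nonce


def own_trap_handler_ran():
    """Return True if the SIGTRAP we raised reached our own handler."""
    global _nonce, _seen
    _nonce = secrets.randbits(32) | 1           # never 0, so it differs from "not seen"
    _seen = None
    previous = signal.signal(signal.SIGTRAP, _trap_handler)   # xchg our handler into the vector
    try:
        os.kill(os.getpid(), signal.SIGTRAP)                  # the "int 41h"
    finally:
        signal.signal(signal.SIGTRAP, previous)               # xchg the old vector back
    return _seen == _nonce


def debugger_detected():
    """Method 06's verdict: a swallowed trap means something sits in front of us."""
    return not own_trap_handler_ran()


if __name__ == "__main__":
    print("debugger detected" if debugger_detected() else "no debugger in front of SIGTRAP")
```

Run it plainly and then under `gdb -ex run --args python3 file.py` to see the two
outcomes; the nonce, like the timer value in the original, stops a debugger from
faking the answer with a constant.

_________________________________________________________________________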

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only).  The values can be manipulated or changed as well
(clearing BPMs for instance).
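What such a ring-0 check actually looks at, as an added example (not code from
the original text): a decoder for DR7 that reports the same signs a method-10
check would, plus helpers that arm and clear the DR0-DR3 slots.  The bit layout
is Intel's (L0/G0 .. L3/G3 in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and
reading as 1, GD in bit 13, then two-bit R/Wn and LENn fields per slot from bit
16 up); the 0x700 and 0x400 values are the ones quoted above.  Nothing here
reads the real registers, so it runs anywhere.

```python
"""Added example: decode/arm/clear x86 DR7 as a method-10 style check would.
Not part of the original text; bit layout per the Intel SDM.
"""
from dataclasses import dataclass

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes only in long mode
RESERVED_BIT10 = 0x400                 # always set; the bare "0x400" of the text


@dataclass
class Slot:
    index: int
    local: bool
    glob: bool
    rw: str
    length: int

    @property
    def enabled(self):
        return self.local or self.glob


@dataclass
class DR7:
    slots: list
    le: bool
    ge: bool
    gd: bool

    @property
    def enabled_slots(self):
        return [s for s in self.slots if s.enabled]


def decode_dr7(dr7):
    """Split a DR7 value into its enable bits and the four slot descriptors."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append(Slot(n, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return DR7(slots, bool((dr7 >> 8) & 1), bool((dr7 >> 9) & 1), bool((dr7 >> 13) & 1))


def debugger_signs(dr7):
    """What a method-10 check would report; an empty list means a clean 0x400."""
    v = decode_dr7(dr7)
    signs = []
    if v.le or v.ge:
        signs.append("LE/GE set (the 0x700 pattern the text attributes to the SoftICE loader)")
    if v.gd:
        signs.append("GD set: MOV to/from DRn will trap")
    for s in v.enabled_slots:
        scope = "global" if s.glob else "local"
        signs.append(f"DR{s.index} armed: {scope} {s.rw} breakpoint on {s.length} byte(s)")
    return signs


def arm_breakpoint(dr7, n, rw, length, glob=False):
    """Return dr7 with slot n armed (rw and length are the raw two-bit field values)."""
    if n not in range(4) or rw not in range(4) or length not in range(4):
        raise ValueError("slot, rw and length are two-bit fields")
    shift = 16 + 4 * n
    dr7 &= ~(0xF << shift)                        # clear the old R/Wn and LENn fields
    dr7 |= (rw << shift) | (length << (shift + 2))
    dr7 |= 1 << (2 * n + 1 if glob else 2 * n)    # Gn or Ln
    return dr7 | RESERVED_BIT10


def clear_breakpoints(dr7):
    """Disarm DR0-DR3 ('clearing BPMs'), keeping LE/GE/GD and the reserved bit."""
    return (dr7 & 0x0000FF00) | RESERVED_BIT10


if __name__ == "__main__":
    armed = arm_breakpoint(0x700, 0, 3, 3)        # BPM on 4 bytes, read/write, in DR0
    for line in debugger_signs(armed):
        print(line)
    print(hex(clear_breakpoints(armed)))
```

The decoder is also what you want on the defending side: when a protector reads
DR7 from ring 0, the bits it cares about are exactly the ones `debugger_signs`
lists, so faking a clean value means returning 0x400 with every Ln/Gn clear.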

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>