<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
    -AX = 0910h (Display a string in the SIce window)
    -AX = 0911h (Execute a SIce command; the command string is at ds:dx)
    -AX = 0912h (Get breakpoint information)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to address the IVT (ES = 0)
    xchg bx, es:[41h*4+2]   ; our handler is now the int 41h vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value: not predictable
    xor cx,cx
    int 41h                 ; reaches our handler (cl = al) only if nothing intercepts it
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
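What follows is an added example, not code from the text or from any of the
programs it names: a small Python linear-sweep decoder for 16-bit x86 that
tracks the immediate values loaded into the general registers and, at every
INT it reaches, names the probe from the register contents the text gives
(EBP/AX for method 01, SI/DI for 02, AX/BX for 03 and 04, AX for 05, AH for
07, AH/AL for 08). The sample byte strings are hand-assembled from the
listings above and constructed for this example; the method labels and the
register-tracking rules are mine, not part of any tool. Method 06 is
included on purpose: its AL value comes from a port read, so the decoder can
only report an unclassified INT 41h, which is why the text calls that
variant harder to detect.

```python
# Added example (not from the text): a tiny linear-sweep decoder for 16-bit x86 that tracks
# the immediates loaded into registers and names every INT it reaches by the text's rules.
R16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x66}            # segment overrides and operand-size
FIXED = {**dict.fromkeys(range(0x40, 0x60), 1), **dict.fromkeys(range(0x70, 0x80), 2),
         **dict.fromkeys([0x06, 0x07, 0x0E, 0x16, 0x17, 0x1E, 0x1F, 0x90, 0xC3, 0xCF,
                          0xEC, 0xED, 0xFA, 0xFB], 1), 0xA8: 2, 0xE4: 2, 0xE5: 2,
         0xEB: 2, 0xA9: 3, 0xE8: 3, 0xE9: 3}          # opcodes of fixed length (in bytes)

def forget(st, reg):
    st.pop(reg, None)
    st.pop("e" + reg, None)

def set16(st, reg, value):
    forget(st, reg)
    st[reg] = (value & 0xFFFF, 0xFFFF)              # state entry = (value, mask of known bits)

def set8(st, index, value):                          # B0+r order: al,cl,dl,bl,ah,ch,dh,bh
    reg, high = R16[index & 3], index >= 4
    old, mask = st.get(reg, (0, 0))
    st[reg] = ((old & (0x00FF if high else 0xFF00)) | (value * 256 if high else value),
               mask | (0xFF00 if high else 0x00FF))

def bits(st, reg, lo=0, hi=16):                      # bits [lo, hi) of reg, None if unknown
    value, mask = st.get(reg, (0, 0))
    need = 2 ** hi - 2 ** lo
    return (value & need) >> lo if mask & need == need else None

def classify(vector, st):
    """Name the probe an INT performs, judged from the register state, or None."""
    ax, bx, si, di = (bits(st, r) for r in ("ax", "bx", "si", "di"))
    ah, al = bits(st, "ax", 8, 16), bits(st, "ax", 0, 8)
    if vector == 3 and bits(st, "ebp", 0, 32) == 0x4243484B and ax == 4:
        return "method 01: BoundsChecker 'BCHK' probe via INT 3"
    if vector == 3 and si == 0x4647 and di == 0x4A4D:
        return "method 02: SoftICE back-door call, AX=" + ("%04Xh" % ax if ax is not None else "?")
    if vector == 0x2F and ax == 0x1684 and bx in (0x0202, 0x7A5F):
        return "method 03/04: INT 2Fh/1684h entry point of VxD ID %04Xh" % bx
    if vector == 0x41 and ax == 0x4F:
        return "method 05: INT 41h/4Fh debugger-installed check"
    if vector == 0x68 and ah == 0x43:
        return "method 07: INT 68h/43h WinICE handler check"
    if vector == 0x21 and ah == 0x25 and al in (1, 3):
        return "method 08: INT 21h/25h re-vectors INT %02Xh" % al
    return None

def scan(code):
    """Return [(offset, vector, label or None)] for every INT in `code`."""
    padded = bytes(code) + bytes(4)                  # a truncated last instruction reads as 0s
    st, i, hits = {}, 0, []
    while len(code) > i:
        start, wide, op = i, False, code[i]
        while op in PREFIXES and len(code) > i + 1:
            wide, i, op = wide or op == 0x66, i + 1, code[i + 1]
        imm = 4 if wide else 2                       # size of a word immediate
        if op in range(0xB8, 0xC0):                  # mov r16/r32, imm
            reg, value = R16[op - 0xB8], int.from_bytes(padded[i + 1:i + 1 + imm], "little")
            set16(st, reg, value)
            if wide:
                st["e" + reg] = (value, 0xFFFFFFFF)
            i += 1 + imm
        elif op in range(0xB0, 0xB8):                # mov r8, imm8
            set8(st, op - 0xB0, padded[i + 1])
            i += 2
        elif op in (0xCC, 0xCD):                     # int 3 / int imm8
            vector = 3 if op == 0xCC else padded[i + 1]
            hits.append((start, vector, classify(vector, st)))
            i += 1 if op == 0xCC else 2
        elif (op in range(0x40) and op & 7 in range(4)) or op in range(0x80, 0x90):
            m = padded[i + 1]                        # ALU r/m,r; test/xchg/mov/lea/pop r/m
            if op in (0x31, 0x33) and m >> 6 == 3 and (m >> 3) & 7 == m & 7:
                set16(st, R16[m & 7], 0)             # xor reg,reg -> 0
            else:                                    # any other write: forget both operands
                forget(st, R16[(m >> 3) & 7])        # (reg may be an sreg or /digit; over-
                if m >> 6 == 3:                      #  forgetting is the safe direction)
                    forget(st, R16[m & 7])
            extra = imm if op == 0x81 else 1 if op in (0x80, 0x82, 0x83) else 0
            i += 2 + {0: 2 if m & 7 == 6 else 0, 1: 1, 2: 2, 3: 0}[m >> 6] + extra
        elif op in range(0x40) and op & 7 in (4, 5): # ALU al/ax, imm
            if op >> 3 != 7:                         # all but cmp write the accumulator
                forget(st, "ax")
            i += 2 if op & 7 == 4 else 1 + imm
        elif op in FIXED:
            if op in range(0x40, 0x50) or op in range(0x58, 0x60):   # inc/dec/pop r16
                forget(st, R16[op & 7])
            elif op in (0xE4, 0xE5, 0xEC, 0xED):     # in al/ax, port
                forget(st, "ax")
            i += FIXED[op] if FIXED[op] != 3 else 1 + imm
        else:                                        # unknown opcode: resync, forget all
            st, i = {}, i + 1
    return hits

SAMPLES = {   # constructed: hand-assembled from the listings in the text, not from a binary
    "method 01": bytes.fromhex("66BD4B484342 B80400 CC 3C04 7505"),
    "method 02": bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB EB56"),
    "method 03": bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F 8CC0 03C7 85C0 7505"),
    "method 06": bytes.fromhex("31C0 8EC0 8CCB 8D160010 2687160401 26871E0601 E440 31C9 CD41"),
    "method 07": bytes.fromhex("B443 CD68 3D86F3 7405"),
}
```

Calling scan() on each SAMPLES entry returns one (offset, vector, label)
tuple per INT; a label of None means the interrupt was seen but matched no
rule. An opcode the decoder does not know makes it discard the register
state and step one byte, so it prefers missing a probe to inventing one, and
the 32-bit sequences of methods 11 and 12 are outside its scope.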

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
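The two DR7 values quoted above can be read off the register's layout: bit 10
of DR7 is reserved and always reads as 1, so 0x400 is what the register holds
when nothing is armed, while 0x700 additionally has bits 8 and 9 (LE and GE,
exact breakpoint matching) set; the breakpoint slots themselves are enabled by
bits 0-7 and typed by bits 16-31. The Python below is an added example, not
code from the text; it takes DR7 and DR0-DR3 as plain integers (the ring0
read that obtains them is assumed and not shown) and lists each armed slot
with its address, scope, type and length, which is the information a BPM
leaves behind.

```python
# Added example (not from the text): decode the debug registers that method 10 reads.
# Layout is the architectural one: DR7 bits 0-7 = L0,G0 .. L3,G3; bit 8 LE; bit 9 GE;
# bit 10 reserved (reads as 1); bit 13 GD; bits 16-31 = R/Wn and LENn, 2 bits each, n = 0..3.
RW_TYPE = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}          # 10b is 8 bytes in 64-bit mode, undefined before

def field(value, lo, width):
    """The `width`-bit field of `value` starting at bit `lo`."""
    return (value >> lo) & (2 ** width - 1)

def decode_debug_regs(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe the hardware breakpoint state held in DR7 plus the addresses in DR0-DR3."""
    slots = []
    for n in range(4):
        local, glob = field(dr7, 2 * n, 1), field(dr7, 2 * n + 1, 1)
        if local or glob:
            slots.append({"slot": n, "address": dr0_3[n],
                          "scope": "global" if glob else "local",
                          "type": RW_TYPE[field(dr7, 16 + 4 * n, 2)],
                          "length": LEN_BYTES[field(dr7, 18 + 4 * n, 2)]})
    return {"breakpoints": slots,
            "exact_match": bool(field(dr7, 8, 1) or field(dr7, 9, 1)),   # LE/GE, the 0x300 part
            "general_detect": bool(field(dr7, 13, 1)),                 # GD: MOV DRn traps
            "reserved_bit10": bool(field(dr7, 10, 1)),                 # always 1 on real hardware
            "reset_value": dr7 == 0x400}

def debugger_indicators(dr7, dr0_3=(0, 0, 0, 0)):
    """The observations a method-10 style check would act on, as a list of strings."""
    state, notes = decode_debug_regs(dr7, dr0_3), []
    if state["reset_value"]:
        return ["DR7 is the reset value 0x400: no slot armed, LE/GE clear (the text's 'otherwise')"]
    if state["exact_match"]:
        notes.append("LE/GE set (DR7 & 0x300): the 0x700 the text attributes to the SoftICE loader")
    if state["general_detect"]:
        notes.append("GD set: any access to the debug registers will trap")
    for bp in state["breakpoints"]:
        notes.append("slot %d armed: %s breakpoint, %d byte(s) at 0x%08X (%s)"
                     % (bp["slot"], bp["type"], bp["length"], bp["address"], bp["scope"]))
    if not state["reserved_bit10"]:
        notes.append("bit 10 clear: this value cannot come from a real DR7 read")
    return notes

if __name__ == "__main__":
    # Constructed values: the two the text quotes, then one with a 4-byte write BPM in slot 0.
    for dr7, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)), (0xD0701, (0x00401000, 0, 0, 0))):
        print("DR7=0x%X:" % dr7, "; ".join(debugger_indicators(dr7, regs)))
```

The third constructed value, 0xD0701, is 0x700 with L0 set and R/W0=01,
LEN0=11, i.e. a local 4-byte write breakpoint whose address sits in DR0; it is
what a BPM on a dword would leave in the registers.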

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
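Methods 11 and 13 both leave plain strings behind in the program (the device
names handed to CreateFileA or _lopen, and the registry paths), which is what
a static scan of a suspect binary looks for before anything is run. The
Python below is an added example and not code from the text; it searches a
buffer for those strings in both the 8-bit form and the UTF-16LE form a
wide-character build would carry, reports which method each one belongs to,
and for a device name also returns the four characters after \\.\, which is
exactly what the BPX CreateFileA if *(esp->4+4)=='SICE' condition above
compares. The sample buffer is constructed for the example.

```python
# Added example (not from the text): find the strings methods 11 and 13 rely on, the way a
# file scanner would.  Device names are searched in the 8-bit form CreateFileA/_lopen receive
# and in UTF-16LE (the CreateFileW form); registry paths likewise.  Indicators come from the text.
DEVICES = {b"\\\\.\\SICE": "SICE driver (Win9x)",
           b"\\\\.\\SIWVID": "SIWVID video driver (Win9x)",
           b"\\\\.\\NTICE": "NTICE driver (WinNT)"}
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE",            # key #2, the usual one
                 b"Uninstall\\SoftICE",                   # tail of key #1
                 b"App Paths\\Loader32.Exe"]              # tail of key #3

def find_all(blob, needle):
    """Every offset of `needle` in `blob`; ASCII case-insensitive, as Win32 names are."""
    blob, needle, pos, offsets = blob.lower(), needle.lower(), 0, []
    while True:
        pos = blob.find(needle, pos)
        if pos == -1:
            return offsets
        offsets.append(pos)
        pos += 1

def scan_strings(blob):
    """Return sorted (offset, encoding, method, description, bpx_tag) tuples.

    bpx_tag is the four characters after '\\\\.\\', i.e. what the text's
    BPX CreateFileA if *(esp->4+4)=='SICE' condition compares; empty for registry keys.
    """
    wanted = [(d, "method 11", "opens " + desc, d[4:8].decode()) for d, desc in DEVICES.items()]
    wanted += [(k, "method 13", "registry key ...\\" + k.decode(), "") for k in REGISTRY_KEYS]
    hits = []
    for needle, method, what, tag in wanted:
        for encoding, raw in (("ascii", needle), ("utf-16le", needle.decode().encode("utf-16-le"))):
            for offset in find_all(blob, raw):
                hits.append((offset, encoding, method, what, tag))
    return sorted(hits)

# Constructed sample "data section": two device names, a UTF-16 registry path and a
# lower-case NTICE name, padded with zeros.  Not taken from any real program.
SAMPLE_BLOB = (bytes(16) + b"\\\\.\\SICE\x00" + b"\\\\.\\SIWVID\x00"
               + "Software\\NuMega\\SoftICE".encode("utf-16-le") + bytes(8)
               + b"\\\\.\\ntice\x00")

if __name__ == "__main__":
    for offset, encoding, method, what, tag in scan_strings(SAMPLE_BLOB):
        print("+%04X %-8s %s: %s %s" % (offset, encoding, method, what, tag))
```

Matching is case-insensitive because the Win32 device namespace is, so a
program that spells the name \\.\sice is reported the same way; the
lower-case entry in the sample buffer exists to show that.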

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>