<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by most of
the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an INT 3 issued
with EBP holding the 'BCHK' signature and AX = 04h is serviced by SoftICE,
which modifies AL before returning. Without SoftICE the INT 3 reaches the
program's own handler (under Windows the program must catch the breakpoint
exception itself, otherwise it gets terminated) and AL still holds 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on INT 3, which gives information on
breakpoints, executes SoftICE commands, etc.
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the request.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at DS:DX (BX walks
a table of near pointers, one per command string), which are: LDT, IDT, GDT,
TSS, RS and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/AX=1684h ("Get Device API Entry Point"): BX holds the VxD ID, and
ES:DI comes back pointing at the VxD's API entry point, or stays 0:0 (the
code zeroes it beforehand) when no VxD with that ID is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of SICE (winice)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI still 0:0 -> no SoftICE
 jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE video driver (SIWVID, the 'GFX' VxD).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by system
debuggers that implement the Windows debug interface: it calls int 41h,
function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). ES must point to the real-mode IVT here
(ES = 0, as Method 06 does explicitly): the program temporarily installs
its own dummy INT 41h handler. If no debugger is loaded the dummy handler
runs and AX is left at 4Fh; if SoftICE is loaded it answers the INT 41h
before the V86 vector is reached and AX comes back as 0F386h. The second
pair of XCHGs restores the original vector.

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect because it
never uses function 4Fh, so a 'BPINT 41 if ax==4f' will not fire. The dummy
handler copies AL into CL; AL is first loaded with a byte read from port 40h
(timer counter 0, i.e. a pseudo-random value) and CX is zeroed. If the dummy
handler ran (no SoftICE), CL == AL; if SoftICE consumed the INT 41h, CL is
still 0. (When the port read happens to return 0 the check misfires, so it
is not fully reliable.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax ; ES -> real-mode IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): AH=43h is the
installation check of the Windows debugging interface, which returns
AX=0F386h when a debugger is installed.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h (single step) and int 03h (breakpoint), the two
interrupts a debugger relies on, and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, 01h ; or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The VMM Get_DDB service determines whether a VxD is installed for the
specified device ID and returns its Device Description Block (in ecx) if
it is.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before running code that uses this
trick. DO NOT trace it with SoftICE while the check is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPM) are set (dr0 to dr3), simply by
reading their values. Moving to/from DRx is a privileged instruction, so this
works in ring0 only. The values can be manipulated and changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API: if the driver is loaded the open succeeds
and returns a handle, otherwise it returns INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

/* Win32 code: CreateFile, CloseHandle and the flags come from windows.h.
   MeltICE repeats the same open for "\\\\.\\SIWVID" and "\\\\.\\NTICE". */
BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* "\\.\SICE" is the device name registered by the SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the open succeeded: the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) -> 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available under Win95/98 (not
NT), as it uses the VxDCall backdoor (KERNEL32 ordinal 1). This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

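When you meet a packed program you usually want to know which of these
checks it contains before you trace it. As an added example (not code from
the page, from MeltICE, or from any other tool named here), this C scanner
looks for the byte encodings of the instruction sequences and device names
quoted in Methods 01 to 07, 11 and 12 in a buffer read from a file. The
patterns are the standard x86 encodings of the instructions shown above
(16-bit operand size where the page shows 16-bit code); the sample stub is
constructed for the demonstration. Values computed at runtime instead of
being written as immediates will of course not match.

```c
/* Added example: signature scanner for the SoftICE checks described on
 * this page.  Not code from the original page or from any tool it names.
 * Patterns are the standard x86 encodings of the quoted instructions; the
 * sample stub at the end is constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char          *name;   /* which method on the page the pattern belongs to */
    const unsigned char *bytes;
    size_t               len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK'). 16-bit code adds a 66h prefix,
   which this pattern still matches as a substring. */
static const unsigned char SIG_BCHK[]      = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ; mov di,4A4Dh as 16-bit code (as in the HASP stub) */
static const unsigned char SIG_FGJM[]      = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh */
static const unsigned char SIG_SICE_ID[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const unsigned char SIG_SIWVID_ID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh ; int 41h (16-bit code) */
static const unsigned char SIG_INT41_4F[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Methods 05/06/07/12: cmp ax,0F386h (the 32-bit form is 66 3D 86 F3, so
   this 3-byte pattern matches both) */
static const unsigned char SIG_F386[]      = { 0x3D, 0x86, 0xF3 };
/* Method 07: mov ah,43h ; int 68h */
static const unsigned char SIG_INT68_43[]  = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) */
static const unsigned char SIG_VXDCALL41[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };
/* Method 11: device names handed to CreateFileA / _lopen (NUL excluded below) */
static const unsigned char SIG_DEV_SICE[]   = "\\\\.\\SICE";
static const unsigned char SIG_DEV_SIWVID[] = "\\\\.\\SIWVID";
static const unsigned char SIG_DEV_NTICE[]  = "\\\\.\\NTICE";

static const sig_t SIGS[] = {
    { "Method 01: INT 3 BoundsChecker 'BCHK' check",     SIG_BCHK,       sizeof SIG_BCHK },
    { "Method 02: INT 3 back door (SI=4647h, DI=4A4Dh)", SIG_FGJM,       sizeof SIG_FGJM },
    { "Method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",   SIG_SICE_ID,    sizeof SIG_SICE_ID },
    { "Method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", SIG_SIWVID_ID,  sizeof SIG_SIWVID_ID },
    { "Method 05: INT 41h function 4Fh",                 SIG_INT41_4F,   sizeof SIG_INT41_4F },
    { "Methods 05/06/07/12: cmp ax,0F386h",              SIG_F386,       sizeof SIG_F386 },
    { "Method 07: INT 68h function 43h",                 SIG_INT68_43,   sizeof SIG_INT68_43 },
    { "Method 12: VxDCall VWIN32_Int41Dispatch",         SIG_VXDCALL41,  sizeof SIG_VXDCALL41 },
    { "Method 11: \\\\.\\SICE device name",              SIG_DEV_SICE,   sizeof SIG_DEV_SICE - 1 },
    { "Method 11: \\\\.\\SIWVID device name",            SIG_DEV_SIWVID, sizeof SIG_DEV_SIWVID - 1 },
    { "Method 11: \\\\.\\NTICE device name",             SIG_DEV_NTICE,  sizeof SIG_DEV_NTICE - 1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte substring search (memmem is not portable). */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    size_t i;
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Scan buf for every signature; store up to max_found names in found[] and
   return the number of distinct signatures present. */
size_t scan_softice_checks(const unsigned char *buf, size_t len,
                           const char **found, size_t max_found)
{
    size_t i, n = 0;
    for (i = 0; i < NSIGS; i++) {
        if (contains(buf, len, SIGS[i].bytes, SIGS[i].len)) {
            if (n < max_found)
                found[n] = SIGS[i].name;
            n++;
        }
    }
    return n;
}

/* Constructed sample: a 16-bit stub using Method 02, Method 05 and the
   MeltICE device name, with some padding around them. */
static const unsigned char SAMPLE_STUB[] = {
    0x90, 0x90,                                       /* nop ; nop */
    0xB8, 0x11, 0x09,                                 /* mov ax,0911h  (Method 02) */
    0xBE, 0x47, 0x46,                                 /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                                 /* mov di,4A4Dh */
    0xCC,                                             /* int 3 */
    0xB8, 0x4F, 0x00,                                 /* mov ax,4Fh    (Method 05) */
    0xCD, 0x41,                                       /* int 41h */
    0x3D, 0x86, 0xF3,                                 /* cmp ax,0F386h */
    0x74, 0x0A,                                       /* jz SoftICE_detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,  /* "\\.\SICE"    (Method 11) */
    0xC3                                              /* ret */
};

size_t scan_sample_stub(const char **found, size_t max_found)
{
    return scan_softice_checks(SAMPLE_STUB, sizeof SAMPLE_STUB, found, max_found);
}

int main(void)
{
    const char *found[NSIGS];
    size_t n = scan_sample_stub(found, NSIGS), i;
    printf("%u SoftICE check(s) found in the sample stub:\n", (unsigned)n);
    for (i = 0; i < n; i++)
        printf("  %s\n", found[i]);
    return 0;
}
```

To use it on a real file, read the whole executable into memory and pass it
to scan_softice_checks; each hit tells you which breakpoint from the
corresponding method to set before tracing.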
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" inside the
 subkey strings of #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>