About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A 2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>