<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface ('BCHK' signature) built into SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It looks up the SoftICE VxD by its ID via int 2Fh,
function 1684h (Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice (SICE)
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point (0:0 if not installed)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). They temporarily replace the int 41h
vector in the IVT (ES must be 0 here, as set up in Method 06) with a dummy
handler, so that a debugger hooking int 41h is bypassed unless it is the
one answering the call:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our own int 41h handler, keep the old one
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL, and the check compares the two after the
call. If SoftICE answers int 41h itself, the dummy handler never runs and CL
stays at 0, so CL != AL.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                ; ES = 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]      ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h               ; a quasi-random value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]      ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h                      ; set interrupt vector
 mov al, Int_Number               ; 01h or 03h
 mov dx, offset New_Int_Routine   ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE's loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
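
To see why 0x700 and 0x400 tell the two cases apart, decode the DR7 bits:
0x400 is only the reserved bit that always reads as 1, and 0x700 adds the LE
and GE (exact breakpoint enable) bits while leaving DR0-DR3 disabled. The
decoder below is an added example, not code from the original text; the bit
layout is the documented x86 one, and the 0xF0402 sample value is constructed.

```python
"""Decode the DR7 debug-control register that the Method 10 trick reads.
Added example, not code from the original text.  Bit layout is the one in the
Intel architecture manual: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10
reserved (always reads 1), GD bit 13, then for each DRn the R/W field at bits
16+4n..17+4n and the LEN field at bits 18+4n..19+4n."""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of enabled hardware breakpoints."""
    out = {
        "LE": bool(dr7 >> 8 & 1),     # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),     # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),    # general detect: traps any access to DR0-DR7
        "breakpoints": [],
    }
    for n in range(4):
        local = dr7 >> (2 * n) & 1
        glob = dr7 >> (2 * n + 1) & 1
        if local or glob:
            out["breakpoints"].append({
                "reg": n,
                "local": bool(local),
                "global": bool(glob),
                "kind": RW_KIND[dr7 >> (16 + 4 * n) & 0b11],
                "length": LEN_BYTES[dr7 >> (18 + 4 * n) & 0b11],
            })
    return out


def bpm_active(dr7: int) -> bool:
    """True when any of DR0-DR3 is enabled, i.e. a SoftICE BPM could be live."""
    return bool(decode_dr7(dr7)["breakpoints"])


def explain(dr7: int) -> str:
    """One-line reading of DR7 in the terms the page uses."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        regs = ", ".join(f"DR{b['reg']} {b['kind']} len={b['length']}" for b in d["breakpoints"])
        return f"dr7={dr7:#x}: memory breakpoint(s) set: {regs}"
    if d["LE"] and d["GE"]:
        return f"dr7={dr7:#x}: no breakpoints, LE/GE set (the 0x700 value seen under SoftICE's loader)"
    return f"dr7={dr7:#x}: no breakpoints, only the reserved bit (the 0x400 value seen otherwise)"


if __name__ == "__main__":
    # 0xF0402 (constructed): reserved bit plus a global 4-byte read/write breakpoint in DR0,
    # i.e. what a BPM RW doubleword breakpoint would leave behind.
    for value in (0x700, 0x400, 0xF0402):
        print(explain(value))
```

The practical consequence for an analyst is the one the page warns about: any
BPM you leave set is visible in DR0-DR3 and in the enable bits of DR7, so clear
them before letting such a protection reach its ring0 check.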

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);   /* the device exists: SoftICE is loaded */
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                  ; HFILE_ERROR (-1) becomes 0
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
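
Most of the checks above leave fixed instruction sequences or strings in the
protected file, so they can also be found statically when triaging a packed
binary. The scanner below is an added example, not code from the original text
or from any program it mentions: it encodes the instructions of Methods 01, 02,
03/04, 05, 07 and 12 as byte patterns (standard x86 encodings; 16-bit register
moves carry the 66h prefix in 32-bit code), adds the \\.\SICE, \\.\SIWVID and
\\.\NTICE device names of Method 11, and for a Method 02 hit reports which
back-door function (AX=0910h..0914h) is loaded next to it. The signature
names and the SAMPLE blob are constructed for the example.

```python
"""Static scanner for the byte patterns of the SoftICE checks in Methods 01-05, 07, 11
and 12.  Added example, not code from the original text.  Assumptions: the input is raw
x86 machine code (16-bit DOS code, or a 32-bit Win32 section, where 16-bit register
moves carry the 66h operand-size prefix); SAMPLE below is constructed."""
import re

# name -> (regex over raw bytes, meaning).  ".{0,8}?" tolerates a few unrelated bytes
# between the instructions that make up one trick; re.DOTALL lets "." match 0x0A too.
SIGNATURES = {
    "M01 BCHK": (
        rb"\x66?\xBD\x4B\x48\x43\x42",                     # mov ebp, 4243484Bh ('BCHK')
        "BoundsChecker signature loaded before int 3"),
    "M02 magic values": (
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC",  # mov si,4647h / mov di,4A4Dh / int 3
        "SoftICE back door call (SI=4647h, DI=4A4Dh, int 3)"),
    "M03/04 int 2Fh/1684h": (
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",  # mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
        "VxD entry point lookup for SICE (0202h) or SIWVID (7A5Fh)"),
    "M05 int 41h/4Fh": (
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",                   # mov ax,4Fh / int 41h
        "debugger installation check, expects AX=0F386h"),
    "M07 int 68h/43h": (
        rb"\xB4\x43.{0,8}?\xCD\x68",                       # mov ah,43h / int 68h
        "V86 WinICE handler check, expects AX=0F386h"),
    "M11 device name": (
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",                 # "\\.\SICE" etc. passed to CreateFileA/_lopen
        "MeltICE-style driver handle open"),
    "M12 VxDCall Int41Dispatch": (
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                  # push 4Fh / push 002A002Ah (VWIN32, Int41Dispatch)
        "int 41h/4Fh check through the VxDCall back door"),
}

# Back-door function numbers in AX for a Method 02 call, as listed on the page.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}


def scan(blob: bytes) -> list:
    """Return [(offset, signature name)] for every hit, sorted by offset."""
    hits = []
    for name, (pattern, _meaning) in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def backdoor_function(blob: bytes, hit_offset: int, window: int = 16):
    """For a 'M02 magic values' hit, look a few bytes around it for 'mov ax, 091Xh'
    and return (function number, meaning), or None if no known function is loaded."""
    start = max(0, hit_offset - window)
    m = re.search(rb"\x66?\xB8([\x10-\x14])\x09", blob[start:hit_offset + window])
    if m is None:
        return None
    func = 0x0900 | m.group(1)[0]
    return func, BACKDOOR_FUNCTIONS[func]


# Constructed sample: NOP padding around hand-assembled instances of the tricks.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01, 32-bit form
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02, Haspinst-style (16-bit)
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03 (SICE VxD ID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # Method 05, simplest form
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x20\x40\x00"       # Method 12 (the call [iat] is made up)
    + b"\\\\.\\SICE\x00"                                            # Method 11 device name
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}: {SIGNATURES[name][1]}")
        if name == "M02 magic values":
            print("        back-door function:", backdoor_function(SAMPLE, offset))
```

Run it over a raw code section rather than over a whole file to keep false
positives down: the 8-byte gaps are a heuristic, not a disassembly, and a
pattern such as "mov ax,4Fh / int 41h" can also occur in legitimate debugger
support code.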

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
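
The two offsets in that breakpoint are not arbitrary: 0x13 and 0x37 are where
the characters 'tICE' of "SoftICE" sit inside subkeys #2 and #1. The snippet
below is an added example, not code from the original text; it assumes that
SoftICE's *(esp->8+N)=='tICE' reads the four bytes at offset N of RegOpenKey's
second stack argument (lpSubKey) and compares them in memory order, and on that
assumption it re-derives the page's condition from the key paths and evaluates it.

```python
"""Where the 0x13 and 0x37 in the Method 13 breakpoint come from.  Added example,
not code from the original text.  Modelling assumption: SoftICE's *(esp->8+N)=='tICE'
reads the four bytes at offset N of RegOpenKey's second argument (lpSubKey) and
compares them, in memory order, with the characters t,I,C,E; so N is the offset of
the 't' of 'SoftICE' inside the subkey path."""

# The three subkeys listed in Method 13, without the HKEY_LOCAL_MACHINE root.
SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def token_offsets(subkeys, token="tICE"):
    """Map each subkey path to the offset of `token` inside it (None when absent)."""
    return {k: (k.find(token) if token in k else None) for k in subkeys}


def bpx_condition(subkeys, token="tICE", arg="esp->8"):
    """Build a SoftICE BPX condition of the page's form from the offsets found."""
    offsets = sorted({o for o in token_offsets(subkeys, token).values() if o is not None})
    return " || ".join(f"*({arg}+{o:#x})=='{token}'" for o in offsets)


def condition_matches(subkey, token="tICE", offsets=(0x13, 0x37)):
    """Evaluate the page's condition on a subkey the way the breakpoint would."""
    return any(subkey[o:o + len(token)] == token for o in offsets)


if __name__ == "__main__":
    print("BPX _regopenkey if " + bpx_condition(SUBKEYS))
    for key in SUBKEYS:
        print(condition_matches(key), key)
```

Subkey #3 contains no 'tICE', so the breakpoint as written does not fire for
programs that only look up the Loader32.Exe App Path; bpx_condition with another
token (for example a fragment of "Loader32") gives the extra clause for that case.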

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>