<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh          ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911        ; execute command.
    4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647        ; 1st magic value.
    4C19:009D MOV DI,4A4D        ; 2nd magic value.
    4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
    4C19:00A8 JB 0095            ; 6 different commands.
    4C19:00AA JMP 0002           ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h                ; VxD ID of WinICE
    int 2Fh
    mov ax, es                   ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh                ; VxD ID of SIWVID
    int 2fh
    mov ax, es                   ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]          ; es must already be 0 (IVT segment), as in method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]          ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                    ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]          ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                   ; read the PIT counter into al (an unpredictable value)
    xor cx,cx
    int 41h                      ; our handler copies al into cl, unless something intercepts it
    xchg dx, es:[41h*4]          ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                  ; DOS set interrupt vector
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID           ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name         ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx               ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov  eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589                ; detected
    push 00                      ; OF_READ
    mov  eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae                ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh               ; function 4fh
    push 002a002ah               ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001        ; VxDCall
    cmp ax, 0f386h               ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
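The breakpoints listed for each method only help once the program is already running
under SoftICE. The following Python scanner is an added example, not code from the
original text: it searches a raw binary for the traces the methods above leave in
the file itself, so a sample can be triaged for these checks before it is ever
debugged. The opcode patterns are the standard x86 encodings of the instructions
shown in methods 01 to 07 and 12 (an optional 66h operand-size prefix lets the
16-bit register forms match inside 32-bit code too); the string patterns are the
MeltICE driver names from method 11 and the registry keys from method 13. The
SAMPLE buffer is constructed for the demonstration and is not taken from any real
program.

```python
"""Static scanner for the SoftICE-detection indicators described on this page.

Added example (not from the original text). It searches a raw code/data buffer
for the opcode sequences and strings each method leaves behind, so an analyst
can triage a binary for anti-debugging checks without stepping through it.
"""
import re
from typing import List, Tuple

Hit = Tuple[str, int, str]  # (method label, byte offset, description)

# Opcode patterns. Encodings are plain x86; an optional 0x66 operand-size
# prefix lets the 16-bit-register forms match inside 32-bit code as well.
# Short lazy gaps ('.{0,n}?') tolerate a few unrelated bytes in between.
OPCODE_INDICATORS = [
    ("01", "BoundsChecker backdoor: mov ebp,'BCHK'",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 backdoor magic: mov si,4647h / mov di,4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h VxD entry lookup for SICE (0202h) or SIWVID (7A5Fh)",
     rb"\x66?\xB8\x84\x16.{0,4}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger-installation check",
     rb"\x66?\xB8\x4F\x00.{0,4}?\xCD\x41"),
    ("05/06/07/12", "compare against the 0F386h system-debugger magic",
     rb"\x66?\x3D\x86\xF3"),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43\xCD\x68"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

# Literal strings: MeltICE device names (method 11) and registry keys (method 13).
STRING_INDICATORS = [
    ("11", "MeltICE driver handle name", rb"\\.\SICE"),
    ("11", "MeltICE driver handle name", rb"\\.\SIWVID"),
    ("11", "MeltICE driver handle name", rb"\\.\NTICE"),
    ("13", "SoftICE registry key", rb"Software\NuMega\SoftICE"),
    ("13", "SoftICE uninstall registry key", rb"Uninstall\SoftICE"),
    ("13", "Symbol Loader App Paths key", rb"App Paths\Loader32.Exe"),
]

COMPILED = (
    [(m, d, re.compile(p, re.DOTALL)) for m, d, p in OPCODE_INDICATORS]
    + [(m, d, re.compile(re.escape(s))) for m, d, s in STRING_INDICATORS]
)


def scan(data: bytes) -> List[Hit]:
    """Return every indicator hit in `data`, ordered by file offset."""
    hits: List[Hit] = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(data):
            hits.append((method, match.start(), desc))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str) -> List[Hit]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not taken from any real binary): the Haspinst
# fragment from method 02, a MeltICE device name, and the method 12 VxDCall.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\x8B\x17"             # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"     # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                  # "\\.\SICE",0
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"     # push 4Fh ; push 2A002Ah
    + b"\x66\x3D\x86\xF3"                 # cmp ax,0F386h (32-bit code)
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"offset {offset:#06x}  method {method:<12} {desc}")
```

Offsets are raw file offsets, so for a PE sample a hit still has to be translated
to an RVA before it is set as a breakpoint. The gaps in the opcode patterns are
deliberately short: a packer that interleaves junk instructions or builds the magic
values arithmetically will slip past them, which is why the string indicators are
the more reliable half of the table and why the scanner is a triage aid, not a
replacement for the dynamic breakpoints given with each method.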
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>