<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' - BoundsChecker interface signature
        mov ax, 04h
        int 3
        cmp al, 4               ; al is still 4 if nothing answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0:0 if the VxD is not loaded
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0:0 if the VxD is not loaded
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh             ; debugger installation check
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; es = 0, the IVT segment
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax alone; SoftICE does not
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only runs if nobody intercepted int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0, the IVT segment
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was reached
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
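
Decoding the DR7 values quoted above, as an added Python example (not code from the original text): it splits DR7 into the LE/GE flags and the enabled DR0-DR3 slots, which is what separates the 0x700 loader case from the 0x400 baseline and reveals any BPM that is set. The function names and the third sample value are mine.

```python
# DR7 layout (Intel SDM vol. 3): bits 0-7 are the L0/G0 .. L3/G3 enable
# pairs for DR0-DR3, bit 8 = LE, bit 9 = GE, bit 10 is reserved and always
# reads as 1 (hence the 0x400 baseline), bits 16-31 hold R/W and LEN per slot.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its LE/GE flags and the active breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"dr": i, "scope": "global" if glob else "local",
                          "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200), "slots": slots}


def classify_dr7(dr7: int) -> str:
    """Apply the page's rule of thumb: 0x700 under the SoftICE loader, 0x400
    otherwise; any enabled slot means a BPM (hardware breakpoint) is set."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoint(s) enabled"
    if d["le"] and d["ge"]:
        return "LE/GE set: matches the SoftICE-loader signature (0x700)"
    return "baseline (0x400): no indication"


if __name__ == "__main__":
    # 0xD0402 is a constructed value: G0 set, DR0 = 4-byte write breakpoint.
    for v in (0x400, 0x700, 0xD0402):
        print(f"dr7={v:#x}: {classify_dr7(v)} {decode_dr7(v)['slots']}")
```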

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" names the SoftICE VxD; the open only succeeds when the
       driver is loaded and answers the DIOC_OPEN control message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f      ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
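
A static triage scanner for the tricks listed in Methods 01, 02, 03/04, 05, 11, 12 and 13 above, written here as an added Python example (not code from the original text) for analysts who want to flag these checks in a sample without running it. The signature names and the constructed sample bytes are mine; the opcode encodings assume 32-bit code, with an optional 66h prefix covering the 16-bit-operand forms.

```python
import re

# Byte patterns for the anti-SoftICE tricks described on this page.
DEVICE_PREFIX = b"\\\\.\\"  # the "\\.\" device namespace used by MeltICE
SIGNATURES = [
    # mov ebp,'BCHK' ... int 3  (Method 01, BoundsChecker signature probe)
    ("method01_bchk", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # mov si,4647h ... mov di,4A4Dh  (Method 02, int 3 back-door magic values)
    ("method02_backdoor_magic",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.S)),
    # mov ax,1684h; mov bx,0202h|7A5Fh; int 2Fh  (Methods 03/04, VxD entry point)
    ("method03_04_int2f_vxd",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # mov ax,4Fh; int 41h  (Methods 05/06, debugger installation check)
    ("method05_int41_4f", re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # cmp ax,0F386h  (Methods 05/07/12, system-debugger magic number)
    ("magic_f386_compare", re.compile(rb"\x66?\x3D\x86\xF3")),
    # push 4Fh; push 002A002Ah  (Method 12, VWIN32_Int41Dispatch via VxDCall)
    ("method12_vxdcall_int41",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # HKLM\Software\NuMega\SoftICE  (Method 13, registry probe)
    ("method13_registry", re.compile(re.escape(rb"Software\NuMega\SoftICE"))),
]
# \\.\SICE, \\.\SIWVID, \\.\NTICE  (Method 11, MeltICE CreateFile/_lopen probe)
SIGNATURES += [
    ("method11_device_" + name.decode(), re.compile(re.escape(DEVICE_PREFIX + name)))
    for name in (b"SICE", b"SIWVID", b"NTICE")
]


def scan(buf: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every pattern hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a few of the page's tricks glued together with filler.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp; mov ebp,esp (benign prologue)
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp,'BCHK'        (Method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"    # mov ax,4; int 3; cmp al,4
    + b"\x75\x10" + b"\x90" * 4          # jnz; filler
    + b"\x66\xB8\x4F\x00\xCD\x41"        # mov ax,4Fh; int 41h   (Method 05)
    + b"\x66\x3D\x86\xF3\x74\x05"        # cmp ax,0F386h; jz
    + b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"  # mov si/di magic; int 3 (Method 02)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # MeltICE device name   (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"   # registry key          (Method 13)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Hits are advisory: the 0F386h compare and the 'BCHK' constant are strong indicators, while the int 41h/4Fh sequence also appears in legitimate debugger-aware code.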
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed    ; returns with ZF set if none installed
        je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>