About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker interface function
    int     3                      ; answered by SoftICE if it is resident
    cmp     al,4                   ; AL unchanged -> nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if no VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if no VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic value returned by system debuggers
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; our handler leaves AX untouched
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = a non-constant value (timer port)
    xor     cx,cx
    int     41h                     ; a resident debugger swallows this call
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL -> our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h                  ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The driver name is opened like a file: "\\.\SICE" only exists
      while the VxD is resident. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (open failed) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
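From the analyst's side, the tricks above leave recognizable bytes in a binary. The following is an added example, not part of the original text: a small static scanner that looks for the x86 encodings of the instruction sequences the methods quote (BCHK/int 3, the 4647h/4A4Dh magic values, int 2Fh/1684h with the SICE and SIWVID VxD IDs, int 41h/4Fh, int 68h/43h, the 0F386h compare, the VxDCall push pair, the MeltICE driver names and the NuMega registry key). The byte patterns are my own encodings of the page's instructions, and the sample buffer is constructed for the demonstration.

```python
import re

# Signatures for the anti-SoftICE tricks described above, written as byte
# patterns of the instruction sequences the text quotes (x86 encodings worked
# out here, not taken from the page). Small '.{0,n}' gaps tolerate an operand-
# size prefix or one interleaved instruction between the key opcodes.
SIGNATURES = {
    "M01 BoundsChecker BCHK check (mov ebp,'BCHK' ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    "M02 SoftICE back door (si=4647h, di=4A4Dh ... int 3)":
        rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46)"
        rb".{0,8}\xCC",
    "M03/M04 int 2Fh/1684h VxD entry point (bx=0202h SICE or 7A5Fh SIWVID)":
        rb"(?:\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A)"
        rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xB8\x84\x16).{0,6}\xCD\x2F",
    "M05/M06 int 41h function 4Fh (mov ax,4Fh ... int 41h)":
        rb"\xB8\x4F\x00.{0,6}\xCD\x41",
    "M07 int 68h function 43h (mov ah,43h ... int 68h)":
        rb"\xB4\x43.{0,6}\xCD\x68",
    "cmp ax,0F386h magic value (shared by M05-M07 and M12)":
        rb"\x3D\x86\xF3",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}\x68\x2A\x00\x2A\x00",
    "M11 MeltICE driver name, narrow string":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M11 MeltICE driver name, UTF-16LE string":
        b"|".join(re.escape(("\\\\.\\" + n).encode("utf-16-le"))
                  for n in ("SICE", "SIWVID", "NTICE")),
    "M13 NuMega registry key":
        rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.S) for name, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return [(offset, signature name), ...] sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample():
    """Constructed test blob (not a real file): NOP filler around three of the
    tricks, encoded as a 32-bit protected executable would contain them."""
    nops = b"\x90" * 16
    m01 = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    m05 = b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    m11 = b"\\\\.\\SICE\x00"                                    # "\\.\SICE",0 as passed to CreateFileA
    return nops + m01 + nops + m05 + nops + m11 + nops


if __name__ == "__main__":
    for off, name in scan(build_sample()):
        print(f"{off:#06x}  {name}")
```

Run it over a whole file (`scan(open(path, "rb").read())`) to get a quick list of which of the methods above a sample uses before loading it under a debugger.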