About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

__________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
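As an added example (not from the original text), here is a decoder for the DR7 layout defined by the x86 architecture; it shows that neither of the two values quoted above arms a breakpoint slot, and what the register looks like once a BPM is set. The field positions are the architectural ones, not anything SoftICE-specific.

```python
# Added example for Method 10 (not from the original text): decode DR7 using
# the x86 architectural layout.  Bits 0-7 are the L0/G0 .. L3/G3 enable
# pairs, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads 1,
# bit 13 is GD, and bits 16-31 hold the R/W and LEN fields of the four slots.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b is 8 bytes on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots plus the LE/GE/GD control bits."""
    armed = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                          # slot not enabled
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        armed.append({"slot": slot, "scope": "global" if glob else "local",
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"armed": armed,
            "LE": bool((dr7 >> 8) & 1),
            "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1)}


def encode_bpm(slot: int, rw: int, length: int, glob: bool = True) -> int:
    """DR7 bits that arm one slot (on top of the always-set bit 10); rw and
    length use the same encodings as the decoder above."""
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if glob else 0))
    return 0x400 | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


# The two values quoted in the text: neither has a slot enabled, 0x700 only
# adds the LE/GE exact-match bits that a debugger switches on.
LOADED_BY_SOFTICE = decode_dr7(0x700)   # armed: [], LE: True,  GE: True
NOT_LOADED = decode_dr7(0x400)          # armed: [], LE: False, GE: False
# Same register once a 4-byte write breakpoint (a BPM) is armed in slot 0.
WITH_BPM = decode_dr7(0x700 | encode_bpm(slot=0, rw=1, length=4))

if __name__ == "__main__":
    for name, fields in (("0x700", LOADED_BY_SOFTICE), ("0x400", NOT_LOADED),
                         ("with BPM", WITH_BPM)):
        print(name, fields)
```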

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SICE device can be opened, i.e. the
   Win9x SoftICE driver answered the open request. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver is loaded: release the handle */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
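
The following is an added example, not from the original text or from any of the programs named above: a static scanner that looks for the instruction encodings of Methods 01 to 07 and 12 and the device names and registry paths of Methods 11 and 13 in a raw file image, the kind of triage a malware analyst runs before loading a sample in a debugger. The opcode bytes were assembled by hand from the listings, the sample image is constructed, and a hit means "contains this check", not that the check is reachable.

```python
import re
from dataclasses import dataclass

ANY = rb"[\x00-\xff]"   # one arbitrary byte ('.' would not match 0x0A)

# (label, byte regex, flags).  Opcode bytes are the standard x86 encodings
# of the instructions listed under each method, hand-assembled here; the
# optional 66h prefix lets one pattern match 16-bit DOS and 32-bit code.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    ("01 BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04", 0),
    # 02: mov si,4647h ... mov di,4A4Dh (the back door magic values)
    ("02 int 3 back door magic SI=4647h/DI=4A4Dh",
     rb"\x66?\xBE\x47\x46" + ANY + rb"{0,8}?\x66?\xBF\x4D\x4A", 0),
    # 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID lookup (SICE or SIWVID)",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", 0),
    # 05: mov ax,4Fh / int 41h
    ("05 int 41h/4Fh debugger installation check",
     rb"\x66?\xB8\x4F\x00\xCD\x41", 0),
    # 06: in al,40h / xor cx,cx / int 41h
    ("06 int 41h with timer value from port 40h",
     rb"\xE4\x40\x66?[\x31\x33]\xC9\xCD\x41", 0),
    # 07: mov ah,43h / int 68h
    ("07 int 68h/43h WinICE handler check", rb"\xB4\x43\xCD\x68", 0),
    # 12: push 4Fh / push 2A002Ah before the VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", 0),
    # 11: device names opened by MeltICE-style checks
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", 0),
    # 13: registry paths probed for a SoftICE installation (case-insensitive)
    ("13 SoftICE registry key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     re.IGNORECASE),
]
COMPILED = [(label, re.compile(pat, flags)) for label, pat, flags in SIGNATURES]

@dataclass(frozen=True)
class Finding:
    method: str
    offset: int
    match: bytes

def scan(image: bytes) -> list:
    """Every signature hit in the image, sorted by offset."""
    hits = [Finding(label, m.start(), m.group(0))
            for label, rx in COMPILED for m in rx.finditer(image)]
    return sorted(hits, key=lambda f: f.offset)

# Constructed sample image (not a real binary): NOP filler around a 32-bit
# Method 01 check, a Method 11 device name, the Method 12 VxDCall arguments,
# a Method 13 registry path and a 16-bit Method 03 sequence.
SAMPLE = (b"\x90" * 16
          + bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04")
          + b"\x90" * 8
          + b"\\\\.\\SICE\x00"
          + bytes.fromhex("6A4F" "682A002A00")
          + b"\x00Software\\NuMega\\SoftICE\x00"
          + bytes.fromhex("B88416" "BB0202" "CD2F"))

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"0x{f.offset:04x}  Method {f.method}  {f.match!r}")
```

Packed or encrypted samples hide these bytes until unpacked, so an empty result from a packed file says nothing; run it on the dumped image.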

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>