<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 (interrupt vector table), as set up in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random-ish value from the timer
        xor cx,cx
        int 41h                 ; if SoftICE handles int 41h, CL stays 0
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________
Method 10
=========


=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The driver answered, so SoftICE is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
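As an added example (not part of the original text), here is a small Python triage scanner that looks for the static traces that Methods 01, 02, 11, 12 and 13 leave in a binary on disk: the instruction encodings and strings quoted above. The byte patterns, the slack allowed between instructions and the sample buffer are my own construction.

```python
"""Static triage scanner (added example, not part of the original text):
flags the raw x86 encodings and strings that Methods 01, 02, 11, 12 and 13
leave in a binary. Encodings were worked out by hand from the listings
above; the sample buffer is constructed, not taken from a real file."""
import re

# Encodings of the instructions shown in the methods (little-endian immediates):
#   mov ebp,4243484Bh -> BD 4B 43 48 42   (66 prefix when in 16-bit code)
#   mov ax,4          -> B8 04 00         (66 prefix when in 32-bit code)
#   int 3             -> CC
#   mov si,4647h -> BE 47 46 ; mov di,4A4Dh -> BF 4D 4A  (Method 02 magic values)
#   push 002A002Ah    -> 68 2A 00 2A 00   (VWIN32_Int41Dispatch, Method 12)
# Up to 8 bytes of slack (.{0,8}?) are allowed between instructions of a sequence.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"(?:\x66)?\xBD\x4B\x43\x48\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC",
                re.S)),
    ("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A", re.S)),
    ("11", "MeltICE driver name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|\\Uninstall\\SoftICE", re.I)),
]

def scan(data):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def scan_file(path):
    """Scan a file on disk; same result shape as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())

# Constructed sample: NOP filler with each trick embedded at a known offset.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x43\x48\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 @4 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 @26 (16-bit)
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                            # Method 11 @36
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                # Method 12 @47
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13 @52
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method} - {desc}")
```

A hit only says the trick's bytes are present; confirm at runtime with the breakpoints given in each method, since the Method 02 values are plain 16-bit immediates and can appear by chance in unrelated code.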

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>