<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
ebp='BCHK' and ax=4, SoftICE answers the int 3 and al no longer equals 4.

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                 ; still 4: nobody answered, no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of WINICE
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is temporarily
replaced by a plain iret, so nothing in the IVT chain can answer; only a
debugger that intercepts int 41h below the V86 level (as SoftICE does) still
returns the magic value:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es is assumed to be 0 here (see method 06)
    xchg bx, es:[41h*4+2]     ; install our handler, keep the old vector in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect
(no function number and no magic value are involved):

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                ; timer read: a hard to predict value in al
    xor cx, cx
    int 41h                   ; our handler copies al into cl...
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                ; ...unless a debugger swallowed the call
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed:

    mov eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance)
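
Added here as an example (not part of the original text): a Python decoder for
the DR7 bit layout, so the 0x700 and 0x400 values above can be read bit by bit
the way the ring-0 check does. Bit positions follow the Intel manual; the DR7
values fed to it at the bottom are constructed samples.

```python
# Added example: decode DR7 as the Method 10 check reads it. Bit layout from the
# Intel SDM (vol. 3, "Debug Registers"); sample values below are constructed.

RW_KINDS = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_KINDS = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) is 64-bit only

def decode_dr7(dr7):
    """Return a dict describing what a DR7 value enables."""
    info = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # reserved, always reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap MOV DRx
        "breakpoints": [],
    }
    for i in range(4):                            # one entry per DR0..DR3
        local_en = bool(dr7 & (1 << (2 * i)))
        global_en = bool(dr7 & (1 << (2 * i + 1)))
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local_en or global_en:
            info["breakpoints"].append({
                "index": i, "local": local_en, "global": global_en,
                "kind": RW_KINDS[rw], "length": LEN_KINDS[ln],
            })
    return info

def classify_dr7(dr7):
    """Reproduce the Method 10 reasoning: 0x400 is clean, 0x700 has LE+GE set,
    anything with DR0..DR3 enabled means memory breakpoints are armed."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoints set (dr0-dr3 in use)"
    if d["LE"] and d["GE"]:
        return "exact-breakpoint bits set: loaded through a debugger loader"
    return "clean"

if __name__ == "__main__":
    # constructed sample: DR0 armed locally on 4 bytes, read/write access
    bpm = 0x400 | 1 | (3 << 16) | (3 << 18)       # == 0xF0401
    for v in (0x400, 0x700, bpm):
        print(hex(v), classify_dr7(v), decode_dr7(v)["breakpoints"])
```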

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
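
Added example, not from the original text: a small Python static scanner that
looks for the constants listed in methods 01 to 05, 11, 12 and 13 in a raw
binary, the way an analyst triages a packed sample for anti-SoftICE code. It
assumes 16-bit opcode encodings for the DOS tricks and 32-bit ones for the
Win32 tricks, and the buffer it scans at the bottom is constructed, not a real file.

```python
# Added example: static scan of a raw binary for the anti-SoftICE constants
# listed on this page. Encodings assume 16-bit code for the DOS tricks (mov
# si/di/bx imm16, cmp ax imm16) and 32-bit code for the Win32 ones; the SAMPLE
# buffer is constructed by hand.
import re

# (description, regex over raw bytes)
SIGNATURES = [
    ("method 01: mov ebp,'BCHK' BoundsChecker magic", rb"\xBD\x4B\x48\x43\x42"),
    ("method 02: mov si,4647h / mov di,4A4Dh back-door magic",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("method 02: mov ax,091xh back-door function", rb"\xB8[\x10-\x14]\x09"),
    ("method 03/04: int 2Fh/1684h with SICE or SIWVID VxD ID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"),
    ("method 05/07/12: cmp ax,0F386h debugger magic", rb"\x3D\x86\xF3"),
    ("method 11: SoftICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("method 12: push 002A002Ah VWIN32_Int41Dispatch VxDCall", rb"\x68\x2A\x00\x2A\x00"),
    ("method 13: SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]

def scan(data):
    """Return a sorted list of (offset, description) hits in the raw bytes."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)

def split_vxdcall(service):
    """Split a VxDCall service number into (VxD ID, service index):
    high word = VxD (002Ah is VWIN32), low word = service (002Ah is Int41Dispatch)."""
    return (service >> 16) & 0xFFFF, service & 0xFFFF

# constructed sample: fragments of the page's snippets glued together
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"      # method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # method 03
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # method 12 VxDCall
    + b"\x66\x3D\x86\xF3"                                  # cmp ax,0F386h
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"      # methods 11 and 13
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:#06x}  {desc}")
    print("VxDCall 0x002A002A ->", tuple(hex(x) for x in split_vxdcall(0x002A002A)))
```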

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>