<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h vector
        xchg bx, es:[41h*4+2]   ; (old vector saved in bx:dx)
        mov ax,4fh
        int 41h                 ; our handler leaves ax=4Fh
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; a debugger answering first sets ax=0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; copy the PIT value only if our handler runs
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read PIT channel 0 counter into al
        xor cx,cx               ; cl = 0
        int 41h                 ; if a debugger handles int 41h itself, cl stays 0
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h             ; DOS set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds if SICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
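The byte-level idioms of methods 01 to 13 above can be turned into static signatures; the Python scanner below is an added example (not part of the original text) that flags them in a raw binary so an analyst knows which tricks to expect before tracing. The signature table and the sample bytes are constructed here from the instruction encodings the methods imply, not taken from any real file.

```python
"""Static scan for the SoftICE-detection idioms catalogued in methods 01-13.

Constructed example: the regexes encode the immediates, INT numbers, device
names and registry path those methods use, so hits tell an analyst which
anti-debug checks a sample contains before it is run under a debugger."""
import re
import sys

# (label, regex over raw bytes). A leading 66h operand-size prefix is
# optional so one pattern matches both 16-bit and 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK', stored little-endian as 'KHCB')
    ("01 BoundsChecker BCHK signature", rb"\x66?\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    ("02 SoftICE back-door magic SI/DI", rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD entry point)
    ("03/04 int 2Fh/1684h VxD ID query",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h (debugger installation check)
    ("05 int 41h/4Fh debugger check", rb"\x66?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h check", rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE device names handed to CreateFileA or _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?i:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key holding the install directory
    ("13 NuMega registry key", rb"(?i:Software\\NuMega\\SoftICE)"),
]
COMPILED = [(label, re.compile(pat)) for label, pat in SIGNATURES]


def scan(data: bytes):
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: a 16-bit method 05 check, a 32-bit (66h-prefixed)
# method 03/04 query for SIWVID, then the MeltICE device name string.
SAMPLE = (
    b"\x90\x90"                                     # padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x66\xB8\x84\x16\x66\xBB\x5F\x7A\xCD\x2F"   # int 2Fh/1684h with bx=7A5Fh
    + b"\\\\.\\SIWVID\x00"                         # "\\.\SIWVID",0
    + b"\xC3"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(blob):
        print(f"{off:08x}  {label}")
```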
</PRE></TD></TR></TBODY></TABLE>