About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

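To make sense of the dr7 values quoted above, here is an added example (not part of the original post) that decodes the documented DR7 layout: bits 0-7 are the L0/G0 .. L3/G3 enable pairs for DR0..DR3, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1, bit 13 is GD, and bits 16-31 hold the R/W and LEN fields of each breakpoint. Run on 0x400 it reports nothing armed (only the always-set bit 10), on 0x700 it reports LE and GE, and on a value with a BPM armed it names the register, access kind and length, which is the "memory breakpoints set (dr0 to dr3)" case the post refers to. The sample values fed to it are constructed for the demonstration.

```python
# Field layout of the x86 DR7 debug control register (Intel SDM vol. 3,
# "Debug Registers"): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# reserved bit 10 (always 1), GD bit 13, R/Wi and LENi (2 bits each)
# at bits 16+4i and 18+4i for i = 0..3.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its documented fields."""
    breakpoints = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li: enabled for this task
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi: enabled for all tasks
        if not (local or glob):
            continue                               # DRi holds no armed breakpoint
        rw = (dr7 >> (16 + 4 * i)) & 3             # what access triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3             # how many bytes it covers
        breakpoints.append({
            "index": i, "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool((dr7 >> 8) & 1),                # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),                # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),               # general detect (traps MOV DRn)
    }


def armed_bpm_indices(dr7: int) -> list:
    """Indices of DR0..DR3 that currently carry an enabled breakpoint."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # Constructed sample values: the two the post quotes, plus one with a
    # 4-byte write breakpoint armed in DR0 (L0=1, R/W0=01b, LEN0=11b).
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), decode_dr7(value))
```

The difference between 0x700 and 0x400 is therefore only the LE/GE pair; neither value by itself says anything about DR0..DR3, which is why the post treats "SoftICE loaded" and "BPMs set" as two separate observations.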
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

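The BPX/BPINT conditions given under Methods 01, 02, 11, 12 and 13 catch the tricks while the program runs; the same constants can also be looked for statically when triaging a sample before running it. The following Python scanner is an added example, not code from the original post: it searches a byte buffer for the little-endian encodings of the immediates each trick uses ('BCHK' loaded into EBP, the 4647h/4A4Dh magic pair, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, the 002A002Ah VxDCall id pushed with function 4Fh, and the Software\NuMega\SoftICE registry path). The sample buffer is constructed here and is not taken from any real file; the short wildcard gaps before the INT 3 are an assumption about how tightly the sequences are packed, and only 8-bit (ANSI) strings are matched.

```python
import re

# Byte-level signatures for the tricks described in Methods 01, 02, 11, 12 and
# 13 of the post above.  Each pattern is the little-endian encoding of the
# immediates or strings the trick uses; the ".{0,N}?" gaps (an assumption about
# how tightly the sequences are packed) allow a few instructions between the
# register setup and the INT 3 that completes the sequence.
SIGNATURES = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("Method 02: mov si,4647h / mov di,4A4Dh ... int 3",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,16}?\xCC",
                re.DOTALL)),
    ("Method 11: SoftICE device name (MeltICE / _lopen variant)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("Method 13: Software\\NuMega\\SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return (offset, description) pairs for every signature found in blob,
    sorted by offset.  Hits from different signatures are all kept."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not from any real file): the Haspinst.exe loop
# quoted under Method 02 as a 16-bit assembler would encode it, a MeltICE
# device-name string, the Method 01 sequence, the Method 12 VxDCall prologue
# and the Method 13 registry path, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
    + b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"        # mov ax,4
    + b"\xCC"                    # int 3
    + b"\x90" * 8
    + b"\x6A\x4F"                # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"    # push 002A002Ah
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

On the constructed buffer the scanner reports the five sequences in file order. A hit only says that the constants are present, so a match is a reason to look at the surrounding code (or to set the corresponding breakpoint from the post), not proof that the check is reached; the Methods 03 to 10 and 14 leave no such fixed byte pattern and are better caught with the BPX conditions given above.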
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>