About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
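As an added example (not part of the original post), here is a static triage scanner that looks for the byte patterns of the tricks above (Methods 01 to 05, 07, 11, 12 and 13) in a binary, so an analyst can tell which anti-SoftICE checks a sample carries before stepping through it. The opcode encodings, the function names and the sample blob are my own construction and assume the plain 16-bit instruction forms with an optional 66h prefix.

```python
import re

# Byte signatures for the anti-SoftICE checks on this page.  The opcode
# encodings are constructed here (not taken from the original text) and cover
# the plain 16-bit forms; an optional 66h operand-size prefix is allowed where
# 32-bit code would emit it.  Short patterns (M05, M07) can false-positive on
# data, so treat hits as triage leads to confirm in a disassembler.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (SoftICE magic values), any order
    "M02 int 3 back door SI=4647h DI=4A4Dh":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    "M03 int 2Fh/1684h VxD ID 0202h (SICE)": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h function 4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h function 43h": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah just before the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh":
        rb"(?:\x68\x4F\x00\x00\x00|\x6A\x4F)\x68\x2A\x00\x2A\x00",
    # Method 11: driver names opened with CreateFileA or _lopen (ANSI only)
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry paths used to locate the installation
    "M13 registry lookup":
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Return every signature hit in buf as (offset, label), sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_used(buf: bytes) -> set[str]:
    """Distinct method tags present in buf, e.g. {'M01', 'M11'}."""
    return {label.split()[0] for _, label in scan(buf)}


# Constructed sample blob (not a real binary): the HASP-style int 3 back door
# of Method 02, the BCHK check of Method 01, a MeltICE device name and a
# Method 13 registry path, separated by NOP/zero filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                # mov ax,0911h  (execute SIce command)
    + b"\xBE\x47\x46"                # mov si,4647h  (1st magic value)
    + b"\xBF\x4D\x4A"                # mov di,4A4Dh  (2nd magic value)
    + b"\xCC"                        # int 3
    + b"\x90" * 3
    + b"\x66\xBD\x4B\x48\x43\x42"    # mov ebp,4243484Bh ('BCHK')
    + b"\xB8\x04\x00"                # mov ax,4
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al,4
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"             # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it against a real file by replacing SAMPLE with the bytes read from disk; a hit only tells you where to look, the surrounding instructions still have to be confirmed by hand.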