<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' signature expected by BoundsChecker
        mov ax, 04h             ; BoundsChecker service number
        int 3                   ; handled by SoftICE if it is loaded
        cmp al, 4               ; AL is modified when SoftICE answers the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get device API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if no such VxD is loaded
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh             ; debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic value returned by system debuggers
        jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h                 ; ...which SoftICE bypasses if it is loaded
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies AL to CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL means our handler never ran
        jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
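As an added example that is not part of the original text, here is a small Python scanner an analyst can run over a raw binary to flag the byte patterns of the tricks catalogued above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13). The opcode encodings, the instruction windows between key opcodes and the sample bytes are my own construction, and the windows are heuristic, so a hit is a lead for manual review, not proof.

```python
import re

# Constructed byte-pattern signatures for the SoftICE checks described above.
# Each entry: (label, regex over raw bytes). Non-greedy .{0,N} windows allow
# unrelated register setup between the key opcodes. Encodings are plain x86;
# a 66h operand-size prefix in 32-bit code sits before the opcode and does not
# break the match (e.g. 66 B8 04 00 still contains B8 04 00).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    ("M02 SoftICE back door int 3",
     re.compile(rb"(?:\xBE\x47\x46|\xBF\x4D\x4A).{0,16}?"
                rb"(?:\xBE\x47\x46|\xBF\x4D\x4A).{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    ("M05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41.{0,32}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 11: device names opened through CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh (imm8 or imm32) / push 2A002Ah before the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys revealing the installation directory
    ("M13 SoftICE registry key",
     re.compile(rb"(?:NuMega|Uninstall)\\SoftICE")),
]


def scan(data: bytes):
    """Return sorted (offset, label) pairs for every signature hit in data."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: Method 01 as assembled in a 32-bit code section,
# some padding, then a MeltICE-style device name string.
SAMPLE = (
    b"\xBD\x4B\x48\x43\x42"     # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04\x75\x10"       # cmp al, 4 / jnz short
    + b"\x90" * 8               # nop padding
    + b"\\\\.\\SICE\x00"        # '\\.\SICE' at offset 22
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```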