<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL is left unchanged if nothing handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (ES:DI is still 0:0 if the VxD is not loaded)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; (added) ES must point to the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in BX:DX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler only copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; a byte from the timer port, hard to predict
 xor cx,cx
 int 41h ; if SoftICE owns int 41h, our handler never runs
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; CL != AL means our handler was not called
 jnz SoftICE_detected

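The analyst's counterpart of Methods 01 to 06, added here as an example (it is not code from the original text nor from Stone's archive): a small Python scanner that looks for the instruction bytes of each check near the interrupt that performs it, the way one triages a suspicious packer statically. The opcode encodings are my own (16-bit real-mode encodings for Methods 02 to 06, a 32-bit encoding for Method 01), the names `scan`, `Finding` and the `SAMPLE_*` buffers are mine, and the sample buffers are hand re-encodings of the listings above; the magic values themselves are the ones the text gives.

```python
"""Static triage of raw x86 code for the SoftICE checks of Methods 01-06.

Added example, not code from the original text. It looks for the
instruction bytes of each check near the interrupt that performs it.
Encodings are my own: 16-bit real-mode for Methods 02-06 (mov r16,imm16
= B8+r iw, int n = CD ib), 32-bit for Method 01 (mov ebp,imm32 = BD id).
The magic values (4647h/4A4Dh, 'BCHK', 1684h/0202h/7A5Fh, 41h/4Fh,
0F386h) are those given in the text.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int   # offset of the interrupt instruction inside the blob
    label: str


WINDOW = 32  # bytes of code inspected before each interrupt

INT3 = re.compile(rb"\xCC|\xCD\x03")   # int 3 (short and long form)
INT2F = re.compile(rb"\xCD\x2F")       # int 2Fh
INT41 = re.compile(rb"\xCD\x41")       # int 41h

MOV_EBP_BCHK = b"\xBD\x4B\x48\x43\x42"       # mov ebp, 04243484Bh ('BCHK')
MOV_SI_4647 = b"\xBE\x47\x46"                # mov si, 4647h
MOV_DI_4A4D = b"\xBF\x4D\x4A"                # mov di, 4A4Dh
BACKDOOR_AX = re.compile(rb"\xB8([\x10-\x14])\x09")  # mov ax, 091xh
MOV_AX_1684 = b"\xB8\x84\x16"                # mov ax, 1684h
MOV_BX_SICE = b"\xBB\x02\x02"                # mov bx, 0202h (winice VxD ID)
MOV_BX_SIWVID = b"\xBB\x5F\x7A"              # mov bx, 7A5Fh (SIWVID VxD ID)
MOV_AX_4F = b"\xB8\x4F\x00"                  # mov ax, 4Fh
CMP_AX_F386 = b"\x3D\x86\xF3"                # cmp ax, 0F386h
XCHG_DX_INT41VEC = b"\x26\x87\x16\x04\x01"   # xchg dx, es:[41h*4]

BACKDOOR_NAMES = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoints",
                  0x14: "remove breakpoints"}


def scan(code: bytes) -> list[Finding]:
    """Return one Finding per interrupt site whose context matches a check."""
    found = []
    for m in INT3.finditer(code):
        before = code[max(0, m.start() - WINDOW):m.start()]
        if MOV_EBP_BCHK in before:
            found.append(Finding(m.start(), "Method 01: BoundsChecker 'BCHK' int 3"))
        if MOV_SI_4647 in before and MOV_DI_4A4D in before:
            fn = BACKDOOR_AX.search(before)
            what = BACKDOOR_NAMES[fn.group(1)[0]] if fn else "unknown function"
            found.append(Finding(m.start(), f"Method 02: int 3 back door ({what})"))
    for m in INT2F.finditer(code):
        before = code[max(0, m.start() - WINDOW):m.start()]
        if MOV_AX_1684 in before and MOV_BX_SICE in before:
            found.append(Finding(m.start(), "Method 03: int 2Fh/1684h for VxD 0202h (SICE)"))
        if MOV_AX_1684 in before and MOV_BX_SIWVID in before:
            found.append(Finding(m.start(), "Method 04: int 2Fh/1684h for VxD 7A5Fh (SIWVID)"))
    for m in INT41.finditer(code):
        before = code[max(0, m.start() - WINDOW):m.start()]
        after = code[m.end():m.end() + 16]
        if MOV_AX_4F in before and CMP_AX_F386 in after:
            label = "Method 05: int 41h/4Fh expecting 0F386h"
            if XCHG_DX_INT41VEC in before:
                label += " (int 41h vector swapped first)"
            found.append(Finding(m.start(), label))
    return sorted(found, key=lambda f: f.offset)


# Constructed samples: the page's listings re-encoded by hand.
SAMPLE_HASP = bytes.fromhex(      # Haspinst.exe loop from Method 02
    "B81109"    # 0095 MOV AX,0911
    "8B17"      # 0098 MOV DX,[BX]
    "BE4746"    # 009A MOV SI,4647
    "BF4D4A"    # 009D MOV DI,4A4D
    "CC"        # 00A0 INT 3
    "83C302"    # 00A1 ADD BX,02
    "41"        # 00A4 INC CX
    "83F906"    # 00A5 CMP CX,06
    "72EB"      # 00A8 JB 0095
    "E955FF"    # 00AA JMP 0002
    "8BDC")     # 00AD MOV BX,SP
SAMPLE_BCHK = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7500")
SAMPLE_INT2F = bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F"
                             "8CC0" "01F8" "85C0" "7500")
SAMPLE_INT41 = bytes.fromhex("31C0" "8EC0" "8CCB" "8D160000"
                             "2687160401" "26871E0601" "B84F00" "CD41"
                             "2687160401" "26871E0601" "3D86F3" "7400")

if __name__ == "__main__":
    for name, blob in [("hasp", SAMPLE_HASP), ("bchk", SAMPLE_BCHK),
                       ("int2f", SAMPLE_INT2F), ("int41", SAMPLE_INT41)]:
        for f in scan(blob):
            print(f"{name}: +{f.offset:#06x} {f.label}")
```

The scanner anchors on the interrupt and only then looks for the magic constants within a short window, which keeps a stray `CC` byte inside data from raising an alert on its own; Method 06 deliberately carries no magic constant and is only caught here through its int 41h vector swap, which matches the text's remark that it is harder to detect.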
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

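To make the two DR7 constants above readable, here is an added example (not code from the original text) that decodes a DR7 value into its fields using the standard x86 bit layout: 0x400 is nothing but the reserved bit 10, which always reads as 1, and 0x700 adds the LE/GE exact-match bits; any hardware breakpoint the text mentions would show up as an L/G enable bit plus its R/W and LEN fields. The names `decode_dr7`, `describe` and `HwBreakpoint` are mine.

```python
"""Decode a DR7 value into the fields the Method 10 check is looking at.

Added example, not code from the original text. The bit layout is the
standard x86 one (Intel SDM): bits 0-7 L0/G0..L3/G3, bit 8 LE, bit 9 GE,
bit 10 reserved (always reads 1), bit 13 GD, bits 16-31 R/W and LEN
fields of the four breakpoints. The two constants 0x700 and 0x400 are the
ones the text quotes.
"""
from dataclasses import dataclass

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}  # bytes covered by the breakpoint


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of DR0..DR3 holds the address
    local: bool       # L bit (per task)
    global_: bool     # G bit (all tasks)
    kind: str         # exec / write / io / read/write
    length: int       # 1, 2, 4 or 8 bytes


def decode_dr7(dr7: int) -> dict:
    """Return the named DR7 fields plus the list of enabled breakpoints."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_NAMES[ln]))
    return {
        "LE": bool((dr7 >> 8) & 1),          # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),          # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),         # general detect: trap on DRx access
        "breakpoints": bps,
    }


def describe(dr7: int) -> str:
    """One-line summary in the spirit of the two values quoted in Method 10."""
    d = decode_dr7(dr7)
    parts = []
    if d["LE"] or d["GE"]:
        parts.append("exact-match bits set (LE/GE)")
    if d["GD"]:
        parts.append("GD set: any mov to/from DR0-DR7 traps")
    for bp in d["breakpoints"]:
        scope = "global" if bp.global_ else "local"
        parts.append(f"DR{bp.index} {scope} {bp.kind} len={bp.length}")
    return f"DR7={dr7:#x}: " + ("; ".join(parts) if parts else "only the reserved bit 10")


if __name__ == "__main__":
    for v in (0x400, 0x700, 0x400 | 0x1 | (1 << 16) | (3 << 18)):
        print(describe(v))
```

The GD field is decoded as well because it is the defender's side of this trick: with bit 13 set, the very `mov` that reads DR7 raises a debug exception, which is how a kernel-mode debugger can notice a program inspecting the debug registers.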
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* opening the driver's device name only succeeds if the VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

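The breakpoints given for Methods 11 and 13 catch these checks at run time; the static counterpart is a string sweep over the binary, added here as an example that is not code from the original text. It goes a little beyond the text in that each indicator (the three device names from Method 11 and the three registry keys from Method 13) is searched both as 8-bit text and as UTF-16LE text, case-insensitively, since a Win32 program may carry either form. The names `find_indicators`, `Indicator` and the `SAMPLE` blob are mine; the blob is constructed.

```python
"""Find the SoftICE device names (Method 11) and registry keys (Method 13)
as strings inside a binary.

Added example, not code from the original text. It generalises the two
methods to a string sweep: each indicator is searched both as 8-bit text
and as UTF-16LE text (the form a Win32 program would pass to a W API),
case-insensitively. The indicator strings are the ones the text lists;
the sample blob is constructed here.
"""
import re
from dataclasses import dataclass

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


@dataclass(frozen=True)
class Indicator:
    offset: int
    encoding: str    # "ascii" or "utf-16le"
    kind: str        # "device name (Method 11)" or "registry key (Method 13)"
    text: str


def _compiled():
    """Build (pattern, encoding, kind, text) tuples for both encodings."""
    out = []
    for kind, names in (("device name (Method 11)", DEVICE_NAMES),
                        ("registry key (Method 13)", REGISTRY_KEYS)):
        for s in names:
            out.append((re.compile(re.escape(s.encode("ascii")), re.I), "ascii", kind, s))
            out.append((re.compile(re.escape(s.encode("utf-16-le")), re.I), "utf-16le", kind, s))
    return out


PATTERNS = _compiled()


def find_indicators(blob: bytes) -> list[Indicator]:
    """Return every occurrence of an indicator, ordered by file offset."""
    hits = []
    for pat, enc, kind, text in PATTERNS:
        for m in pat.finditer(blob):
            hits.append(Indicator(m.start(), enc, kind, text))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


# Constructed sample: padding, an 8-bit device name, filler, a UTF-16LE
# device name and a lower-cased registry key (to show the case-insensitive match).
SAMPLE = (b"\x00" * 16
          + b"\\\\.\\SICE\x00"
          + b"MZ junk"
          + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
          + b"software\\numega\\softice\x00")

if __name__ == "__main__":
    for h in find_indicators(SAMPLE):
        print(f"+{h.offset:#06x} {h.encoding:8} {h.kind}: {h.text}")
```

A hit only says the string is present; packed or obfuscated programs build such names at run time, which is exactly why the text pairs each method with a breakpoint rather than relying on strings alone.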
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>