<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL still 04h: nothing answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di                  ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must already be 0 (the IVT segment) for the es:[41h*4] accesses
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h                     ; the dummy handler just returns, so AX can only
                                ; become 0F386h if something below the IVT answers
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; record the AL value that reached the IVT handler
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; CL != AL: our handler never ran, int 41h was swallowed
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                 ; set interrupt vector
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
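As an added example (not part of the original text), here is a small decoder that shows why 0x700 and 0x400 are the interesting DR7 values and what a set BPM looks like from the point of view of a check that reads DR0-DR3 and DR7. The bit layout is the standard one from the Intel manual (not something this text states), and the register values fed to it below are constructed for the demo.

```python
"""DR7 decoder, added as an example to go with Method 10 above.

Not code from the original page. Bit layout assumed (Intel SDM vol. 3):
bits 0-7 = L0,G0 .. L3,G3 (local/global enable per breakpoint), bit 8 = LE,
bit 9 = GE, bit 10 = reserved and always read as 1, bit 13 = GD, and from
bit 16 upward four bits per breakpoint: R/Wn (2 bits) then LENn (2 bits).
"""
RW_KIND   = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN encoding 2 (8 bytes) only exists in 64-bit mode
RESERVED_ONE = 0x400                     # what DR7 reads on a machine with no debugger activity

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the exact-breakpoint flags and the list of enabled breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"index": n, "local": bool(local), "global": bool(glob),
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": bps}

def debugger_footprint(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """List what a Method 10 style check would notice in DR0-DR3 and DR7."""
    d = decode_dr7(dr7)
    notes = []
    if d["le"] or d["ge"]:
        # 0x700 = reserved bit 10 + LE + GE: the loader footprint quoted in the text
        notes.append("exact-breakpoint flags set (LE/GE): DR7 looks like 0x700, the loader footprint")
    for bp in d["breakpoints"]:
        notes.append("DR%d: %s breakpoint, %d byte(s) at %#x"
                     % (bp["index"], bp["kind"], bp["length"], dr0_3[bp["index"]]))
    if d["gd"]:
        notes.append("GD set: any MOV to/from a debug register will trap")
    if not notes and (dr7 & ~RESERVED_ONE) == 0 and not any(dr0_3):
        notes.append("clean: DR7 == 0x400 and DR0-DR3 empty")
    return notes

if __name__ == "__main__":
    # Constructed sample values: loader footprint, idle machine, one 4-byte write BPM in DR0.
    for dr7, regs in ((0x700, (0, 0, 0, 0)), (0x400, (0, 0, 0, 0)), (0xD0401, (0x401000, 0, 0, 0))):
        print("DR7=%#07x:" % dr7, "; ".join(debugger_footprint(dr7, regs)))
```

The decoder makes the text's two numbers concrete: 0x400 is nothing but the reserved bit, and 0x700 is that bit plus LE and GE, which is why the value alone gives the loader away even when DR0-DR3 are empty. Because these registers are only readable in ring 0, a user-mode sample needs a driver or a VxDCall to get at them, which is also the point at which such a check is visible to a breakpoint.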

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'; needs the Win32 declarations from windows.h):

/* Returns TRUE when the Win9x SoftICE driver answers an open on its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver is loaded: release the handle */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected



__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
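As an added example (not part of the original text, nor a tool it mentions), here is a small Python triage scanner that looks, in an unpacked code or data blob, for the fixed bytes behind Methods 01 to 05, 07, 11, 12 and 13: the immediates and interrupt opcodes quoted above, the 0F386h magic, the \\.\SICE-style device names and the registry key names. The opcode encodings it assumes are the standard x86 ones listed in its header comment, not something the text states; the sample buffer at the bottom is constructed for the demo and is not taken from any real file.

```python
"""Static triage scanner for the SoftICE-detection idioms listed in this text.

Added example, not code from the original page or from any tool it names.
Opcode encodings assumed (standard x86): BD imm32 = mov ebp,imm32;
B8/BB/BE/BF imm16 = mov ax/bx/si/di,imm16; B4 imm8 = mov ah,imm8;
3D imm16 = cmp ax,imm16; CD xx = int xx; 6A imm8 = push imm8;
68 imm32 = push imm32. Immediates are stored little-endian.
"""
import re

# (label, byte regex, extra flags). Opcode patterns stay case-sensitive on
# purpose: re.IGNORECASE would make \x4B ('K') match \x6B ('k') as well.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42", 0),
    ("Method 02: int 3 back door (mov si,4647h / mov di,4A4Dh)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", 0),
    ("Method 03/04: int 2Fh/1684h query for VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", 0),
    ("Method 05: int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41", 0),
    ("Method 07: int 68h function 43h (V86) debugger check",
     rb"\xB4\x43.{0,8}?\xCD\x68", 0),
    ("Method 12: VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00", 0),
    ("Magic 0F386h compared against AX (Methods 05/07/12)",
     rb"\x3D\x86\xF3", 0),
    ("Method 11: MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID, \\\\.\\NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b", re.IGNORECASE),
    ("Method 13: SoftICE registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.IGNORECASE),
]
COMPILED = [(label, re.compile(pat, flags | re.DOTALL)) for label, pat, flags in SIGNATURES]

def scan(blob: bytes) -> list:
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pattern in COMPILED:
        hits.extend((m.start(), label) for m in pattern.finditer(blob))
    return sorted(hits)

def report(blob: bytes) -> str:
    """One line per hit: file offset and the method it points at."""
    lines = ["%08X  %s" % hit for hit in scan(blob)]
    return "\n".join(lines) or "no SoftICE-detection idioms found"

# Constructed sample: Method 01 (32-bit code), Method 02 and Method 05 (16-bit
# code) padded with NOPs, followed by a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"            # mov ax, 4        (operand-size prefix in 32-bit code)
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x11\x09"                # mov ax, 0911h
    + b"\xBE\x47\x46"                # mov si, 4647h
    + b"\xBF\x4D\x4A"                # mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"                # mov ax, 4Fh
    + b"\xCD\x41"                    # int 41h
    + b"\x3D\x86\xF3"                # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"             # '\\.\SICE',0
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it on a dump of the unpacked image: packers encrypt these sequences, so a scan of the file on disk means little, while a hit in the unpacked code tells you which of the SoftICE breakpoints listed under each method is worth setting before the program reaches it. Method 06 leaves no fixed immediate behind beyond the `int 41h` itself, and a bare CD 41 rule would fire on too much unrelated code, so it is deliberately left out of the rule set.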

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>