About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  A dummy int 41h handler is installed
first, so that the int 41h call lands in it (and ax keeps its value) when
no system debugger has hooked the vector; es is assumed to hold 0 (the IVT
segment), as set up explicitly in method 06:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so cl==al afterwards only if our handler
(and not a debugger's) serviced the int 41h:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an arbitrary (timer) value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device only succeeds when the SoftICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
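A static scanner for the byte patterns behind methods 01 to 05, 07 and 11 to 13 above, as an added example that is not part of the original post: the instruction encodings it assumes (16-bit code for the int 2Fh/41h/68h checks, 32-bit code with an optional 66h prefix for the int 3 tricks), the signature table and the constructed sample buffer are mine, and the point is to flag these anti-debugging stubs in a sample before loading it in a debugger.

```python
import re
import sys

# Byte signatures for the anti-SoftICE tricks described above. Assumed
# encodings: 16-bit code for the DOS-era int 2Fh/41h/68h checks, 32-bit code
# with an optional 0x66 operand-size prefix for the int 3 tricks (01/02).
SIGNATURES = [
    ("01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker signature)",
     rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    ("02", "mov si,4647h ... mov di,4A4Dh (int 3 back door magic values)",
     rb"\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD entry point)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h (WinICE V86 handler)",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "registry key Software\\NuMega\\SoftICE",
     rb"Software\\NuMega\\SoftICE"),
]
# DOTALL so the '.' gap in signature 02 can span any byte, including 0x0A.
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan_bytes(data: bytes):
    """Return [(offset, method)] for every signature hit, sorted by offset."""
    hits = []
    for method, _desc, rx in COMPILED:
        for match in rx.finditer(data):
            hits.append((match.start(), method))
    return sorted(hits)


def describe(data: bytes):
    """Human-readable report lines, one per hit."""
    descs = {m: d for m, d, _rx in SIGNATURES}
    return [f"{off:08x}  method {m:<5} {descs[m]}" for off, m in scan_bytes(data)]


# Constructed sample buffer (not from any real file): a few of the sequences
# above glued together with padding, as a packer stub might carry them.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                           # method 04
    + b"\xB8\x4F\x00\xCD\x41"                                       # method 05
    + b"\\\\.\\NTICE\x00"                                           # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # method 12
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in describe(blob):
        print(line)
```

The patterns are deliberately narrow (exact immediates, no register renaming), so a miss only says the stub is not written exactly as on this page, while a hit is worth a closer look at that offset.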