<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler just copies AL into CL
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler really ran, CL == AL
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the VxD as a device only succeeds when it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ;  (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
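The breakpoint conditions given here and in Method 11 are byte compares on an argument string; below is the same logic as an added C example (not from the original text) that a user-mode API monitor could apply to the CreateFileA/_lopen path and to the RegOpenKey subkey. Device names and key names are the ones quoted in the text; the hook that obtains the strings is assumed and not shown. Unlike the BPX byte compares it matches case-insensitively, as Win32 path and registry key names are, and it checks the whole device name rather than only 4 bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { PROBE_NONE = 0, PROBE_SICE, PROBE_SIWVID, PROBE_NTICE } probe_t;

/* Device names that MeltICE-style checks try to open (Method 11). */
static const struct { const char *name; probe_t id; } kDevices[] = {
    { "SICE",   PROBE_SICE   },   /* SoftICE core VxD, Win9x    */
    { "SIWVID", PROBE_SIWVID },   /* SoftICE video VxD, Win9x   */
    { "NTICE",  PROBE_NTICE  },   /* SoftICE driver, Windows NT */
};

/* Registry subkeys under HKEY_LOCAL_MACHINE listed in Method 13 (#1..#3). */
static const char *const kKeys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

/* ASCII case-insensitive string equality. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Classify the lpFileName given to CreateFileA (or the path given to _lopen).
   The BPX in the text tests the 4 bytes after the 4-byte "\\.\" prefix
   (*(esp->4+4)=='SICE' etc.); here the whole device name is compared. */
probe_t classify_device_path(const char *path) {
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return PROBE_NONE;
    for (size_t i = 0; i < sizeof kDevices / sizeof kDevices[0]; i++)
        if (ieq(path + 4, kDevices[i].name))
            return kDevices[i].id;
    return PROBE_NONE;
}

/* Returns 1..3 for the numbered keys in the text, 0 for anything else.
   The BPX there matches the dword 'tICE' at a fixed offset in the subkey;
   with the string in hand, a full compare is the equivalent check. */
int classify_registry_subkey(const char *subkey) {
    if (subkey == NULL) return 0;
    if (*subkey == '\\') subkey++;          /* tolerate a leading backslash */
    for (int i = 0; i < 3; i++)
        if (ieq(subkey, kKeys[i])) return i + 1;
    return 0;
}

int main(void) {
    /* Constructed inputs: what a hook would see from MeltICE and from a registry probe. */
    printf("device=%d key=%d\n", classify_device_path("\\\\.\\SICE"),
           classify_registry_subkey("Software\\NuMega\\SoftICE"));
    return 0;
}
```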

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>