About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 when nobody answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' ('FG' and 'JM') used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 when the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (es must be 0, the IVT segment)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Because the IVT entry now points at our own handler (which returns ax
untouched), a 0F386h in ax can only come from a debugger that intercepts
the interrupt before the real-mode vector is reached.

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our handler really ran
    jnz     SoftICE_detected

There is no 4Fh/0F386h constant to break on here: if the interrupt reached
our handler, cl is a copy of al; if a debugger swallowed it, cl stays 0.
(If the byte read from port 40h happens to be 0, the two are equal either
way and the check misses, about 1 time in 256.)

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
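Added example, not code from the page or from any packer: a byte-signature scanner a defender could run over an unpacked executable to flag methods 01 to 05 and 07 by the hard-coded constants they cannot avoid ('BCHK', 'FG'/'JM', 1684h with the SICE/SIWVID VxD IDs, 4Fh/int 41h, 43h/int 68h, and the 0F386h compare). The x86 encodings used (mov si,imm16 = BE iw, mov ebp,imm32 = BD id, int n = CD ib, cmp ax,imm16 = 3D iw, cmp al,imm8 = 3C ib) are the standard ones; the function names, the 24-byte window and both sample buffers are my own choices, and the sample bytes are constructed here, not taken from Haspinst.exe or any real file.

```c
/* Added example (not from the original text): scans a code buffer for the
 * hard-coded constants of methods 01-05 and 07.  The atoms are the 16-bit
 * encodings, chosen so they are also substrings of the 66h-prefixed 32-bit
 * forms (66 BE 47 46 still contains BE 47 46). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATOMS 3
#define WINDOW    24     /* all atoms of a rule must fall within this many bytes */

typedef struct { const uint8_t *bytes; size_t len; } atom_t;
typedef struct { const char *method; atom_t atoms[MAX_ATOMS]; int n; } rule_t;
typedef struct { size_t offset; const char *method; } hit_t;

static const uint8_t a_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t a_int3[]    = { 0xCC };                         /* int 3          */
static const uint8_t a_cmpal4[]  = { 0x3C, 0x04 };                   /* cmp al,4       */
static const uint8_t a_movsi[]   = { 0xBE, 0x47, 0x46 };             /* mov si,4647h   */
static const uint8_t a_movdi[]   = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh   */
static const uint8_t a_ax1684[]  = { 0xB8, 0x84, 0x16 };             /* mov ax,1684h   */
static const uint8_t a_bx0202[]  = { 0xBB, 0x02, 0x02 };             /* mov bx,0202h   */
static const uint8_t a_bx7a5f[]  = { 0xBB, 0x5F, 0x7A };             /* mov bx,7A5Fh   */
static const uint8_t a_int2f[]   = { 0xCD, 0x2F };                   /* int 2Fh        */
static const uint8_t a_ax4f[]    = { 0xB8, 0x4F, 0x00 };             /* mov ax,4Fh     */
static const uint8_t a_int41[]   = { 0xCD, 0x41 };                   /* int 41h        */
static const uint8_t a_cmpf386[] = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h  */
static const uint8_t a_ah43[]    = { 0xB4, 0x43 };                   /* mov ah,43h     */
static const uint8_t a_int68[]   = { 0xCD, 0x68 };                   /* int 68h        */

#define A(x) { x, sizeof(x) }
static const rule_t rules[] = {
    { "01 BCHK/int 3",           { A(a_bchk),   A(a_int3),   A(a_cmpal4)  }, 3 },
    { "02 FGJM backdoor",        { A(a_movsi),  A(a_movdi),  A(a_int3)    }, 3 },
    { "03 int 2Fh/1684h SICE",   { A(a_ax1684), A(a_bx0202), A(a_int2f)   }, 3 },
    { "04 int 2Fh/1684h SIWVID", { A(a_ax1684), A(a_bx7a5f), A(a_int2f)   }, 3 },
    { "05 int 41h/4Fh",          { A(a_ax4f),   A(a_int41),  A(a_cmpf386) }, 3 },
    { "07 int 68h/43h",          { A(a_ah43),   A(a_int68),  A(a_cmpf386) }, 3 },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* 1 if atom a occurs anywhere in buf[from, to). */
static int atom_in(const uint8_t *buf, size_t len, size_t from, size_t to,
                   const atom_t *a)
{
    if (to > len) to = len;
    for (size_t i = from; i + a->len <= to; i++)
        if (memcmp(buf + i, a->bytes, a->len) == 0) return 1;
    return 0;
}

/* A rule hits when its first atom is found and the others follow it inside
 * one WINDOW, whatever instructions sit in between.  Returns the number of
 * hits and stores up to max of them in out[]. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, hit_t *out, size_t max)
{
    size_t nhits = 0;
    for (size_t r = 0; r < NRULES; r++) {
        const atom_t *first = &rules[r].atoms[0];
        for (size_t i = 0; i + first->len <= len; i++) {
            if (memcmp(buf + i, first->bytes, first->len) != 0) continue;
            int all = 1;
            for (int k = 1; k < rules[r].n && all; k++)
                all = atom_in(buf, len, i + first->len, i + WINDOW, &rules[r].atoms[k]);
            if (!all) continue;
            if (nhits < max) { out[nhits].offset = i; out[nhits].method = rules[r].method; }
            nhits++;
            i += WINDOW - 1;                        /* one report per window */
        }
    }
    return nhits;
}

/* Constructed sample (not bytes from any real binary): the HASP-style
 * backdoor call of method 02 as 32-bit code, with mov dx,[ebx] between the
 * register loads, followed by a 16-bit int 41h/4Fh check. */
static const uint8_t sample_packed[] = {
    0x90, 0x90,                         /* nop; nop                 */
    0x66, 0xB8, 0x11, 0x09,             /* mov ax,0911h             */
    0x66, 0x8B, 0x13,                   /* mov dx,[ebx]             */
    0x66, 0xBE, 0x47, 0x46,             /* mov si,4647h             */
    0x66, 0xBF, 0x4D, 0x4A,             /* mov di,4A4Dh             */
    0xCC, 0xC3,                         /* int 3; ret               */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,       /* mov ax,4Fh; int 41h      */
    0x3D, 0x86, 0xF3, 0x74, 0x05, 0xC3  /* cmp ax,0F386h; jz; ret   */
};
/* Ordinary prologue with a lone int 3: must not trigger anything. */
static const uint8_t sample_clean[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xCC, 0x5D, 0xC3 };

int main(void)
{
    hit_t hits[8];
    size_t n = scan_anti_sice(sample_packed, sizeof sample_packed, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: method %s\n", hits[i].offset, hits[i].method);
    printf("clean sample: %zu hits\n",
           scan_anti_sice(sample_clean, sizeof sample_clean, hits, 8));
    return 0;
}
```

Treat hits as leads, not verdicts: the 3-byte cores also match the unrelated mov eax,4Fh, and a packer that builds the constants at run time (mov ebp,'BCHJ' then inc ebp, or an xor-decoded stub) leaves nothing for a fixed-byte rule to find, which is why the BPX/BPINT conditions given for each method above remain the reliable way to catch the call itself.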
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only, since mov from a debug register is a privileged instruction).
Values can be manipulated and/or changed as well (clearing BPMs for instance).
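Added example, not code from the page: a decoder for the two DR7 values quoted above plus the bits a memory breakpoint (BPM) sets, so the 0x400/0x700 figures can be read rather than memorised. The bit layout is the documented IA-32 one (Intel SDM vol. 3, "Debug Registers"); the function and field names are mine, and the three values fed to it at the end are constructed for the demonstration, not captured from a running SoftICE.

```c
/* Added example (not from the original text): decodes the DR7 values that
 * method 10 quotes, using the documented IA-32 layout (Intel SDM vol. 3,
 * "Debug Registers"):
 *   bit 2i  Li (local enable of DRi)    bit 2i+1  Gi (global enable)
 *   bits 8,9  LE/GE exact-match flags   -> 0x700 = 0x400 + LE + GE
 *   bit 10    reserved, always reads 1  -> 0x400 = idle baseline
 *   bits 16+4i,17+4i  R/Wi: 00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4i,19+4i  LENi: 00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8 on x86-64) */
#include <stdint.h>
#include <stdio.h>

enum dr_kind { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_RW = 3 };

typedef struct {
    int enabled;        /* Li or Gi set                 */
    int global;         /* Gi set                       */
    enum dr_kind kind;  /* R/Wi field                   */
    int length;         /* LENi decoded to bytes        */
} dr_slot_t;

typedef struct {
    dr_slot_t slot[4];  /* one per DR0..DR3             */
    int exact_match;    /* LE or GE set                 */
    int active_count;   /* enabled slots                */
} dr7_info_t;

#define DR7_RESERVED 0x400u

dr7_info_t decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = { 1, 2, 8, 4 };   /* indexed by LEN encoding */
    dr7_info_t info = { 0 };
    for (int i = 0; i < 4; i++) {
        dr_slot_t *s = &info.slot[i];
        s->global  = (dr7 >> (2 * i + 1)) & 1;
        s->enabled = ((dr7 >> (2 * i)) & 1) | s->global;
        s->kind    = (enum dr_kind)((dr7 >> (16 + 4 * i)) & 3);
        s->length  = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
        info.active_count += s->enabled;
    }
    info.exact_match = (dr7 & 0x300u) != 0;
    return info;
}

/* 1 when anything besides the reserved bit is set: 0x400 is what an
 * untouched machine shows, 0x700 is what the SoftICE loader leaves, and
 * any Li/Gi bit means a hardware (BPM) breakpoint is armed. */
int dr7_suspicious(uint32_t dr7) { return (dr7 & ~DR7_RESERVED) != 0; }

/* "Clearing a BPM" at register level: drop Li/Gi and the R/W/LEN fields of
 * that slot and leave the rest (including LE/GE) alone. */
uint32_t dr7_clear_slot(uint32_t dr7, int i)
{
    dr7 &= ~(3u << (2 * i));            /* Li, Gi      */
    dr7 &= ~(0xFu << (16 + 4 * i));     /* R/Wi, LENi  */
    return dr7;
}

/* The DR7 bits a debugger writes for a local breakpoint of the given kind
 * and length in slot i (the address itself goes into DRi, not DR7). */
uint32_t dr7_set_slot(uint32_t dr7, int i, enum dr_kind kind, int length)
{
    static const uint32_t len_code[9] = { 0, 0, 1, 0, 3, 0, 0, 0, 2 }; /* 1->00 2->01 4->11 8->10 */
    dr7 = dr7_clear_slot(dr7, i);
    dr7 |= 1u << (2 * i);                                /* Li           */
    dr7 |= (uint32_t)kind << (16 + 4 * i);
    dr7 |= len_code[length] << (18 + 4 * i);
    return dr7;
}

static void show(const char *label, uint32_t dr7)
{
    static const char *names[4] = { "exec", "write", "io", "rw" };
    dr7_info_t in = decode_dr7(dr7);
    printf("%-22s dr7=%08x suspicious=%d LE/GE=%d active=%d\n",
           label, (unsigned)dr7, dr7_suspicious(dr7), in.exact_match, in.active_count);
    for (int i = 0; i < 4; i++)
        if (in.slot[i].enabled)
            printf("  DR%d: %s, %d byte(s), %s\n", i, names[in.slot[i].kind],
                   in.slot[i].length, in.slot[i].global ? "global" : "local");
}

int main(void)
{
    /* Constructed values: the two quoted in the text plus one BPM. */
    show("no debugger", 0x400);
    show("SoftICE loader", 0x700);
    show("BPM 401000 W (DR0)", dr7_set_slot(0x400, 0, DR_WRITE, 1));
    return 0;
}
```

The "ring0 only" remark holds for reading the registers with mov eax,dr7, which faults in ring 3; on NT a user-mode program can still obtain DR0..DR7 for its own threads through GetThreadContext with CONTEXT_DEBUG_REGISTERS, so the same decoder applies to values gathered that way or from a crash dump. Note that the decoder flags a BPM even when only the Gi bit is set, and that dr7_clear_slot leaves LE/GE alone, so clearing all four slots of a 0x700 machine still leaves 0x700, not 0x400.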

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; the +4 skips the leading "\\.\")

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" inside the
subkey strings of #2 and #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>