<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with EBP='BCHK' and
AX=4, SoftICE's INT 3 handler changes AL (it no longer equals 4 on return),
while a plain INT 3 handler leaves the registers untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command is pointed to by DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911        ; execute command.
        4C19:0098  MOV  DX,[BX]        ; DS:DX points to the command (see below).
        4C19:009A  MOV  SI,4647        ; 1st magic value.
        4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
        4C19:00A0  INT  3              ; Int call (if SoftICE is not loaded, jmp to 00AD*).
        4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute.
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06          ; Repeat 6 times to execute
        4C19:00A8  JB   0095           ; 6 different commands.
        4C19:00AA  JMP  0002           ; Bad_Guy: jump back.
        4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an exception handler when the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI is returned
as 0000:0000. (The ADD below is a cheap non-zero test of ES and DI together;
OR AX,DI would avoid the theoretical wrap to zero.)

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls INT 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). For the duration of the call it points
the INT 41h vector in the real-mode IVT at its own handler (a bare IRET),
so nothing that merely sits in the IVT can answer; SoftICE, which intercepts
the interrupt before the vector is consulted, still returns 0F386h.
ES must be zero so that ES:[41h*4] addresses the vector table:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> real-mode IVT
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, old offset -> DX
        xchg    bx, es:[41h*4+2]        ; ... old segment -> BX
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to detect. Instead
of checking for the magic value, it checks whether its own INT 41h handler
ran at all: the handler copies AL to CL, the caller first puts a random-ish
value (read from timer port 40h) in AL and zeroes CX, and if CL still
differs from AL afterwards, something else answered the interrupt.
(If the timer happens to return 00h the check misses: a 1-in-256 false
negative the trick accepts.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> real-mode IVT
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; random-ish value from the PIT counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function AH=43h
returns the same 0F386h magic number as INT 41h/4Fh.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a detection method for SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...):

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect if SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or if memory breakpoints (BPM)
are set (DR0 to DR3 hold their addresses, DR7 their enable bits). The values
can be manipulated or changed as well (clearing BPMs, for instance).

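To make the two DR7 values quoted above concrete, here is an added example
that is not part of the original list: a decoder for DR7 as ring 0 code would
read it. The field layout is the documented DR7 format; 0x400 is the reserved
bit 10 that always reads as 1, and 0x700 adds the LE/GE exact-breakpoint bits.
The "SoftICE loader" heuristic and the 0x400/0x700 sample values are taken
from the paragraph above; the function names (decode_dr7, has_memory_breakpoints,
looks_like_softice_loader, strip_breakpoints) are this example's own.

```python
"""Decode x86 DR7 the way a ring 0 check (Method 10) would interpret it.

Added example, not from the original page. Bit layout per the Intel SDM:
  bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
  bits 8/9   LE/GE            exact breakpoint enable (set by debuggers)
  bit  10    reserved, always reads as 1 (hence the 0x400 baseline)
  bit  13    GD               general detect (traps MOV to/from DRn)
  bits 16-31 R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3
"""
from dataclasses import dataclass

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 2 = 8 bytes in 64-bit mode, undefined in 32-bit

DR7_LE = 0x100
DR7_GE = 0x200
DR7_RESERVED_BIT10 = 0x400
DR7_GD = 0x2000


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of DR0..DR3 holds the address
    local: bool
    global_: bool
    kind: str         # execute / write / io / read/write
    length: int       # bytes covered


def decode_dr7(dr7):
    """Return the breakpoints enabled in DR7 plus the control flags."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue            # R/W and LEN are meaningless for a disabled slot
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append(HwBreakpoint(n, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": breakpoints,
        "exact_local": bool(dr7 & DR7_LE),
        "exact_global": bool(dr7 & DR7_GE),
        "reserved_bit10": bool(dr7 & DR7_RESERVED_BIT10),
        "general_detect": bool(dr7 & DR7_GD),
    }


def has_memory_breakpoints(dr7):
    """True if any DR0..DR3 slot is enabled (a SoftICE BPM shows up here)."""
    return (dr7 & 0xFF) != 0


def looks_like_softice_loader(dr7):
    """Heuristic from the text: the SoftICE loader leaves LE and GE set (0x700)."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def strip_breakpoints(dr7):
    """What a protection does when it 'clears BPMs': drop the enable bits and
    the R/W and LEN fields, keep bits 8-15 (LE, GE, reserved, GD) untouched."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # 0x000F0703: DR0 enabled locally and globally, read/write, 4 bytes.
    for value in (0x400, 0x700, 0x000F0703):
        info = decode_dr7(value)
        print(f"DR7={value:08X} loader={looks_like_softice_loader(value)} "
              f"bpm={has_memory_breakpoints(value)} {info['breakpoints']}")
```

Reading DR7 only tells you that a hardware breakpoint slot is armed; the
address it watches is in the matching DRn, which is why the text talks about
DR0 to DR3 and DR7 together.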
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push   00402025                 ; \\.\SICE
        0040106C:  call   CreateFileA
        00401071:  cmp    eax, -001
        00401074:  je     00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; -> '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; -> '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with ZF set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>