About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; AL is left unchanged (4) when SoftICE is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 when the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                 ; ES=0 so that es:[41h*4] addresses the IVT (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                 ; only reached if our vector is the one that runs
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                 ; CL still 0 => our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
      when the SICE VxD is loaded and answers the DIOC_OPEN message */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
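Most of the probes above (Methods 01-05, 07, 11 and 12) are keyed on fixed immediates ('BCHK', SI=4647h/DI=4A4Dh, 1684h with the 0202h/7A5Fh VxD IDs, 4Fh/int 41h, 43h/int 68h, 002A002Ah) or on the device names opened by MeltICE, which makes them easy to find statically in a packed file before you ever trace it. The following is an added example, not part of the original post and not code from NuMega or any of the programs named above: a small C scanner that matches hand-assembled x86 encodings of those sequences in a raw code blob. The encodings assume 16-bit code for the DOS/V86 probes (as in the listings) and 32-bit code for the VxDCall push sequence; the flag names, method labels and the sample blob are constructed here for illustration. Packers can reorder or split the instructions, so a miss means "not found in canonical form", not "absent".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One signature: hand-assembled opcode bytes of a trick from the text.
 * A -1 in pat[] is a wildcard byte (not needed by the default set). */
typedef struct {
    unsigned    flag;    /* bit set in the scan result */
    const char *name;    /* method label (constructed for this example) */
    const int  *pat;
    size_t      len;
} sig_t;

enum {
    M01_BCHK     = 1u << 0, M02_BACKDOOR = 1u << 1, M03_SICE_VXD = 1u << 2,
    M04_SIWVID   = 1u << 3, M05_INT41    = 1u << 4, M07_INT68    = 1u << 5,
    M11_MELTICE  = 1u << 6, M12_VXDCALL  = 1u << 7
};

/* mov ebp,4243484Bh ('BCHK'); the 66h prefix of 16-bit code is left out so
 * the 5-byte form matches in both 16- and 32-bit code. */
static const int P_BCHK[]      = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* mov si,4647h ; mov di,4A4Dh (either order) */
static const int P_SIDI[]      = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const int P_DISI[]      = { 0xBF, 0x4D, 0x4A, 0xBE, 0x47, 0x46 };
/* mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh */
static const int P_1684_SICE[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const int P_1684_SIWV[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* mov ax,4Fh ; int 41h      and      mov ah,43h ; int 68h */
static const int P_INT41[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const int P_INT68[]     = { 0xB4, 0x43, 0xCD, 0x68 };
/* push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall, 32-bit) */
static const int P_VXDCALL[]   = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };
/* device names opened by MeltICE-style checks */
static const int P_SICE[]   = { '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E' };
static const int P_SIWVID[] = { '\\', '\\', '.', '\\', 'S', 'I', 'W', 'V', 'I', 'D' };
static const int P_NTICE[]  = { '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E' };

#define SIG(f, n, p) { f, n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t SIGS[] = {
    SIG(M01_BCHK,     "Method 01: BCHK int 3 probe",          P_BCHK),
    SIG(M02_BACKDOOR, "Method 02: int 3 backdoor magic",      P_SIDI),
    SIG(M02_BACKDOOR, "Method 02: int 3 backdoor magic",      P_DISI),
    SIG(M03_SICE_VXD, "Method 03: int 2Fh/1684h, SICE",       P_1684_SICE),
    SIG(M04_SIWVID,   "Method 04: int 2Fh/1684h, SIWVID",     P_1684_SIWV),
    SIG(M05_INT41,    "Method 05: int 41h/4Fh",               P_INT41),
    SIG(M07_INT68,    "Method 07: int 68h/43h",               P_INT68),
    SIG(M11_MELTICE,  "Method 11: \\\\.\\SICE device name",   P_SICE),
    SIG(M11_MELTICE,  "Method 11: \\\\.\\SIWVID device name", P_SIWVID),
    SIG(M11_MELTICE,  "Method 11: \\\\.\\NTICE device name",  P_NTICE),
    SIG(M12_VXDCALL,  "Method 12: VxDCall Int41Dispatch",     P_VXDCALL),
};

static int match_at(const uint8_t *buf, size_t len, size_t off, const sig_t *s)
{
    if (off + s->len > len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != -1 && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scans buf and returns a bitmask of the methods found. If report is not
 * NULL it is called once per hit with the offset and the method label. */
unsigned scan_anti_sice(const uint8_t *buf, size_t len,
                        void (*report)(size_t off, const char *name))
{
    unsigned found = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t k = 0; k < sizeof(SIGS) / sizeof(SIGS[0]); k++) {
            if (match_at(buf, len, off, &SIGS[k])) {
                found |= SIGS[k].flag;
                if (report) report(off, SIGS[k].name);
            }
        }
    }
    return found;
}

/* Constructed sample blob (not taken from any real binary): the HASP-style
 * backdoor call of Method 02, a BCHK probe, an int 41h/4Fh probe and a
 * MeltICE device name, padded with NOPs. */
const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09, 0x8B, 0x17,             /* mov ax,0911h ; mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* mov si,4647h ; mov di,4A4Dh ; int 3 */
    0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh (16-bit code) */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,       /* mov ax,4 ; int 3 ; cmp al,4 */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41,             /* mov ax,4Fh ; int 41h */
    0x3D, 0x86, 0xF3,                         /* cmp ax,0F386h */
    0x00, '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00
};
const size_t SAMPLE_LEN = sizeof(SAMPLE);

static void print_hit(size_t off, const char *name)
{
    printf("%04zx  %s\n", off, name);
}

int main(void)
{
    unsigned flags = scan_anti_sice(SAMPLE, SAMPLE_LEN, print_hit);
    printf("flags = 0x%02x\n", flags);
    return 0;
}
```

Each hit is reported with its file offset, which is where you would put the BPX or patch when the sample is later loaded under SoftICE; the returned bitmask is convenient for triage scripts. To hunt the same tricks in 32-bit code, add variants of the 16-bit patterns with the 66h operand-size prefix (for example `66 B8 4F 00 CD 41`), since the matcher is purely byte-based.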