<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: SoftICE handles the
int 3 and changes al, so al is still 4 on return only when it is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP             ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). The interrupt leaves ES:DI = 0000h:0000h when the
VxD is not loaded, so a non-zero result means it is:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinIce
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is temporarily
pointed at a do-nothing handler, so the 0F386h reply can only come from a
debugger trapping the interrupt below the IVT:

        xor ax, ax
        mov es, ax              ; es = 0 so that es:[41h*4] addresses the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:
al is loaded from the timer port (40h) instead of a known function number,
and the dummy handler copies al to cl. Since cx was cleared first, cl differs
from al whenever the interrupt never reached the handler.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

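To make the Method 10 reasoning concrete, here is an added Python decoder (not from the original text) for the DR7 bit layout, applied to the 0x700 and 0x400 values quoted above and to a constructed DR0-DR3 set; the bit positions are the standard x86 debug-register layout, not something the text spells out.

```python
# Standard DR7 layout: Ln/Gn enable bits 0-7, LE bit 8, GE bit 9, bit 10 is
# always read as 1 (hence the 0x400 floor quoted above), GD bit 13, and for
# each slot n: R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Describe the breakpoint slots and global flags a DR7 value enables."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"index": n, "local": bool(local), "global": bool(glob),
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),   # local exact-breakpoint enable
        "ge": bool(dr7 & (1 << 9)),   # global exact-breakpoint enable
        "gd": bool(dr7 & (1 << 13)),  # general detect: traps MOV to/from DRn
        "breakpoints": bps,
    }


def classify_debug_regs(dr0_3, dr7):
    """Apply the Method 10 reasoning to a DR0-DR3 list and a DR7 value:
    LE and GE both set (0x700) means the program was started under the
    SoftICE loader; any enabled slot or non-zero address means a BPM is set."""
    info = decode_dr7(dr7)
    return {
        "softice_loader": info["le"] and info["ge"],
        "memory_breakpoint": bool(info["breakpoints"]) or any(dr0_3),
        "enabled_slots": [b["index"] for b in info["breakpoints"]],
    }


if __name__ == "__main__":
    # Constructed: a 4-byte write BPM in slot 0 (L0=1, R/W0=01, LEN0=11) on
    # top of the loader's 0x700, at a made-up address.
    dr7 = 0x700 | 0x1 | (0x1 << 16) | (0x3 << 18)
    print(decode_dr7(0x400))
    print(classify_debug_regs([0x00401000, 0, 0, 0], dr7))
```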
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
        HANDLE hFile;
        /* Opening the device name only succeeds if the SICE VxD is loaded. */
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

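An analyst who wants to know which of these tricks a sample carries before tracing it can look for the instruction sequences statically. The following Python scanner is an added example, not from the original text: the byte patterns are my own encodings of the sequences quoted in Methods 01 to 07 and 12 (16-bit code for the DOS tricks, 32-bit for Methods 01 and 12, registers in the order the page shows them), and the sample buffer is constructed.

```python
import re

# (method, description, pattern): hex bytes, '??' = any byte, '[a-b]' = a..b bytes.
# Encodings: 16-bit code for the DOS tricks, 32-bit for Methods 01 and 12.
SIGNATURES = [
    ("01", "int 3 with ebp='BCHK' (BoundsChecker signature)", "BD 4B 48 43 42 [0-4] CC"),
    ("02", "int 3 back door, si=4647h di=4A4Dh", "BE 47 46 BF 4D 4A [0-8] CC"),
    ("03", "int 2Fh/1684h, bx=0202h (SICE VxD ID)", "B8 84 16 BB 02 02 CD 2F"),
    ("04", "int 2Fh/1684h, bx=7A5Fh (SIWVID VxD ID)", "B8 84 16 BB 5F 7A CD 2F"),
    ("05", "int 41h/4Fh then cmp ax,0F386h", "B8 4F 00 CD 41 [0-16] 3D 86 F3"),
    ("06", "in al,40h / xor cx,cx / int 41h", "E4 40 ?? ?? CD 41"),
    ("07", "int 68h/43h then cmp ax,0F386h", "B4 43 CD 68 3D 86 F3"),
    ("12", "VxDCall VWIN32_Int41Dispatch(4Fh) then cmp ax,0F386h",
     "6A 4F 68 2A 00 2A 00 [0-6] 66 3D 86 F3"),
]


def compile_pattern(pat):
    """Translate a YARA-style hex string into a compiled bytes regex."""
    parts = []
    for tok in pat.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}?" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(m, d, compile_pattern(p)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return sorted (offset, method, description) hits for every signature."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(blob):
            hits.append((match.start(), method, desc))
    return sorted(hits)


# Constructed sample: the Haspinst-style back door call (Method 02) followed
# by the simplest int 41h check (Method 05), padded with NOPs.
SAMPLE = bytes.fromhex(
    "90 90"        # nop; nop
    "B8 11 09"     # mov ax, 0911h
    "8B 17"        # mov dx, [bx]
    "BE 47 46"     # mov si, 4647h
    "BF 4D 4A"     # mov di, 4A4Dh
    "CC"           # int 3
    "90"           # nop
    "B8 4F 00"     # mov ax, 4Fh
    "CD 41"        # int 41h
    "3D 86 F3"     # cmp ax, 0F386h
    "74 00"        # jz $+2
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("offset %#06x: Method %s - %s" % (offset, method, desc))
```

Each pattern follows the exact register order quoted on the page, so a variant that swaps the SI/DI or AX/BX loads needs its own entry.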
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
keys #2 and #1 respectively):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>