<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises on INT 3:
with 'BCHK' in EBP and AX=4, SoftICE intercepts the interrupt and changes
AL, so AL is still 4 only when nobody answered.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' interface on INT 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded; when SoftICE is loaded it answers the INT 3 itself
and execution simply continues at 00A1.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not installed, ES:DI is left
at 0:0.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of WinICE
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7A5Fh     ; VxD ID of SIWVID
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several alternatives.
The following one is the simplest:

    mov ax,4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily installs its own
int 41h handler (a plain IRET) in the interrupt vector table (ES must point
to segment 0, as in Method 06), so AX can only become 0F386h if something
else, i.e. the debugger, intercepts the interrupt first:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
replacement handler copies AL into CL; if SoftICE intercepts int 41h the
handler never runs, CL stays 0 and differs from the value just read from
port 40h (unless that read happened to return 0):

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; changing value (timer channel 0)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
__________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (in ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
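To make the DR7 values above concrete, here is an added example (not code
from the original page): a small C decoder for the DR7 layout documented
in the Intel manuals. Bit 10 is the always-set reserved bit (hence 0x400
on a clean system), bits 8/9 are LE/GE (both set in the 0x700 case),
bits 0-7 are the L0/G0..L3/G3 enables that a BPM arms, and bits 16-31
hold the R/W and LEN fields. The "looks like SoftICE loader" helper is
only the page's 0x700 heuristic written out, and the BPM sample value is
constructed; nothing here reads the real DR7, which, as the text says,
needs ring 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the x86 DR7 debug-control register. Bit layout per the
   Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved
   always-1 bit 10, GD bit 13, then R/Wn (2 bits) and LENn (2 bits) for
   breakpoint n starting at bit 16 + 4n. */
typedef struct {
    int local_enabled[4];
    int global_enabled[4];
    int local_exact;       /* LE */
    int global_exact;      /* GE */
    int general_detect;    /* GD: any MOV to/from DRn faults */
    unsigned rw[4];        /* 0 = execute, 1 = write, 3 = read/write */
    unsigned len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
} dr7_info;

dr7_info dr7_decode(uint32_t dr7)
{
    dr7_info d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        d.local_enabled[i]  = (dr7 >> (2 * i)) & 1;
        d.global_enabled[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.local_exact    = (dr7 >> 8) & 1;
    d.global_exact   = (dr7 >> 9) & 1;
    d.general_detect = (dr7 >> 13) & 1;
    return d;
}

/* How many of DR0..DR3 are armed (locally or globally). A SoftICE BPM
   shows up here; 0x400 and 0x700 both give 0. */
int dr7_armed_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3)
            n++;
    return n;
}

/* The page's heuristic: 0x700 = LE|GE on top of the reserved bit 10. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* "Clearing BPMs": drop the enable bits and the R/W-LEN fields, keep
   LE/GE/GD and the reserved bit (bits 8-15). */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

/* Constructed value: the DR7 a 4-byte read/write BPM on DR0 would add
   to a given base (L0=1, RW0=3, LEN0=3). */
uint32_t dr7_with_bpm0(uint32_t base)
{
    return base | 1u | (3u << 16) | (3u << 18);
}

int main(void)
{
    uint32_t samples[] = { 0x400, 0x700, dr7_with_bpm0(0x700) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info d = dr7_decode(samples[i]);
        printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d loader=%d\n",
               samples[i], d.local_exact, d.global_exact, d.general_detect,
               dr7_armed_count(samples[i]),
               dr7_looks_like_softice_loader(samples[i]));
    }
    return 0;
}
```

Feeding the decoder a DR7 read in ring 0 tells you which of the three
situations the page describes you are in: reserved bit only, loader
signature (LE/GE), or one or more BPMs armed in DR0..DR3.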
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The driver answers the open only when it is loaded, so a valid
       handle means SoftICE is present. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets at which
'tICE' falls inside the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
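The breakpoints given for methods 01-13 all work at run time with SoftICE
loaded. The same tricks can also be spotted statically, before running
anything. Here is an added example (not code from the original page or
from any of the programs it names): a C scanner that looks for the byte
patterns behind Method 01 (mov ebp,'BCHK'), Method 02 (the SI/DI magic
values), Methods 03/04 (int 2Fh/1684h with the SICE or SIWVID ID),
Method 05 (int 41h/4Fh), Method 07 (int 68h/43h), Method 11 (the MeltICE
device names), Method 12 (push 002A002Ah) and Method 13 (the NuMega
registry subkey). The encodings are the standard 16/32-bit ones; the
Method 02 pattern assumes the two moves are adjacent and in the SI-then-DI
order of the Haspinst listing. The sample buffer is constructed for the
demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A byte pattern for one of the tricks on this page. The machine-code
   patterns use the standard encodings (mov r16,imm16 = B8+r iw,
   mov ebp,imm32 = BD id, int n = CD ib, push imm32 = 68 id). */
typedef struct {
    const char *name;
    const unsigned char *pat;
    size_t len;
} sig;

static const unsigned char s_bchk[]  = {0xBD,0x4B,0x48,0x43,0x42};      /* mov ebp,4243484Bh           */
static const unsigned char s_magic[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A}; /* mov si,4647h / mov di,4A4Dh */
static const unsigned char s_sice[]  = {0xBB,0x02,0x02,0xCD,0x2F};      /* mov bx,0202h / int 2Fh      */
static const unsigned char s_siwv[]  = {0xBB,0x5F,0x7A,0xCD,0x2F};      /* mov bx,7A5Fh / int 2Fh      */
static const unsigned char s_int41[] = {0xB8,0x4F,0x00,0xCD,0x41};      /* mov ax,4Fh / int 41h        */
static const unsigned char s_int68[] = {0xB4,0x43,0xCD,0x68};           /* mov ah,43h / int 68h        */
static const unsigned char s_vxd[]   = {0x68,0x2A,0x00,0x2A,0x00};      /* push 002A002Ah (VWIN32)     */

#define CODE_SIG(n, a) { n, a, sizeof a }
#define TEXT_SIG(n, s) { n, (const unsigned char *)s, sizeof s - 1 }

static const sig SIGS[] = {
    CODE_SIG("Method 01: BCHK / int 3",                 s_bchk),
    CODE_SIG("Method 02: int 3 back door magic values", s_magic),
    CODE_SIG("Method 03: int 2F/1684 SICE",             s_sice),
    CODE_SIG("Method 04: int 2F/1684 SIWVID",           s_siwv),
    CODE_SIG("Method 05: int 41/4F",                    s_int41),
    CODE_SIG("Method 07: int 68/43",                    s_int68),
    CODE_SIG("Method 12: VxDCall VWIN32_Int41Dispatch", s_vxd),
    TEXT_SIG("Method 11: MeltICE \\\\.\\SICE",           "\\\\.\\SICE"),
    TEXT_SIG("Method 11: MeltICE \\\\.\\SIWVID",         "\\\\.\\SIWVID"),
    TEXT_SIG("Method 11: MeltICE \\\\.\\NTICE",          "\\\\.\\NTICE"),
    TEXT_SIG("Method 13: NuMega registry key",          "Software\\NuMega\\SoftICE"),
};

/* Count how many distinct signatures occur in buf; print offsets if
   verbose. Plain memcmp scan: fine for a demo, slow for big files. */
int scan_for_antisice(const unsigned char *buf, size_t n, int verbose)
{
    int hits = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        const sig *g = &SIGS[s];
        for (size_t i = 0; i + g->len <= n; i++) {
            if (memcmp(buf + i, g->pat, g->len) == 0) {
                if (verbose)
                    printf("%08zx  %s\n", i, g->name);
                hits++;
                break;                 /* each signature counted once */
            }
        }
    }
    return hits;
}

/* Constructed sample: a Haspinst-style back-door call, an int 41h/4Fh
   check and a MeltICE device name, padded with NOPs. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,                       /* mov ax,0911h                */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,     /* mov si,4647h / mov di,4A4Dh */
    0xCC,                                   /* int 3                       */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41,           /* mov ax,4Fh / int 41h        */
    0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    0x90,
};

/* A harmless prologue/epilogue containing none of the patterns. */
static const unsigned char CLEAN[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0xC3 };

int scan_sample(void) { return scan_for_antisice(SAMPLE, sizeof SAMPLE, 0); }
int scan_clean(void)  { return scan_for_antisice(CLEAN,  sizeof CLEAN,  0); }

int main(void)
{
    printf("%d anti-SoftICE signature(s) in the sample:\n",
           scan_for_antisice(SAMPLE, sizeof SAMPLE, 1));
    return 0;
}
```

Run over a real file, the offsets it prints are where to put a BPX or
to start reading in the disassembler; a miss proves nothing, since the
same checks can be built at run time or with different register order.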
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>