<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is no longer 4 if SoftICE answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV     AX,0911     ; execute command.
4C19:0098 MOV     DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV     SI,4647     ; 1st magic value.
4C19:009D MOV     DI,4A4D     ; 2nd magic value.
4C19:00A0 INT     3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD     BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC     CX
4C19:00A5 CMP     CX,06       ; Repeat 6 times to execute
4C19:00A8 JB      0095        ; 6 different commands.
4C19:00AA JMP     0002        ; Bad_Guy jmp back.
4C19:00AD MOV     BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; ES must be 0 here (interrupt vector table)
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h                 ; ...which SoftICE bypasses if it is loaded
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only runs if nobody else owns int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random-looking value from the timer
        xor cx, cx
        int 41h                 ; our handler copies al into cl...
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; ...unless SoftICE intercepted the call
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The device name only opens if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
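The breakpoints given with each method catch these tricks at run time. As an added example (not part of the original text), here is a small Python static scanner that looks for the byte forms of methods 01, 02, 03/04, 05, 11, 12 and 13 in a raw file, so a protected program can be triaged for them before it is ever loaded under the debugger. The opcode encodings are the standard x86 ones for the instructions quoted in those methods (both encodings of `push 4Fh` are accepted), and the sample blob is constructed, not taken from a real packer.

```python
import re
from typing import Dict, List

# (method number in the text, what the bytes correspond to, byte pattern).
# Encodings are the standard x86 ones for the instructions quoted above;
# the short lazy ".{0,n}?" gaps allow a few filler instructions in between.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') followed by int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("02", "mov si,4647h / mov di,4A4Dh magic values before int 3",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,4}?\xCC", re.DOTALL)),
    ("03/04", "mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (VxD entry point)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,4}?\x3D\x86\xF3", re.DOTALL)),
    ("11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "Software\\NuMega\\SoftICE registry path",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes) -> List[Dict[str, object]]:
    """Return one record per signature hit, ordered by file offset."""
    hits = []
    for method, what, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append({"method": method, "what": what, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def methods_found(data: bytes) -> List[str]:
    """Sorted list of the text's method numbers whose signature was seen."""
    return sorted({h["method"] for h in scan(data)})


# Constructed sample blob (not a real packer): filler NOPs, then the byte
# forms of methods 01, 03, 05 and 12, then the strings used by 11 and 13.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # method 01
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                      # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"             # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"     # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                      # method 11
    + b"Software\\NuMega\\SoftICE\x00"                        # method 13
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit['offset']:#06x}  method {hit['method']:<5} {hit['what']}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit is a lead for where to set the corresponding breakpoint, not proof by itself, since the same opcode bytes can occur by chance in data.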
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>