<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must point to the interrupt vector table (segment 0) here,
    ; as it is set explicitly in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if nobody else hooked int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

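To make sense of the register values this method reads, here is a DR7 decoder, added as an example and not part of the original document or of any SoftICE code. The two DR7 values the text quotes differ only in bits 8 and 9 (LE/GE, the "exact breakpoint" enables): bit 10 is reserved and reads as 1 on any 386-class CPU, which is why the no-debugger value is 0x400 rather than 0. The decoder also lists which of dr0..dr3 are armed, with what access condition and length, which is exactly what a BPM leaves behind; the sample register values are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Meaning of the R/W and LEN fields of each breakpoint slot in DR7
# (bit layout per the x86 architecture manuals).
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in long mode


@dataclass
class HwBreakpoint:
    slot: int          # 0..3, i.e. which of dr0..dr3 holds the address
    address: int
    local: bool        # Ln bit: enabled for the current task
    global_: bool      # Gn bit: enabled for all tasks
    kind: str          # access that triggers it
    length: int        # bytes covered


def decode_dr7(dr7: int, dr0_3: Sequence[int]) -> Dict[str, object]:
    """Decode DR7 together with the four address registers dr0..dr3.

    Returns the global flags (LE, GE, GD) and the list of slots that are
    actually armed (local or global enable bit set).
    """
    if len(dr0_3) != 4:
        raise ValueError("expected the four values dr0..dr3")
    armed: List[HwBreakpoint] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot not armed: its condition bits are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        armed.append(HwBreakpoint(n, dr0_3[n], local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return {
        "le": bool((dr7 >> 8) & 1),     # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),     # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),    # general detect: trap on any MOV to/from DRx
        "breakpoints": armed,
    }


def describe(dr7: int, dr0_3: Sequence[int]) -> List[str]:
    """Human-readable summary, one line per finding."""
    info = decode_dr7(dr7, dr0_3)
    lines = [f"DR7={dr7:#010x} LE={info['le']} GE={info['ge']} GD={info['gd']}"]
    for bp in info["breakpoints"]:
        scope = "local" if bp.local else "global"
        lines.append(f"  dr{bp.slot}={bp.address:#010x} {scope} {bp.kind} len={bp.length}")
    if not info["breakpoints"]:
        lines.append("  no hardware breakpoints armed")
    return lines


if __name__ == "__main__":
    # Constructed sample values: the two DR7 states quoted in the text, then a
    # 4-byte read/write breakpoint on dr0 (what a BPM on a dword would set).
    for dr7, regs in ((0x700, [0, 0, 0, 0]),
                      (0x400, [0, 0, 0, 0]),
                      (0x000F0401, [0x00401000, 0, 0, 0])):
        print("\n".join(describe(dr7, regs)))
```

The third sample shows why the text says the values can be "manipulated": clearing the L0/G0 bits disarms the breakpoint without touching dr0, and that is all a protected program needs to do to remove a BPM it dislikes.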
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; -1 (HFILE_ERROR) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>