<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises: with
EBP = 'BCHK' and AX = 4, an INT 3 is answered by SoftICE, which changes AL.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL still 4: nobody answered the request
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
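Both tricks above (Method 01's 'BCHK' request and Method 02's SI/DI back door) leave a recognisable register set-up right in front of an INT 3. The following Python script is an added example, not code from the original text: it scans raw x86 code for INT 3 (opcode CC), reconstructs the MOV r16,imm16 and MOV EBP,imm32 loads that precede each one, and reports which of the two tricks it is and which back-door function (AX) is requested. The constants are the page's own; the 32-byte look-back distance, the sample bytes (hand-assembled from the Haspinst.exe listing plus the Method 01 sequence) and the function/variable names are my assumptions.

```python
"""Find SoftICE INT 3 'back door' calls (Method 02) and the BoundsChecker
'BCHK' check (Method 01) in raw x86 code. Added example, not the page's code."""

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]  # order of the B8+r encodings
MAGIC_SI = 0x4647       # 'FG', from the page
MAGIC_DI = 0x4A4D       # 'JM', from the page
BCHK = 0x4243484B       # 'BCHK', from the page
LOOKBACK = 32           # assumption: the register loads sit within 32 bytes of the INT 3

# AX function codes listed on the page for the back door.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}


def _register_loads(window):
    """Return ({reg: imm16}, saw_bchk) for the 'MOV r16, imm16' (B8+r) and
    'MOV EBP, imm32' (BD) encodings found in `window`. Every byte offset is
    tried, so this is a triage heuristic rather than a disassembler: it can
    over-match on bytes that are really operands of other instructions."""
    loads = {}
    saw_bchk = False
    for j, b in enumerate(window):
        if 0xB8 <= b <= 0xBF and j + 3 <= len(window):
            loads[REG16[b - 0xB8]] = int.from_bytes(window[j + 1:j + 3], "little")
        if b == 0xBD and j + 5 <= len(window):
            if int.from_bytes(window[j + 1:j + 5], "little") == BCHK:
                saw_bchk = True
    return loads, saw_bchk


def find_softice_int3_checks(code):
    """Scan `code` (bytes) and report each INT 3 (CC) preceded by the register
    set-up of one of the two tricks. The look-back window is cut at the previous
    INT 3 so the loads of one call are not charged to the next one."""
    findings = []
    prev_int3 = -1
    for i, b in enumerate(code):
        if b != 0xCC:
            continue
        start = max(i - LOOKBACK, prev_int3 + 1)
        loads, saw_bchk = _register_loads(code[start:i])
        prev_int3 = i
        ax = loads.get("AX")
        if loads.get("SI") == MAGIC_SI and loads.get("DI") == MAGIC_DI:
            findings.append({"offset": i, "kind": "backdoor", "function": ax,
                             "description": BACKDOOR_FUNCTIONS.get(ax, "unknown back-door function")})
        elif saw_bchk and ax == 0x0004:
            findings.append({"offset": i, "kind": "bchk", "function": ax,
                             "description": "BoundsChecker 'BCHK' signature"})
    return findings


# Constructed sample: the Haspinst.exe loop of Method 02, hand-assembled as
# 16-bit code, then two NOPs and the Method 01 sequence in 32-bit form.
SAMPLE = bytes([
    0xB8, 0x11, 0x09,              # mov ax,0911h
    0x8B, 0x17,                    # mov dx,[bx]
    0xBE, 0x47, 0x46,              # mov si,4647h   'FG'
    0xBF, 0x4D, 0x4A,              # mov di,4A4Dh   'JM'
    0xCC,                          # int 3          (offset 11: back-door call)
    0x83, 0xC3, 0x02,              # add bx,2
    0x41,                          # inc cx
    0x83, 0xF9, 0x06,              # cmp cx,6
    0x72, 0xEB,                    # jb  (back to the top of the loop)
    0xE9, 0x55, 0xFF,              # jmp (the "Bad_Guy" path)
    0x8B, 0xDC,                    # mov bx,sp
    0x90, 0x90,                    # nop padding (constructed)
    0xBD, 0x4B, 0x48, 0x43, 0x42,  # mov ebp,'BCHK'
    0x66, 0xB8, 0x04, 0x00,        # mov ax,4
    0xCC,                          # int 3          (offset 37: BoundsChecker check)
    0x3C, 0x04,                    # cmp al,4
    0x75, 0x05,                    # jnz SoftICE_Detected
])

if __name__ == "__main__":
    for finding in find_softice_int3_checks(SAMPLE):
        print(finding)
```

A bare INT 3 without the magic registers produces no finding, so the scanner can be run over a whole code section of a packer stub and only the two tricks come out; the function code it reports (0911h in the Haspinst loop) tells you at once whether the sample merely probes for breakpoints or is about to execute a SoftICE command.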


Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; (added) ES must address the IVT, as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler ...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; ... and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; AL = timer value, unpredictable
    xor cx, cx
    int 41h                     ; our handler copies AL into CL, if it ever runs
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; CL != AL: something else swallowed int 41h
    jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device; it returns the Device Description Block (in ECX) of that
device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (DR0 to DR3), simply by
reading their value (in ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
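To make sense of the DR7 values quoted above (0x700 with the SoftICE loader, 0x400 without), the following Python decoder is an added example, not the page's own code: it splits DR7 into its architectural fields and pairs every enabled slot with the address held in DR0..DR3, which is what a ring-0 "are there BPMs set?" check actually reads. The bit layout is Intel's documented one (L/G enables in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and reading as 1, GD in bit 13, R/W and LEN per slot from bit 16); the 0xF0409 value and the addresses are constructed.

```python
"""Decode the x86 DR7 debug-control register read by Method 10.
Added example; the field layout is the architectural one, the sample
values are the page's 0x700 / 0x400 plus constructed ones."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict with the global flags and one entry per breakpoint slot."""
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))    # Gn
        rw = (dr7 >> (16 + 4 * n)) & 3           # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3           # LENn
        slots.append({"index": n, "local": local, "global": glob,
                      "enabled": local or glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "raw": dr7,
        "le": bool(dr7 & (1 << 8)),              # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)), # always reads as 1: the idle 0x400
        "gd": bool(dr7 & (1 << 13)),             # general detect: traps MOV to/from DRx
        "slots": slots,
    }


def softice_loader_signature(dr7):
    """The page reports DR7 == 0x700 for a program started through the SoftICE
    loader and 0x400 otherwise; the difference is exactly the LE and GE bits."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def armed_breakpoints(dr7, dr0_3):
    """Pair every enabled slot with its linear address from DR0..DR3; a non-empty
    list is what the 'memory breakpoints set' condition of Method 10 amounts to."""
    return [{"index": s["index"], "address": dr0_3[s["index"]],
             "type": s["type"], "length": s["length"]}
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


if __name__ == "__main__":
    # Constructed values: the page's 0x400 and 0x700, then a DR7 with two slots
    # armed (slot 0: local 4-byte read/write, slot 1: global execute).
    for value in (0x400, 0x700, 0xF0409):
        print(hex(value), "loader signature:", softice_loader_signature(value),
              "armed:", armed_breakpoints(value, [0x401000, 0x402000, 0, 0]))
```

Note that the decoder deliberately treats bit 10 as informational: it is set in both of the page's values, so only LE/GE (0x300) separate "loaded through the SoftICE loader" from "not loaded", and only the Ln/Gn bits say whether a BPM is actually armed.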

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01           ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
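Several methods on this page reduce to fixed constants or strings: the 0F386h magic (Methods 05, 07, 12), the int 2Fh/1684h VxD look-ups with 0202h and 7A5Fh (Methods 03, 04), the 002A002Ah VxDCall (Method 12), the \\.\SICE, \\.\SIWVID and \\.\NTICE driver names of Method 11 and the registry keys of Method 13. The following Python script is an added example, not part of the original document: a small signature scanner that flags all of these in a binary blob, matching the strings case-insensitively in both ASCII and UTF-16LE. The byte patterns are hand-assembled from the listings; the sample blob, the names and the method labels are constructed.

```python
"""Signature triage for the constant-based SoftICE checks on this page.
Added example; patterns are hand-assembled from the page's listings."""

# Exact byte substrings: cheap to scan, but they can match by chance inside
# data and miss code that builds the same values in a different way.
CODE_SIGNATURES = [
    ("cmp ax,0F386h  (system debugger magic)",      "05/07/12", bytes.fromhex("3D86F3")),
    ("mov ax,4Fh / int 41h",                        "05",       bytes.fromhex("B84F00CD41")),
    ("mov ah,43h / int 68h",                        "07",       bytes.fromhex("B443CD68")),
    ("mov ax,1684h / mov bx,0202h  (WINICE VxD)",   "03",       bytes.fromhex("B88416BB0202")),
    ("mov ax,1684h / mov bx,7A5Fh  (SIWVID VxD)",   "04",       bytes.fromhex("B88416BB5F7A")),
    ("push 002A002Ah  (VWIN32_Int41Dispatch)",      "12",       bytes.fromhex("682A002A00")),
]

# Strings are matched case-insensitively, as ASCII and as UTF-16LE ("W" APIs).
STRING_SIGNATURES = [
    (r"\\.\SICE", "11"), (r"\\.\SIWVID", "11"), (r"\\.\NTICE", "11"),
    (r"Software\NuMega\SoftICE", "13"), (r"Uninstall\SoftICE", "13"),
    (r"App Paths\Loader32.Exe", "13"),
]


def _string_patterns():
    """Yield (name, method, lowered pattern, fold_case) for every string form."""
    for s, method in STRING_SIGNATURES:
        yield ("string " + s, method, s.lower().encode("ascii"), True)
        yield ("string " + s + " (UTF-16LE)", method, s.lower().encode("utf-16-le"), True)


def _find_all(haystack, needle):
    idx = haystack.find(needle)
    while idx >= 0:
        yield idx
        idx = haystack.find(needle, idx + 1)


def scan_for_softice_checks(blob):
    """Return findings sorted by offset, each as {offset, method, name}."""
    lowered = blob.lower()        # bytes.lower() folds ASCII letters only
    patterns = [(n, m, p, False) for n, m, p in CODE_SIGNATURES] + list(_string_patterns())
    findings = []
    for name, method, pattern, fold_case in patterns:
        for off in _find_all(lowered if fold_case else blob, pattern):
            findings.append({"offset": off, "method": method, "name": name})
    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed sample blob: a Method 05 check, a Method 12 VxDCall argument,
# one ASCII and one UTF-16LE driver name, and a Method 13 registry key.
SAMPLE = (
    b"\x90" * 4                                              # offset 0: padding
    + bytes.fromhex("B84F00CD41")                            # offset 4: mov ax,4Fh / int 41h
    + bytes.fromhex("3D86F3")                                # offset 9: cmp ax,0F386h
    + bytes.fromhex("7405")                                  # jz SoftICE_Detected
    + b"\x90" * 4                                            # padding
    + bytes.fromhex("6A4F")                                  # offset 18: push 4Fh
    + bytes.fromhex("682A002A00")                            # offset 20: push 002A002Ah
    + b"\x00" + rb"\\.\SICE" + b"\x00"                       # offset 26: ASCII device name
    + b"\x00" + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"  # offset 36: UTF-16LE name
    + b"\x00" + rb"Software\NuMega\SoftICE" + b"\x00"        # offset 57: registry key
)

if __name__ == "__main__":
    for finding in scan_for_softice_checks(SAMPLE):
        print("{offset:#06x}  method {method:<8}  {name}".format(**finding))
```

Treat a hit as a lead rather than a verdict: the three-byte 0F386h compare in particular will occasionally occur by accident, so confirm each offset in a disassembler, while the driver-name and registry-key strings are specific enough to be near-certain on their own.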


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>