<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface: with EBP = 'BCHK' and AX = 04h,
an INT 3 is serviced by SoftICE if it is loaded, and AL then no longer holds 4
(SoftICE returns AL = 0). If nothing services the call, AL still holds 4.

        mov ebp, 04243484Bh         ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4                   ; AL still 4 -> nobody answered the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information about breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger is
  not loaded.
___________________________________________________________________________
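The two INT 3 conventions above (Methods 01 and 02), modelled as the hook an emulator or stealth INT 3 handler would run. This is an added example written for this edition, not code from the original page, HASP or NuMega; it assumes flat real-mode memory with DS = 0 and a constructed command table standing in for Haspinst.exe's data (the real binary is not used).

```python
"""Emulator-side model of the two INT 3 conventions (Methods 01 and 02).

At every INT 3 the hook decides whether it is a plain breakpoint, a
BoundsChecker probe or a SoftICE back-door call, then either answers the way
SoftICE would (and gets detected, or rebooted by HBOOT) or stays silent.
classify_int3() makes that decision from the registers, handle_int3() applies
one of the two behaviours, and the two drivers at the end replay Method 01
and the Haspinst.exe loop against both.
"""
from dataclasses import dataclass, replace

BCHK = 0x4243484B                       # 'BCHK' in EBP (BoundsChecker interface)
MAGIC_SI, MAGIC_DI = 0x4647, 0x4A4D     # 'FG', 'JM': back-door magic words
BACKDOOR = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
DANGEROUS = {"HBOOT"}                   # commands that kill the debugger session


@dataclass
class Regs:
    ax: int = 0
    si: int = 0
    di: int = 0
    dx: int = 0
    ds: int = 0
    ebp: int = 0


def read_asciiz(mem: bytes, seg: int, off: int) -> str:
    """Read a NUL-terminated string at real-mode address seg:off."""
    start = (seg << 4) + off
    return mem[start:mem.index(b"\x00", start)].decode("ascii")


def classify_int3(regs: Regs, mem: bytes) -> dict:
    """Tell a plain INT 3 from the BCHK probe and the back-door calls."""
    if regs.ebp == BCHK and (regs.ax & 0xFF) == 0x04:
        return {"kind": "bchk"}
    if regs.si == MAGIC_SI and regs.di == MAGIC_DI and regs.ax in BACKDOOR:
        info = {"kind": "backdoor", "function": BACKDOOR[regs.ax]}
        if regs.ax in (0x0910, 0x0911):       # these two carry a string at DS:DX
            cmd = read_asciiz(mem, regs.ds, regs.dx)
            info["command"] = cmd
            info["dangerous"] = cmd.split()[0].upper() in DANGEROUS
        return info
    return {"kind": "plain"}


def handle_int3(regs: Regs, mem: bytes, softice_present: bool):
    """Return (registers after IRET, classification).

    With SoftICE present the BCHK probe comes back with AL = 0 and a back-door
    command is executed; absent, nothing touches the registers, which is
    exactly what the packers' checks test for.
    """
    info = classify_int3(regs, mem)
    out = replace(regs)                       # copy, so the caller's regs stay intact
    if softice_present and info["kind"] == "bchk":
        out.ax &= 0xFF00                      # AL = 0: SoftICE answered
    info["executed"] = softice_present and info["kind"] == "backdoor"
    return out, info


def bchk_check(softice_present: bool) -> bool:
    """Method 01 from the program's side: True means 'SoftICE detected'."""
    regs = Regs(ax=0x0004, ebp=BCHK)
    regs, _ = handle_int3(regs, b"", softice_present)
    return (regs.ax & 0xFF) != 4              # cmp al,4 / jnz SoftICE_Detected


def build_hasp_memory():
    """Constructed sample modelled on the Haspinst.exe listing (not dump data):
    a table of 6 near pointers at 0:0100 followed by the 6 command strings."""
    mem = bytearray(0x400)
    table, text = 0x100, 0x200
    for i, cmd in enumerate(["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]):
        mem[table + 2 * i:table + 2 * i + 2] = text.to_bytes(2, "little")
        mem[text:text + len(cmd)] = cmd.encode("ascii")
        text += len(cmd) + 1                  # keep the NUL terminator
    return bytes(mem), table


def hasp_loop(mem: bytes, seg: int, table: int, softice_present: bool):
    """Replay the 6-iteration loop at 4C19:0095 and return the commands SoftICE
    would actually have executed (all six, ending in HBOOT, when present)."""
    executed = []
    for i in range(6):
        ptr = (seg << 4) + table + 2 * i
        dx = int.from_bytes(mem[ptr:ptr + 2], "little")   # MOV DX,[BX]
        regs = Regs(ax=0x0911, si=MAGIC_SI, di=MAGIC_DI, ds=seg, dx=dx)
        _, info = handle_int3(regs, mem, softice_present)
        if info["executed"]:
            executed.append(info["command"])
    return executed


if __name__ == "__main__":
    mem, table = build_hasp_memory()
    print("Method 01 detects SoftICE:", bchk_check(True), "/ absent:", bchk_check(False))
    print("Haspinst loop with SoftICE:", hasp_loop(mem, 0, table, True))
    print("Haspinst loop without     :", hasp_loop(mem, 0, table, False))
```

The point of the split between classify_int3() and handle_int3() is that a stealth hook wants the classification (to log the HBOOT attempt, say) while deliberately leaving the registers as an absent SoftICE would.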

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get VxD API entry point). The entry point comes back in ES:DI and is 0:0 when
the VxD is not loaded; summing ES and DI below is only a shortcut for testing
both halves.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h               ; VxD ID of WINICE
        int 2Fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh               ; VxD ID of SIWVID
        int 2Fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls INT 41h (the Windows debugger interface), function 4Fh
(debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


This and the following method are 2 examples from Stone's "stn-wid.zip"
(www.cracking.net). Here the INT 41h vector is temporarily pointed at a dummy
handler and restored afterwards; if SoftICE is loaded it intercepts INT 41h
before that vector is reached and still answers 0F386h. ES must point at
segment 0 (the interrupt vector table):

        xor ax, ax
        mov es, ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install the dummy handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]         ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect: there is
no 4Fh/0F386h constant to spot. The vector is again pointed at a private
handler, here one that copies AL into CL. AL is first loaded with a
pseudo-random byte from the timer port (IN AL,40h) and CX is cleared; if the
program's own handler ran, CL equals AL afterwards, while if SoftICE
intercepted the INT 41h, the handler never ran and CL is still 0.
(A random AL of 0 gives a false negative, once in 256 runs.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]         ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; pseudo-random byte from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]         ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected


_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (the V86-mode debugger interface),
installation check AH=43h:

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h and 25h (get/set interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...):

        mov ah, 25h                 ; set interrupt vector
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (DR0 to DR3), simply by
reading their value (ring 0 only: a MOV from a debug register faults in
ring 3). The values can be manipulated or changed as well (clearing BPMs,
for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol Loader
check whether SoftICE was active (the code is located inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send W32_DEVICEIOCONTROL
(0x23) control messages (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025           ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-1             ; INVALID_HANDLE_VALUE
00401074:  je   00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov  eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                    ; HFILE_ERROR (-1) becomes 0
        jnz  00650589               ; detected
        push 00                     ; OF_READ
        mov  eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh              ; function 4Fh
        push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001      ; VxDCall
        cmp  ax, 0F386h             ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe


Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (offset 0x13 is the 't' of "SoftICE" in key #2,
0x37 in key #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed       ; ZF set -> no debugger

This service just checks a flag.
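Every method above leaves a fixed immediate in the code that the protection cannot vary without breaking the trick. As an added example, not from the original page or from any of the tools it names (Haspinst.exe, Bleem, AZPR, MeltICE are not used), the scanner below turns those immediates into byte signatures and runs them over a constructed sample buffer; the signature names, the byte patterns and the sample are assumptions made here, in the spirit of a YARA rule set for triage.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.

Each trick is reduced to the immediates it cannot avoid: 'BCHK' in EBP, the
4647h/4A4Dh magic words, the VxD IDs given to INT 2Fh/1684h, 4Fh with INT 41h,
43h with INT 68h, the 002A002Ah VWIN32 service, the 0F386h magic, the
\\.\SICE-style device names and the NuMega registry path. Hits are reported
with their offset so a triage pipeline can jump straight to the check.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes      # regex over raw bytes; '.' matches any byte (DOTALL)
    flags: int = 0


# Immediates are little-endian. Matching from the opcode byte onwards covers
# both 16-bit DOS code (BE 47 46) and 32-bit Win32 code (66 BE 47 46).
SIGNATURES = (
    Signature("M01: mov ebp,'BCHK' (BoundsChecker INT 3 interface)",
              rb"\xBD\x4B\x48\x43\x42"),
    Signature("M02: SI=4647h / DI=4A4Dh (SoftICE INT 3 back door)",
              rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    Signature("M03/M04: INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
              rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
              rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16"),
    Signature("M05: mov ax,4Fh ; int 41h (debugger installation check)",
              rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    Signature("M07: mov ah,43h ; int 68h",
              rb"\xB4\x43.{0,8}?\xCD\x68"),
    Signature("M12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
              rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Only 3 bytes: expect occasional chance hits in large binaries.
    Signature("M05/M07/M12: cmp ax,0F386h (system debugger magic number)",
              rb"\x3D\x86\xF3"),
    Signature("M11: \\\\.\\SICE-style device name (MeltICE / _lopen variant)",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE),
    Signature("M13: SoftICE registry key",
              rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.exe",
              re.IGNORECASE),
)


def scan(data: bytes):
    """Return (offset, signature name) pairs sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, data, re.DOTALL | sig.flags):
            hits.append((m.start(), sig.name))
    return sorted(hits)


def hit_names(data: bytes):
    """Distinct signature names found in data, sorted."""
    return sorted({name for _, name in scan(data)})


# Constructed sample (not taken from any real binary): Method 01 as 16-bit
# code, the Bleem-style Method 12 check as 32-bit code, a MeltICE device name
# and the NuMega registry path, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh   ('BCHK')
    + b"\xB8\x04\x00"                  # mov ax,4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al,4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\x6A\x4F"                      # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"          # push 002A002Ah
    + b"\xE8\x00\x00\x00\x00"          # call Kernel32!ORD_0001 (VxDCall)
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x10"                      # jz SoftICE_Detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Methods 06, 08, 09, 10 and 14 are deliberately left without a signature: they carry no distinctive immediate (a random IN AL,40h, generic INT 21h vector calls, a VMMCall or a MOV from DRx) and are better found by the SoftICE breakpoints the text gives than by byte matching.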
</PRE></TD></TR></TBODY></TABLE>