<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It checks whether SoftICE answers to the BoundsChecker signature ('BCHK')
on int 3: when SoftICE is loaded, AL no longer comes back as 4.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (If SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point); a non-zero entry point means the VxD is loaded:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point ?
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This one and the following method are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is first
swapped with a dummy handler, so that only a debugger that intercepts
int 41h below the IVT (like SoftICE) can still answer with 0F386h. ES must
point to segment 0 (the IVT) here, as in Method 06:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL; if a debugger intercepts int 41h, the
handler never runs and CL stays 0.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; needs windows.h):

/* Returns TRUE if a handle to the \\.\SICE device can be opened, i.e. the
   Win9x SoftICE driver is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);    /* release the handle, we only needed the test */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
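As an added example (not part of the original text, and not code from any of the programs named above), here is a small Python triage scanner that an analyst can run over a binary to flag the byte patterns of the checks described in Methods 01 to 13. The opcode bytes are the plain encodings of the instruction sequences listed above (an optional 66h prefix covers 16-bit and 32-bit code where it matters); the SAMPLE blob is constructed for the demonstration, and the M01..M13 labels are this script's own naming:

```python
import re
from typing import List, Tuple

# Byte-level signatures for the SoftICE checks described in the text.
# Each entry is (label, compiled bytes-regex); labels are this script's own.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("M01 BCHK int 3 backdoor",
     re.compile(rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC")),
    # Method 02: mov si,4647h / mov di,4A4Dh (the SoftICE 'magic values')
    ("M02 SoftICE magic values SI/DI",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A")),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11 (MeltICE): driver device names opened with CreateFileA/_lopen
    ("M11 SoftICE device name",
     re.compile(b"|".join(re.escape(b"\\\\.\\" + n)
                          for n in (b"SICE", b"SIWVID", b"NTICE")))),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key #2
    ("M13 SoftICE registry key",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"))),
]


def scan_for_softice_checks(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) pairs, sorted by offset, for every signature hit."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def report(blob: bytes) -> List[str]:
    """One human-readable line per hit: offset, label and the first 12 bytes."""
    lines = []
    for off, label in scan_for_softice_checks(blob):
        lines.append(f"{off:08x}  {label:34s} {blob[off:off + 12].hex(' ')}")
    return lines


# Constructed sample: NOP/zero filler around copies of the sequences above.
# Offsets of the hits, by construction: 8, 24, 35, 48, 60, 71, 83.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"    # Method 01 (32-bit)
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                         # Method 02 (16-bit)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                     # Method 03
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                 # Method 05 (32-bit)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                         # Method 12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                      # Method 11 string
    + b"\x00" * 3
    + b"Software\\NuMega\\SoftICE\x00"                        # Method 13 string
)

if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data):
        print(line)
```

The opcode signatures are deliberately exact, so a packer that reorders the loads or splits them with junk instructions will slip past them; the string signatures (device names, registry path) are the more robust half and are what the BPX conditions quoted above key on as well. Treat a hit as a pointer to a spot worth inspecting in the debugger, not as proof of anti-debugging on its own.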
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>