<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE!

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the driver's device name succeeds only if the VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-01 ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

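As an added example (not code from the original page), here is a small C scanner that flags, in a code buffer, the byte patterns behind Methods 01 to 07 and 12 and the device names opened by Method 11, i.e. the static counterpart of the BPX conditions above. The opcode encodings are derived from the page's listings; the sample buffer is constructed, not taken from a real program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Byte encodings of the instructions quoted on the page (16-bit forms, as in
   its DOS listings; 32-bit code puts a 66h prefix before each 16-bit mov, so
   the multi-instruction patterns would need splitting there). */
static const uint8_t P_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh */
static const uint8_t P_MAGIC[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t P_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* ax=1684h bx=0202h int 2Fh */
static const uint8_t P_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* ax=1684h bx=7A5Fh int 2Fh */
static const uint8_t P_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh ; int 41h */
static const uint8_t P_F386[]   = { 0x3D, 0x86, 0xF3 };                         /* cmp ax,0F386h */
static const uint8_t P_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h ; int 68h */
static const uint8_t P_VXDCALL[]= { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh ; push 002A002Ah */

typedef struct { const char *label; const uint8_t *bytes; size_t len; } Sig;
#define BYTES(a) (a), sizeof (a)
#define TEXT(s)  ((const uint8_t *)(s)), sizeof (s) - 1
static const Sig SIGS[] = {
    { "Method 01: BoundsChecker 'BCHK' probe",   BYTES(P_BCHK)    },
    { "Method 02: back door magic SI/DI",         BYTES(P_MAGIC)   },
    { "Method 03: int 2Fh/1684h, SICE VxD ID",    BYTES(P_SICE)    },
    { "Method 04: int 2Fh/1684h, SIWVID VxD ID",  BYTES(P_SIWVID)  },
    { "Method 05: int 41h function 4Fh",          BYTES(P_INT41)   },
    { "Methods 05/07/12: compare with 0F386h",    BYTES(P_F386)    },
    { "Method 07: int 68h function 43h",          BYTES(P_INT68)   },
    { "Method 12: VxDCall VWIN32_Int41Dispatch",  BYTES(P_VXDCALL) },
    { "Method 11: opens \\\\.\\SICE",             TEXT("\\\\.\\SICE")   },
    { "Method 11: opens \\\\.\\SIWVID",           TEXT("\\\\.\\SIWVID") },
    { "Method 11: opens \\\\.\\NTICE",            TEXT("\\\\.\\NTICE")  },
};

/* Report each signature at its first occurrence and return how many distinct
   signatures matched.  Short patterns can collide with ordinary data, so a
   hit is a lead for manual review, not a verdict. */
size_t scan_anti_softice(const uint8_t *buf, size_t len)
{
    size_t hits = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        for (size_t i = 0; i + SIGS[s].len <= len; i++) {
            if (memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0) {
                printf("offset 0x%04zx: %s\n", i, SIGS[s].label);
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample, not a real binary: Method 02's magic values, Method 05's
   simplest check and a MeltICE device name, padded with NOPs (90h). */
static const uint8_t SAMPLE[] = {
    0x90, 0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, 0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0, 0x90
};
size_t sample_hits(void) { return scan_anti_softice(SAMPLE, sizeof SAMPLE); }

int main(void) { printf("%zu signature(s) found\n", sample_hits()); return 0; }
```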
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>