<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It uses the
BoundsChecker interface of SoftICE's int 3 handler: with 'BCHK' in EBP and
AX=4, a loaded SoftICE answers the int 3 by changing AL (it returns 0);
without SoftICE the interrupt comes back untouched and AL is still 4.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-(

Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE command - the command string is at DS:DX)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. So with SoftICE loaded the int 3
returns normally, the loop runs through the whole list and the last command
reboots the machine.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point): if a VxD with that ID is loaded, ES:DI is filled
with its API entry point, otherwise it is left at 0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

(The ES+DI sum is a lazy non-zero test; 'or ax, di' would be the exact one.
The sum could only wrap to zero by accident, so in practice it works.)

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first points the int 41h
vector at its own dummy handler: without a debugger the plain iret leaves AX
unchanged (4Fh), so an AX of 0F386h can only come from a debugger that
intercepts the interrupt before the real-mode vector, as SoftICE does:

        xor     ax, ax
        mov     es, ax                  ; ES -> IVT at 0000:0000
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, save the old one
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to catch: the dummy
handler copies AL into CL, which tells the caller whether its own handler
was actually reached. AL is loaded from the timer port (in al, 40h) so the
value is not predictable, and AH is 0 rather than 4Fh, so a 'BPINT 41 if
ax==4f' will not see it. If SoftICE handles the int 41h itself (which is
what this trick relies on), the program's handler is never reached, CL stays
0 and differs from AL. The only false negative is a timer byte that happens
to be 0.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES -> IVT at 0000:0000
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, save the old one
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; unpredictable byte from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a detection method but a way to crash the system: the program
intercepts int 01h and int 03h (which SoftICE relies on for tracing and
breakpoints) and redirects them to another routine. It calls int 21h
functions 25h and 35h (set/get interrupt vector), with DS:DX pointing to the
new routine to execute (hangs the computer...):

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the Debug Registers (ring 0 only,
a MOV from DRn in ring 3 raises a general protection fault) you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) and whether memory breakpoints (BPM) are
set, since those live in DR0 to DR3. The values can be manipulated or
changed as well (clearing BPMs, for instance).

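The bit layout behind the DR7 values quoted above, as an added example that
is not part of the original text: a small Python decoder for the DR7
debug-control register, using the architectural bit assignments (L0..G3
enables in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD
in bit 13, R/Wn and LENn fields from bit 16 up). The 0x700/0x400 rule is
the page's own observation, not something the decoder derives, and the
sample DR7 value at the end is constructed.

```python
# Added example (not from the original text): decode the x86 DR7 debug-control
# register so the 0x400 / 0x700 values quoted above can be read bit by bit,
# and list which hardware breakpoints (DR0..DR3) are armed.
# Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3  local/global enable for DRn
#   bits 8, 9   LE, GE                   local/global exact breakpoint enable
#   bit 10      reserved, always reads 1 (hence the 0x400 baseline)
#   bit 13      GD                       general detect: #DB on any MOV DRn
#   bits 16+4n  R/Wn (2 bits)            00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4n  LENn (2 bits)            00 1 byte, 01 2, 11 4 (10 = 8, 64-bit only)
from typing import Dict, List

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
CONTROL_MASK = 0x2700            # LE | GE | reserved bit 10 | GD


def _bit(value: int, n: int) -> bool:
    return bool((value >> n) & 1)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the control flags and the per-breakpoint settings encoded in DR7."""
    bps: List[Dict[str, object]] = []
    for n in range(4):
        local_en = _bit(dr7, 2 * n)
        global_en = _bit(dr7, 2 * n + 1)
        if not (local_en or global_en):
            continue                      # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"reg": f"DR{n}", "local": local_en, "global": global_en,
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": _bit(dr7, 8),
        "GE": _bit(dr7, 9),
        "reserved_bit10": _bit(dr7, 10),
        "GD": _bit(dr7, 13),
        "breakpoints": bps,
    }


def softice_loader_signature(dr7: int) -> bool:
    """The page's rule of thumb: LE and GE both set (0x700) means the program
    was started through the SoftICE loader; a bare 0x400 is the reset value."""
    flags = decode_dr7(dr7)
    return bool(flags["LE"] and flags["GE"])


def clear_bpm(dr7: int) -> int:
    """Mirror the 'clearing BPMs' remark: drop every Ln/Gn enable bit and the
    R/Wn and LENn fields, keeping only the control bits (LE, GE, bit 10, GD)."""
    return dr7 & CONTROL_MASK


# Constructed sample (not a captured value): 0x700 from the text plus DR1
# armed as a 4-byte write breakpoint: G1 (bit 3) = 1, R/W1 (bits 20-21) = 01,
# LEN1 (bits 22-23) = 11, i.e. 0x700 | 0x8 | 0x100000 | 0xC00000.
SAMPLE_DR7 = 0xD00708

if __name__ == "__main__":
    for key, value in decode_dr7(SAMPLE_DR7).items():
        print(f"{key}: {value}")
    print(f"after clear_bpm: {clear_bpm(SAMPLE_DR7):#x}")   # 0x700
```

decode_dr7(0x400) reports only the reserved bit, decode_dr7(0x700) adds LE
and GE, and any DR7 with an Ln/Gn bit set lists the armed breakpoint with
its type and length, which is exactly what a BPM leaves behind for a ring-0
check to find.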
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. A loaded driver accepts the open, an absent one makes it fail.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check this simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push  00402025              ; "\\.\SICE"
0040106C:  call  CreateFileA
00401071:  cmp   eax,-001              ; INVALID_HANDLE_VALUE
00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
    dword compared is the driver name itself)

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; "\\.\SICE",0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; "\\.\SICE",0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________9 C$ c+ U" p$ r% e1 K( j4 b7 E
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):
 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the lpSubKey argument; offset 0x13 lands on "tICE" in
    "Software\NuMega\SoftICE" (key #2) and 0x37 on "tICE" at the end of the
    Uninstall path of key #1)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). It returns with the zero flag clear if a debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
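A static check for the patterns described on this page, as an added example
that is not part of the original text or of any tool it mentions: a Python
scanner that looks for the byte encodings of methods 01 to 07, 11 and 12 in
a raw file image. The instruction bytes are the standard x86 encodings of the
snippets as listed (16-bit code for the DOS int 2Fh/int 41h/int 68h tricks,
32-bit code for the BCHK and VxDCall ones); a short gap is allowed where the
listings interleave other instructions, and the sample "binary" at the end
is constructed, not taken from any of the programs named above.

```python
# Added example, not from the original text: scan a raw file image for the
# byte patterns behind the anti-SoftICE tricks above. Each pattern is a
# bytes regex; '.{0,N}?' allows a few unrelated bytes between instructions.
import re
from typing import List, Tuple

SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BCHK int 3",            rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; ... int 3
    ("02 backdoor FG/JM int 3",  rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC"),
    # Method 03 (16-bit): mov ax,1684h ; mov bx,0202h ; int 2Fh
    ("03 int 2F/1684 SICE",      rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    # Method 04 (16-bit): mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    ("04 int 2F/1684 SIWVID",    rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05 int 41/4F F386",        rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 06 (16-bit): in al,40h ; xor cx,cx ; int 41h ; ... cmp cl,al
    # (both assembler encodings of xor cx,cx and cmp cl,al are accepted)
    ("06 int 41 timer/CL",       rb"\xE4\x40(?:\x33|\x31)\xC9\xCD\x41.{0,16}?(?:\x38\xC1|\x3A\xC8)"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07 int 68/43 F386",        rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE \\\\.\\SICE",   rb"\\\\\.\\SICE\x00"),
    ("11 MeltICE \\\\.\\SIWVID", rb"\\\\\.\\SIWVID\x00"),
    ("11 MeltICE \\\\.\\NTICE",  rb"\\\\\.\\NTICE\x00"),
    # Method 12 (32-bit): push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)
    ("12 VxDCall 002A002A/4F",   rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers (the two-digit prefix of each signature name)."""
    return sorted({name[:2] for _, name in scan(blob)})


# Constructed sample image (not a real binary): NOP filler around the
# Haspinst loop body from Method 02, the simple int 41h check from Method 05,
# the MeltICE device name from Method 11 and the Bleem VxDCall sequence from
# Method 12.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x74\x10"                          # jz detected
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh ; push 002A002Ah
    + b"\xFF\x15\x00\x20\x40\x00"          # call [Kernel32!ORD_0001]
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE_IMAGE):
        print(f"{off:#06x}  {name}")
    print("methods:", ", ".join(methods_found(SAMPLE_IMAGE)))
```

Run it on a DOS or Win9x executable image (or a section dump) to get the
offsets of each hit; a packer that carries several of these tricks will
light up several method numbers at once, and the offsets are where to set
the BPX or BPINT listed under each method.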
) c; ~' K8 Y, D</PRE></TD></TR></TBODY></TABLE> |