<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It checks for the BoundsChecker signature that SoftICE recognises: when
SoftICE is loaded, its int 3 handler sees 'BCHK' in ebp and returns with
al changed, so al still being 4 afterwards means no debugger answered.

mov ebp, 04243484Bh   ; 'BCHK'
mov ax, 04h
int 3
cmp al, 4
jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD ID via int 2Fh/1684h
(API "Get Device Entry Point"). If the VxD is present, ES:DI receives a
non-zero entry point.

xor di, di
mov es, di
mov ax, 1684h
mov bx, 0202h         ; VxD ID of WinICE (SICE)
int 2Fh
mov ax, es            ; ES:DI -> VxD API entry point
add ax, di
test ax, ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

xor di, di
mov es, di
mov ax, 1684h
mov bx, 7a5Fh         ; VxD ID of SIWVID
int 2Fh
mov ax, es            ; ES:DI -> VxD API entry point
add ax, di
test ax, ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

mov ax, 4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The following example and the one in method 06 come from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler that just returns, so a plain int 41h cannot change ax;
if ax nevertheless comes back as 0F386h, something underneath the vector
table (SoftICE) answered the call:

xor ax, ax
mov es, ax            ; es = 0 -> interrupt vector table (as in method 06)
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]   ; install the dummy handler, saving the old vector
xchg bx, es:[41h*4+2]
mov ax, 4fh
int 41h
xchg dx, es:[41h*4]   ; restore the original vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (no 4Fh
or 0F386h constant to break on). The dummy handler copies al into cl, and al
is loaded from the timer port so its value is unpredictable; if the handler
was actually reached, cl equals al afterwards, otherwise they differ:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

xor ax, ax
mov es, ax            ; es = 0 -> interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]   ; install the dummy handler, saving the old vector
xchg bx, es:[41h*4+2]
in al, 40h            ; read the timer counter -> unpredictable al
xor cx, cx
int 41h
xchg dx, es:[41h*4]   ; restore the original vector
xchg bx, es:[41h*4+2]
cmp cl, al
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

mov ah, 43h
int 68h
cmp ax, 0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

mov ah, 25h                     ; int 21h/25h: set interrupt vector
mov al, Int_Number              ; 01h or 03h
mov dx, offset New_Int_Routine  ; ds:dx -> new handler
int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE 'SICE' device can be opened,
   i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00                 ; OF_READ
mov eax,[00656634]      ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589            ; detected
push 00                 ; OF_READ
mov eax,[00656638]      ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

push 0000004fh          ; function 4fh
push 002a002ah          ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
call Kernel32!ORD_001   ; VxdCall
cmp ax, 0f386h          ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f
BPINT 30 if ax==0xF386                     ; SoftICE must be loaded for this one
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
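As an added example, not part of the original text: a small Python scanner
that looks for the byte patterns and strings of the tricks in methods 01 to 13
in a raw code image, the way an analyst would triage a packed DOS/Win9x sample
for these checks. The x86 encodings and the sample buffer are constructed here
for the example, not taken from the text.

```python
import re

# Byte signatures for the anti-SoftICE tricks described above. The x86
# encodings were worked out by hand for this example (mov r16,imm16 = B8+r,
# int n = CD n, mov ah,imm8 = B4, push imm = 6A/68); the constants are the
# ones the text quotes. The leading number is the method number in the text.
SIGNATURES = {
    "01 BoundsChecker int 3 (ebp='BCHK')":
        rb"\x66?\xBD\x4B\x48\x43\x42",                    # mov ebp,4243484Bh
    "02 SoftICE back door (si=4647h, di=4A4Dh)":
        rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46",
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xBB\x02\x02.{0,8}?\xCD\x2F",                  # mov bx,0202h..int 2Fh
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",                  # mov bx,7A5Fh..int 2Fh
    "05/06 int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",                  # mov ax,4Fh..int 41h
    "07 int 68h function 43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",                      # mov ah,43h..int 68h
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",            # "\\.\SICE",0 etc.
    "12 VxDCall VWIN32_Int41Dispatch (4Fh, 002A002Ah)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    "13 registry key Software\\NuMega\\SoftICE":
        rb"Software\\NuMega\\SoftICE",
}

def scan(code):
    """Return a sorted list of (offset, trick) for every signature found."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

def trick_numbers(code):
    """Only the method numbers (text before the first space) of each hit."""
    return [name.split(" ")[0] for _, name in scan(code)]

# Constructed sample image: back-door call (method 02), int 41h/4Fh check
# (method 05) and a MeltICE device name, padded with NOPs (90h).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\xBE\x47\x46"          # mov si,4647h
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # "\\.\SICE",0
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%04X  %s" % (offset, name))
```

Matches are reported by file offset, so a hit can be cross-checked against the
disassembly before concluding that the sample really performs the check.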
2 L! U7 h) ]3 J</PRE></TD></TR></TBODY></TABLE> |