<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet. It uses the
BoundsChecker interface built into SoftICE: the program puts the 'BCHK'
signature in EBP and 4 in AX, then executes INT 3. If SoftICE is loaded it
answers the call and AL no longer holds 4; with no SoftICE nothing answers
and AL is untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; AL changed -> SoftICE answered
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives the
address of its API entry point; otherwise ES:DI is left at the 0:0 we
put there beforehand.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; still 0:0 -> no VxD
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler (a bare IRET) directly in the interrupt vector table (ES
must be 0 here, as in method 06). Without a debugger the call therefore
returns with AX unchanged; SoftICE still answers 0F386h even though the
vector now points at our own IRET:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler (offset)
        xchg    bx, es:[41h*4+2]        ; ... and segment
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
temporary handler copies AL into CL. AL is loaded from timer port 40h (a
more or less random value) and CX is cleared before the call: if int 41h
really reaches our handler, CL equals AL afterwards; if a debugger has
swallowed the interrupt, CL is still 0. (If AL happens to be 0 the check
is inconclusive.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; AL = low byte of timer 0 counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...)

        mov     ah, 25h                     ; DOS: set interrupt vector
        mov     al, Int_Number              ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name    ; only used if no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers (ring 0 only)
you can detect if SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or if there are some memory
breakpoints set (DR0 to DR3), simply by reading their values. The values
can be manipulated or changed as well (clearing BPMs, for instance).

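The debug-register check described above, as an added example that is not
part of the original text: a small C decoder for DR7, DR6 and the four
address registers, run over a constructed register snapshot (no real DRn is
read here; on Win9x that needs ring 0, e.g. "mov eax, dr7" in a VxD). It
shows bit by bit what 0x700 versus 0x400 means and how a BPM shows up as an
armed slot with its R/W and LEN fields, which is also what you must clear
if you want to hide from such a check.

```c
/* Added example, not code from the original text: decode the x86 debug
 * registers the way the ring-0 check described above would. The snapshot
 * in main() is constructed; nothing here touches real hardware. */
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware breakpoint slots as encoded in DR7 / DR0..DR3. */
struct hwbp {
    int      active;  /* L or G enable bit set */
    int      global;  /* G bit: breakpoint survives task switches */
    int      rw;      /* 0 = execute, 1 = write, 3 = read/write (2 = I/O) */
    int      len;     /* 1, 2, 4 or 8 bytes */
    uint32_t addr;    /* linear address from DRn */
};

/* LEN field encoding: 00 = 1 byte, 01 = 2, 10 = 8 (64-bit only), 11 = 4. */
static const int len_table[4] = { 1, 2, 8, 4 };

/* Decode slot n (0..3) from DR7; addr is the matching DRn value. */
struct hwbp decode_slot(uint32_t dr7, uint32_t addr, int n)
{
    struct hwbp b;
    uint32_t ctl = dr7 >> (16 + 4 * n);           /* R/Wn and LENn bits */

    b.global = (dr7 >> (2 * n + 1)) & 1;          /* Gn */
    b.active = ((dr7 >> (2 * n)) & 1) | b.global; /* Ln or Gn */
    b.rw     = ctl & 3;
    b.len    = len_table[(ctl >> 2) & 3];
    b.addr   = addr;
    return b;
}

/* How many slots a debugger has armed: every SoftICE BPM occupies one. */
int count_armed(uint32_t dr7)
{
    int n, c = 0;
    for (n = 0; n < 4; n++)
        c += decode_slot(dr7, 0, n).active;
    return c;
}

/* Bits 8 and 9 of DR7 are LE/GE (exact data breakpoint match); bit 10 is
 * always 1. So 0x700 = LE|GE|bit 10 and 0x400 = bit 10 alone, which is the
 * difference the text draws between a program started from the SoftICE
 * loader and one started normally. */
int exact_match_enabled(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* DR6 bits B0..B3 name the slot that raised the last #DB, or -1 if none. */
int last_hit_slot(uint32_t dr6)
{
    int n;
    for (n = 0; n < 4; n++)
        if (dr6 & (1u << n))
            return n;
    return -1;
}

int main(void)
{
    /* constructed snapshot: loader-style DR7 plus slot 0 armed as a 4-byte
     * read/write breakpoint on 00401000 (what "BPM 401000 RW" sets up),
     * and DR6 reporting slot 0 as the last hit */
    uint32_t dr0 = 0x00401000, dr6 = 0x00000001;
    uint32_t dr7 = 0x700 | 0x1 | (0x3u << 16) | (0x3u << 18);
    struct hwbp b = decode_slot(dr7, dr0, 0);

    printf("dr7=%08x exact_match=%d armed=%d last_hit=%d\n", (unsigned)dr7,
           exact_match_enabled(dr7), count_armed(dr7), last_hit_slot(dr6));
    printf("slot 0: %s addr=%08x rw=%d len=%d\n",
           b.global ? "global" : "local", (unsigned)b.addr, b.rw, b.len);
    return 0;
}
```

A protection that clears DR0..DR3 and the L/G bits of DR7 removes every
BPM; conversely, a debugger that wants to stay unnoticed by this method has
to virtualise the DRn reads, which is exactly why the text warns you not to
trace while the option is active.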
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. If the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name of the SoftICE Win9x VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067:  push  00402025          ; "\\.\SICE"
        0040106C:  call  CreateFileA
        00401071:  cmp   eax,-001          ; INVALID_HANDLE_VALUE?
        00401074:  je    00401091          ; yes -> not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument and +4 skips
 the "\\.\" prefix, so the four bytes after it are compared with the start
 of the driver name):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                  ; OF_READ
        mov     eax,[00656634]      ; "\\.\SICE",0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                 ; HFILE_ERROR (-1) becomes 0
        jnz     00650589            ; detected
        push    00                  ; OF_READ
        mov     eax,[00656638]      ; "\\.\SICE"
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae            ; not detected

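All the breakpoint conditions above reduce to a single-dword compare on the
name passed to CreateFileA (or _lopen). As an added example, which is not
from the original text nor from MeltICE, here is that test written out in
C and run over constructed argument strings, next to a strict full-name
match for when you want to know which driver the program probes rather
than just to break. The device names are the three listed above; nothing
here opens a real handle, and the function names are this example's own.

```c
/* Added example, not code from the original text or from MeltICE: the
 * "*(esp->4+4)=='SICE' || ... " breakpoint condition as a C function,
 * plus a strict match, run over constructed CreateFileA/_lopen arguments. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Names the text lists: SICE and SIWVID (Win9x), NTICE (WinNT). */
static const char *const softice_devices[] = { "SICE", "SIWVID", "NTICE" };

/* SoftICE's 'SICE' constant compares against the bytes as they sit in
 * memory; build the same 32-bit value from a string so the comparison
 * below is byte-for-byte what the breakpoint does, on any host. */
static uint32_t fourcc(const char *s)
{
    uint32_t v;
    memcpy(&v, s, 4);                   /* first four bytes, memory order */
    return v;
}

/* Equivalent of *(esp->4+4): the dword four bytes into lpFileName.
 * Returns 0 for names too short to hold a prefix plus four bytes, which
 * the real breakpoint would read past (harmlessly, into the terminator). */
static uint32_t name_word(const char *lpFileName)
{
    if (strlen(lpFileName) < 8)
        return 0;
    return fourcc(lpFileName + 4);
}

/* 1 if the argument would trigger the "most classical" BPX condition.
 * The condition never looks at the prefix itself, so "TMP\SICE.tmp" fires
 * too: the price of a fast one-dword compare. 'SIWV' is only the first
 * four bytes of SIWVID, which is why the original uses that spelling. */
int bpx_condition_fires(const char *lpFileName)
{
    uint32_t w = name_word(lpFileName);
    return w == fourcc("SICE") || w == fourcc("SIWV") || w == fourcc("NTIC");
}

/* Strict check: full "\\.\NAME" match against the list. Returns the
 * driver name probed, or NULL if the argument is not a SoftICE device. */
const char *probed_softice_device(const char *lpFileName)
{
    size_t i;
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;
    for (i = 0; i < sizeof softice_devices / sizeof softice_devices[0]; i++)
        if (strcmp(lpFileName + 4, softice_devices[i]) == 0)
            return softice_devices[i];
    return NULL;
}

int main(void)
{
    /* constructed arguments, as they would be found on the stack at the
     * call to CreateFileA or _lopen */
    const char *args[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\PIPE\\x", "TMP\\SICE.tmp", "\\\\.\\SI" };
    size_t i;

    for (i = 0; i < sizeof args / sizeof args[0]; i++) {
        const char *d = probed_softice_device(args[i]);
        printf("%-14s bpx_fires=%d device=%s\n", args[i],
               bpx_condition_fires(args[i]), d ? d : "-");
    }
    return 0;
}
```

The loose compare is what you want in a breakpoint (cheap, evaluated on
every CreateFileA call); the strict match is what you want in a tool that
logs which driver a protection is looking for.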
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh           ; function 4Fh
        push    002A002Ah           ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001   ; VxDCall
        cmp     ax, 0F386h          ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; 0x13 and 0x37
are the offsets of "tICE" in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.

</PRE></TD></TR></TBODY></TABLE>