<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
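The debug-register check above, as an added example that is not part of the original text: a Python decoder for DR7 that lists which hardware breakpoint slots are enabled and whether the LE/GE bits behind the 0x700 value are set. The bit layout is Intel's documented DR7 layout; the function names and the sample DR7/DR0 values are constructed.

```python
# Added example, not from the original text: decode DR7 the way a ring-0
# reader of the debug registers would need to, instead of comparing it
# against a single constant. Bit layout per Intel SDM vol. 3 (assumed here):
# bits 0-7 L0/G0..L3/G3, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1),
# bit 13 GD, bits 16+4n R/Wn (2 bits), bits 18+4n LENn (2 bits).

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 bytes is only valid in 64-bit mode


def decode_dr7(dr7):
    """Return the enable flags and the active breakpoint slots encoded in DR7."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            slots.append({
                "slot": n, "local": local, "global": glob,
                "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
            })
    return {
        "le": bool(dr7 >> 8 & 1),    # local exact breakpoint enable
        "ge": bool(dr7 >> 9 & 1),    # global exact breakpoint enable
        "gd": bool(dr7 >> 13 & 1),   # general detect: traps MOV to/from DRn
        "active": slots,
    }


def debugger_indicators(dr0_3, dr7):
    """List what the text reads out of the debug registers: LE/GE set
    (the 0x700 pattern) and enabled slots with a non-zero address (BPMs)."""
    d = decode_dr7(dr7)
    reasons = []
    if d["le"] or d["ge"]:
        reasons.append("LE/GE set in DR7")
    for s in d["active"]:
        addr = dr0_3[s["slot"]]
        if addr:
            reasons.append("BPM slot %d %s len=%d at %#x"
                           % (s["slot"], s["kind"], s["len"], addr))
    return reasons


# Constructed sample values: 0x400 is the reserved-bit baseline the text quotes
# for a normal load, 0x700 adds LE/GE, and the third value enables a 4-byte
# read/write breakpoint in slot 0 (L0=1, R/W0=11b, LEN0=11b) on 0x401000.
BPM_DR7 = 0x400 | 1 | (3 << 16) | (3 << 18)

if __name__ == "__main__":
    for dr7, dr0_3 in ((0x400, [0, 0, 0, 0]),
                       (0x700, [0, 0, 0, 0]),
                       (BPM_DR7, [0x401000, 0, 0, 0])):
        print("DR7=%#x -> %s" % (dr7, debugger_indicators(dr0_3, dr7) or ["clean"]))
```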
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* open a handle on the SICE device; succeeds only if the VxD is loaded */
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06), but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey pointer; 0x13 and 0x37 are the offsets at which 'tICE'
falls in the subkey strings of keys #2 and #1 respectively)

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>