<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Opening the SICE device succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
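
As an added example (not part of the original text), here is a small Python scanner that looks for the byte patterns and driver names behind methods 01, 03/04, 05, 07, 11 and 12 in a raw code blob, the way an analyst would triage a packed sample for these SoftICE checks. It assumes the plain encodings of the instructions shown above (16-bit, with an optional 66h prefix for the two checks that also appear in 32-bit code); the sample bytes are constructed.

```python
import re

# Byte patterns for the SoftICE checks described on this page. Encodings are
# the 16-bit forms of the listed instructions; the 'BCHK' and int 41h checks
# also occur in 32-bit code with a 66h operand-size prefix, hence optional.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "BoundsChecker 'BCHK' int 3 check (method 01)":
        rb"(?:\x66)?\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # Method 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int 2Fh/1684h VxD entry point query, SICE or SIWVID (method 03/04)":
        rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05/06: mov ax,4Fh / int 41h
    "int 41h/4Fh debugger installation check (method 05)":
        rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "int 68h/43h WinICE handler check (method 07)":
        rb"\xb4\x43\xcd\x68",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "VxDCall VWIN32_Int41Dispatch with function 4Fh (method 12)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 11: device names handed to CreateFileA or _lopen
    "SoftICE driver name, MeltICE style (method 11)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(blob):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so the gap in the 'BCHK' pattern may contain 0Ah bytes too
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not taken from a real binary): filler around a method 01
# sequence, a 32-bit method 05 sequence and two method 11 device names.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 3
    + b"\x66\xb8\x4f\x00\xcd\x41\x66\x3d\x86\xf3"                  # mov ax,4Fh / int 41h / cmp ax,0F386h (32-bit code)
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print("0x%04x: %s" % (offset, what))
```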
</PRE></TD></TR></TBODY></TABLE>