<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov  ebp, 04243484Bh    ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al, 4
        jnz  SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:

        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

        -SI = 4647h
        -DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the utility the HASP
dongle Envelope uses to protect DOS applications:

4C19:0095  MOV   AX,0911      ; execute command.
4C19:0098  MOV   DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV   SI,4647      ; 1st magic value.
4C19:009D  MOV   DI,4A4D      ; 2nd magic value.
4C19:00A0  INT   3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD   BX,02        ; BX+2 to point to next command to execute
4C19:00A4  INC   CX
4C19:00A5  CMP   CX,06        ; Repeat 6 times to execute
4C19:00A8  JB    0095         ; 6 different commands.
4C19:00AA  JMP   0002         ; Bad_Guy jmp back.
4C19:00AD  MOV   BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of winice
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7a5Fh          ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov  ax, 4fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector (ES = 0)
        xchg bx, es:[41h*4+2]
        mov  ax, 4fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0f386h
        jz   SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov  cl, al
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; a "random" value from the timer
        xor  cx, cx
        int  41h                ; our handler copies al into cl...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al             ; ...unless a debugger has taken int 41h
        jnz  SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov  ah, 25h
        mov  al, Int_Number     ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov  edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SoftICE VxD through its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push  00402025       ; \\.\SICE
        0040106C:  call  CreateFileA
        00401071:  cmp   eax,-001
        00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; _lopen returns -1 on failure
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
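As an added example (not part of the original document), here is a small static
scanner that looks for the byte encodings and strings that Methods 01, 02, 03/04,
05, 07, 11 and 12 rely on, so an analyst can spot these anti-SoftICE checks in a
sample before tracing it. It assumes 16-bit encodings for Methods 02, 03/04 and
05 and 32-bit encodings for Methods 01 and 12; the sample buffer is constructed.

```python
# Added example (not from the original document): static scanner for the
# anti-SoftICE byte patterns described in Methods 01, 02, 03/04, 05, 07, 11
# and 12. Assumes 16-bit encodings for Methods 02, 03/04 and 05 and 32-bit
# encodings for Methods 01 and 12; the sample buffer below is constructed.
import re
import sys

# (method label, regex over raw bytes, what the pattern corresponds to)
SIGNATURES = [
    ("Method 01", rb"\xBD\x4B\x48\x43\x42",
     "mov ebp,4243484Bh ('BCHK') BoundsChecker signature before INT 3"),
    ("Method 02", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
     "mov si,4647h / mov di,4A4Dh back-door magic values"),
    ("Method 03", rb"\xBB\x02\x02.{0,8}?\xCD\x2F",
     "mov bx,0202h ... int 2Fh (SICE VxD ID lookup)"),
    ("Method 04", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",
     "mov bx,7A5Fh ... int 2Fh (SIWVID VxD ID lookup)"),
    ("Method 05", rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3",
     "mov ax,4Fh / int 41h ... cmp ax,0F386h"),
    ("Method 07", rb"\xB4\x43\xCD\x68",
     "mov ah,43h / int 68h (V86 WinICE handler probe)"),
    ("Method 11", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
     "driver name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE (MeltICE)"),
    ("Method 12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL), desc)
            for label, pat, desc in SIGNATURES]

def scan(buf):
    """Return a sorted list of (offset, method label, description) hits."""
    hits = []
    for label, rx, desc in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), label, desc))
    return sorted(hits)

# Constructed sample: NOP padding, a Method 01 stub, a Method 12 VxDCall stub,
# the MeltICE driver name and a 16-bit Method 05 probe.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # push 4Fh; push 002A002Ah
    + b"\x00\\\\.\\SICE\x00"                         # '\\.\SICE',0
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"    # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label, desc in scan(data):
        print("%08X  %s  %s" % (off, label, desc))
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample.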

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>