<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4              ; SoftICE answers the BoundsChecker query by changing al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di,di
    mov es,di             ; ES:DI preset to 0000:0000
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; still 0000:0000 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h vector (es=0, the IVT)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al             ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; es=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read a (varying) value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl==al only if our handler ran; if SoftICE
    jnz SoftICE_detected  ; intercepts int 41h, cl stays 0

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int 21h

___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) + 1 == 0 -> open failed
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected



___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

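As an added example (not part of the original text), here is a small Python
scanner that looks in a raw binary for the byte-level fingerprints of methods
01, 02, 03/04, 05/07, 11 and 13 above: the 'BCHK' signature, the 4647h/4A4Dh
back-door magic, the int 2Fh/1684h VxD ID queries, the int 41h/int 68h 0F386h
check, the \\.\SICE-style device names and the NuMega\SoftICE registry key.
The sample buffers are constructed from the standard x86 encodings of the
listed instructions, not taken from any real program.

```python
import re

# Each entry is (name, regex over raw bytes). The `.{0,N}?` gaps allow a few
# unrelated instructions between the parts of one idiom. mov si/di/bp,imm use
# the same opcode bytes in 16- and 32-bit code (a 66h prefix only changes the
# operand size), so the patterns work on both DOS and Win32 code.
PATTERNS = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("bchk_signature",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,12}?\xcc", re.DOTALL)),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) in either
    # order, followed by int 3
    ("backdoor_magic",
     re.compile(rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46)"
                rb".{0,16}?\xcc", re.DOTALL)),
    # Methods 03/04: mov ax,1684h (B8 84 16) ... mov bx,0202h|7A5Fh ... int 2Fh
    ("vxd_entry_point",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                re.DOTALL)),
    # Methods 05/07: int 41h or int 68h (CD 41 / CD 68) ... cmp ax,0F386h (3D 86 F3)
    ("debugger_magic_f386",
     re.compile(rb"\xcd[\x41\x68].{0,12}?\x3d\x86\xf3", re.DOTALL)),
    # Method 11: device names opened by MeltICE-style checks
    ("softice_device_name",
     re.compile(b"|".join(re.escape(b"\\\\.\\" + n)
                          for n in (b"SICE", b"SIWVID", b"NTICE")))),
    # Method 13: registry key probed by installation checks
    ("softice_registry_key",
     re.compile(re.escape(b"NuMega\\SoftICE"), re.IGNORECASE)),
]


def scan(data: bytes) -> list:
    """Return (pattern name, offset) for every idiom found in data, sorted by offset."""
    hits = []
    for name, rx in PATTERNS:
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real binary): the 16-bit Method 02 sequence from the
# Haspinst listing, a 32-bit Method 01 stub, a Method 05 check and a MeltICE
# device name, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4a4dh; int 3
    + b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                   # mov ax,4fh; int 41h; cmp ax,0f386h
    + b"\x00\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit only says the idiom's bytes are present; confirm in a disassembler that the match sits in executed code before treating it as an anti-debug check.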
___________________________________________________________________________



Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>