<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4              ; al is left at 4 when nothing handled the call
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands - the command string is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point").

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h         ; VxD ID of winice
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di            ; ES:DI stays 0 when the VxD is not loaded
  test ax,ax
  jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh         ; VxD ID of SIWVID
  int 2fh
  mov ax, es            ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]      ; es must address segment 0 (the IVT), as in Method 06
  xchg bx, es:[41h*4+2]    ; install our own handler, keep the old vector in bx:dx
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]      ; restore the old vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h           ; our handler leaves ax untouched, so 0F386h means
  jz SoftICE_detected      ; something else intercepted int 41h

int41handler2 PROC
  iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:


int41handler PROC
  mov cl,al              ; our handler copies al into cl
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax              ; es = segment 0 (interrupt vector table)
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]    ; install our handler, save the old vector in bx:dx
  xchg bx, es:[41h*4+2]
  in al, 40h             ; read the timer counter: an unpredictable value in al
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]    ; restore the old vector
  xchg bx, es:[41h*4+2]
  cmp cl,al              ; if our handler ran, cl==al; if the int never
  jnz SoftICE_detected   ; reached it, cl stays 0


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
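Added example (not part of the original text): a small static scanner that
looks for the byte sequences of Methods 01 to 07 in a raw code image, the kind
of check an analyst runs over a packer stub before loading it into a debugger.
The opcode encodings and the constructed sample image are my own assumptions;
the constants (4243484Bh, 4647h/4A4Dh, 1684h with 0202h/7A5Fh, 4Fh/0F386h,
43h/68h) come from the methods above.

```python
import re

# Hand-assembled encodings (assumptions) of the checks in Methods 01 to 07.
# DOS 16-bit opcodes; the optional 0x66 prefix also accepts the 32-bit forms
# of "mov ebp,imm32" / "mov ax,imm16" / "cmp ax,imm16". The ".{0,N}?"
# wildcards absorb unrelated instructions that sit between the trigger and
# the compare in some variants (e.g. Stone's int 41h handler swap).
SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC",
    "03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "05 int 41h/4Fh followed by cmp ax,0F386h":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,24}?(?:\x66)?\x3D\x86\xF3",
    "06 in al,40h / xor cx,cx / int 41h":
        rb"\xE4\x40(?:\x31|\x33)\xC9\xCD\x41",
    "07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return (offset, signature name) pairs, sorted by offset, for every
    hit in blob. finditer does not revisit consumed bytes, so one copy of a
    sequence is reported once."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: a few filler instructions around hand-assembled
# copies of the Method 01, 02 and 05 sequences (not bytes from a real file).
SAMPLE = (
    b"\x55\x8B\xEC\x90\x90"                                # push bp / mov bp,sp / nop
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # Method 01 (+ cmp al,4)
    + b"\x75\x10\x90"                                      # jnz / nop
    + b"\xB8\x11\x09\x8B\x17"                              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                      # Method 02 magic values + int 3
    + b"\x83\xC3\x02"                                      # add bx,2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"          # Method 05 (+ jz)
    + b"\xC3"                                              # ret
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The patterns only catch literal copies of the listings; a rewritten variant
(another register, instructions in a different order) needs a rule written
against a disassembler's output rather than a byte regex.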
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

  mov ah, 25h                      ; DOS: set interrupt vector
  mov al, Int_Number               ; 01h or 03h
  mov dx, offset New_Int_Routine   ; ds:dx -> new handler
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name; the open only succeeds
       when the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067: push 00402025       ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                ; OF_READ
  mov eax,[00656634]     ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax                ; HFILE_ERROR (-1) becomes 0
  jnz 00650589           ; detected
  push 00                ; OF_READ
  mov eax,[00656638]     ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxdCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
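Added example for Methods 11 and 13 (not code from the original article): a
Python model of the stack and memory as the breakpoints
BPX CreateFileA if *(esp->4+4)=='SICE' ... and
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' see them.
It makes the +4, +0x13 and +0x37 offsets visible: 4 is the length of the
"\\.\" prefix, and 0x13 / 0x37 are the positions of "tICE" inside keys #2 and
#1. The stack pointer, string addresses and frame layout are constructed
assumptions; the four-character literal is modelled as a byte-for-byte match
against memory, which is how the article's expressions are written to behave.

```python
import struct


class Memory:
    """Sparse flat 32-bit memory; unmapped bytes read as zero (an assumption
    of the model, not of a real process)."""
    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, n):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def place_string(mem, addr, s):
    """Store an ASCII NUL-terminated string and return its address."""
    mem.write(addr, s.encode("ascii") + b"\x00")
    return addr


def fake_call(mem, esp, ret_addr, args):
    """Lay out the frame a stdcall callee sees on entry:
    [esp] = return address, [esp+4] = first argument, [esp+8] = second, ..."""
    mem.write(esp, struct.pack("<I", ret_addr))
    for i, a in enumerate(args):
        mem.write(esp + 4 + 4 * i, struct.pack("<I", a))


def softice_cond(mem, esp, slot, extra, literal):
    """Evaluate  *(esp->SLOT+EXTRA)=='LITERAL'  as the page's breakpoints use
    it: esp->N is the dword at esp+N (an argument pointer), +EXTRA moves along
    the pointed-to string, and the outer * reads four bytes there."""
    ptr = mem.dword(esp + slot)
    return mem.read(ptr + extra, 4) == literal


ESP = 0x0012FF00            # assumed stack pointer at the breakpoint

DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]      # Method 11
REG_SUBKEYS = [                                                      # Method 13
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]


def createfile_bp_fires(file_name):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'"""
    mem = Memory()
    p = place_string(mem, 0x00402025, file_name)    # address from the MeltICE listing
    # CreateFileA(lpFileName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|WRITE,
    #             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
    fake_call(mem, ESP, 0x00401071, [p, 0xC0000000, 3, 0, 3, 0x80, 0])
    return any(softice_cond(mem, ESP, 4, 4, lit) for lit in (b"SICE", b"SIWV", b"NTIC"))


def regopenkey_bp_fires(subkey):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    mem = Memory()
    p = place_string(mem, 0x00402100, subkey)       # assumed string address
    # RegOpenKeyA(HKEY_LOCAL_MACHINE, lpSubKey, phkResult)
    fake_call(mem, ESP, 0x00401000, [0x80000002, p, 0x0012FF80])
    return (softice_cond(mem, ESP, 8, 0x13, b"tICE")
            or softice_cond(mem, ESP, 8, 0x37, b"tICE"))


def tice_offsets():
    """Offset of 'tICE' in each subkey (-1 if absent): where 0x13 and 0x37 come from."""
    return [s.find("tICE") for s in REG_SUBKEYS]


if __name__ == "__main__":
    for n in DEVICE_NAMES + ["C:\\autoexec.bat"]:
        print(f"CreateFileA({n!r:24}) -> {createfile_bp_fires(n)}")
    for k, off in zip(REG_SUBKEYS, tice_offsets()):
        print(f"{off:#06x}  {regopenkey_bp_fires(k)}  {k}")
```

Running it shows that key #3 (App Paths\Loader32.Exe) is caught by neither
offset, so a program that reads only that key slips past this breakpoint; a
third clause with the right offset for that string would close the gap.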

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed       ; ZF set means no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>