<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the BoundsChecker
int 3 interface is requested with 'BCHK' in EBP and function 4 in AX, and
the check below simply tests whether AL is still 4 afterwards.

    mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h             ; BoundsChecker function 4
    int 3                   ; handled by SoftICE if it is loaded
    cmp al,4                ; AL unchanged => nobody answered the request
    jnz SoftICE_Detected    ; AL changed => SoftICE is present

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"): if the VxD is not loaded ES:DI comes back
as 0:0, otherwise it holds the entry point.


    xor di,di
    mov es,di               ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; int 2Fh function 1684h: get VxD entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; still 0:0 => VxD not present
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; "debugger installation check"
    int 41h
    cmp ax, 0F386h          ; system debuggers answer with 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced with a dummy handler (a plain iret), so on a clean machine ax comes
back unchanged and only a debugger that catches the interrupt before the
real-mode vector is reached can still answer with 0F386h (ES is assumed to
be 0, the IVT segment, as in method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old offset in dx
    xchg bx, es:[41h*4+2]   ; install our segment, keep the old segment in bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: ax stays 4fh unless a debugger answered
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al (the timer byte) into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 = interrupt vector table segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a byte from PIT counter 0 (unpredictable value)
    xor cx,cx               ; cl = 0
    int 41h                 ; should reach our handler and set cl = al
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al => our handler never ran: int 41h is hooked
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h              ; int 68h function 43h: installation check
    int 68h
    cmp ax,0F386h           ; same magic number as int 41h/4Fh
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> replacement handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

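As an added illustration (not code from the original text), here is a small Python decoder for the DR7 values quoted above: it splits the register into its enable, LE/GE and per-slot R/W and LEN fields so that 0x700, 0x400 and an armed BPM can be told apart. The field layout follows the x86 architecture manuals, the reading of 0x700/0x400 follows this page, and the sample values are constructed.

```python
# Added example: decode a DR7 value into the fields the text above talks
# about. Field layout as documented in the x86 architecture manuals:
#   bits 0-7  : L0,G0 .. L3,G3 (local/global enable for slots DR0..DR3)
#   bit 8     : LE,  bit 9 : GE  (exact local/global breakpoint matching)
#   bit 10    : reserved, always reads as 1 (hence the "0x400" baseline)
#   bits 16-31: R/W and LEN, 2 bits each, per slot
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE flags and a list of the armed breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 0b11
            ln = (dr7 >> (18 + 4 * i)) & 0b11
            slots.append({"slot": i, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400), "breakpoints": slots}


def describe_dr7(dr7: int) -> str:
    """Interpretation following the page: 0x700 (LE and GE set) means the
    program was started through the SoftICE loader, 0x400 is the idle
    baseline, and any enabled slot means a hardware (BPM-style) breakpoint."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoint(s) armed: " + ", ".join(
            f"DR{s['slot']} {s['kind']} len={s['length']}" for s in d["breakpoints"])
    if d["le"] and d["ge"]:
        return "LE/GE set (0x700 pattern): started under SoftICE loader"
    return "baseline (0x400 pattern): no debug-register activity"


if __name__ == "__main__":
    # Constructed sample values: the two quoted above plus a DR0 write
    # watchpoint of 4 bytes (L0 set, R/W0 = 01, LEN0 = 11).
    for v in (0x700, 0x400, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(f"DR7={v:#010x}: {describe_dr7(v)}")
```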
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The device name "\\.\SICE" can only be opened when the SoftICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025           ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001            ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

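As an added example (not from the original text), here is a small Python scanner an analyst can run over a DOS/Win9x binary to flag the byte patterns that the tricks above leave behind: the 'BCHK' marker of method 01, the 4647h/4A4Dh magic values of method 02, the 0F386h comparison of methods 05 and 12, and the \\.\SICE / \\.\SIWVID / \\.\NTICE device names of method 11. The opcode encodings are mine (the 16-bit mov si/di forms also match the 32-bit form after its 66h prefix), the constants are the page's, and the input buffer is constructed.

```python
import re

# Added example: static scan for the anti-SoftICE tricks described above.
# The byte encodings are standard x86; the constants come from the text.
SIGNATURES = {
    "method 01 BCHK int3 backdoor":  rb"\xBD\x4B\x48\x43\x42",   # mov ebp, 'BCHK'
    "method 02 magic SI=4647h":      rb"\xBE\x47\x46",           # mov si, 4647h
    "method 02 magic DI=4A4Dh":      rb"\xBF\x4D\x4A",           # mov di, 4A4Dh
    "method 05/12 cmp ax,0F386h":    rb"\x3D\x86\xF3",           # cmp ax, 0F386h
    "method 11 MeltICE device name": rb"\\\\\.\\(SICE|SIWVID|NTICE)\b",
}


def scan(blob: bytes) -> list:
    """Return sorted (offset, description) pairs for every signature hit.
    Short opcode patterns can also occur in data, so confirm hits in a
    disassembler before drawing conclusions."""
    hits = []
    for desc, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob):
            hits.append((m.start(), desc))
    return sorted(hits)


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test buffer: method 01's sequence, then a MeltICE device name,
# padded with NOPs. Offsets: BCHK sequence at 8, the device name at 26.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 04243484Bh
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x75\x02"                  # jnz +2
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE", NUL-terminated
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:#06x}: {desc}")
```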
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set => no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>