About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (the IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
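
The two dr7 values quoted for Method 10 are worth reading bit by bit: 0x700 and 0x400 differ only in bits 8 and 9, the LE and GE "exact breakpoint" enables, while bit 10 (the 0x400 part) is reserved and reads as 1 on every IA-32 processor, so it says nothing about a debugger on its own. The decoder below is an added example, not code from the original post; it assumes the DR7 layout documented in Intel's SDM and goes a little beyond the page by also listing the armed DR0-DR3 breakpoints (the BPMs the text mentions) with their type and length. The sample values are constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"); assumed here, not given by the page:
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit  8     LE   local exact breakpoint enable
#   bit  9     GE   global exact breakpoint enable
#   bit  10    reserved, always reads as 1 (this is the 0x400 in the "clean" value)
#   bit  13    GD   general detect (traps any access to the debug registers)
#   bits 16+   R/W0,LEN0 ... R/W3,LEN3, 4 bits per breakpoint
DR7_NORMAL = 0x400           # value the page gives for a program started normally
DR7_SOFTICE_LOADER = 0x700   # value the page gives when the SoftICE loader started it

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes in long mode only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control bits and the list of armed breakpoints."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                       # DRn may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "local": local, "global": glob,
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "breakpoints": bps}


def debugger_indicators(dr7: int) -> list:
    """Reasons a Method 10 style check would flag this DR7 value (empty = clean)."""
    info = decode_dr7(dr7)
    reasons = []
    if info["le"] or info["ge"]:
        reasons.append("LE/GE set (dr7 & 0x300): SoftICE loader signature")
    if info["breakpoints"]:
        reasons.append("%d hardware breakpoint(s) armed (BPM)" % len(info["breakpoints"]))
    if info["gd"]:
        reasons.append("GD set: debug register access is being trapped")
    return reasons


if __name__ == "__main__":
    # Constructed values: the two from the page, a local 4-byte write BPM on DR0,
    # and the loader value plus a global 2-byte read/write BPM on DR3.
    for value in (DR7_NORMAL, DR7_SOFTICE_LOADER, 0x000D0401, 0x70000780):
        print("dr7=0x%08x -> %s" % (value, debugger_indicators(value) or ["clean"]))
```

Reading the value is the easy part; the page's warning about not tracing with the option enabled follows directly from the decoder: any BPM you set while stepping lands in L0-L3 and the protected program sees it.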

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
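
Methods 01 to 07 and 12 all leave fixed constants in the code ('BCHK', the 4647h/4A4Dh magic values, 1684h with 0202h or 7A5Fh, 4Fh with 0F386h, 002A002Ah), and Methods 11 and 13 leave device names and registry paths, so an analyst triaging a packed sample can look for these tricks statically before spending time under the debugger. The scanner below is an added example, not part of the original post or of any tool it mentions; it assumes the standard x86 opcode encodings for the listings above, allows a few bytes of interleaved code between the instructions, and runs on a constructed byte buffer, not a real program. Method 06 has no fixed constant (it compares a timer byte), and Methods 08, 09 and 14 are left out because their service calls carry no constant the page spells out in bytes.

```python
import re

# Byte signatures for the tricks on this page, using the standard 16/32-bit x86
# encodings (B8 = mov ax,imm16; BB/BE/BF = mov bx/si/di,imm16; B4 = mov ah,imm8;
# BD = mov ebp,imm32; CD nn = int nn; CC = int 3; 3D = cmp ax,imm16; 6A/68 = push).
# The lazy ".{0,N}?" gaps leave room for unrelated instructions a protector may interleave.
SIGNATURES = {
    "m01_bchk_int3":      re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL),
    "m02_backdoor_magic": re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL),
    "m03_int2f_sice":     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", re.DOTALL),
    "m04_int2f_siwvid":   re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", re.DOTALL),
    "m05_int41_4f":       re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL),
    "m07_int68_43":       re.compile(rb"\xb4\x43.{0,8}?\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL),
    "m12_vxdcall_4f":     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00", re.DOTALL),
}

# Device names opened by MeltICE (Method 11) and registry paths read by Method 13.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE", b"\\Uninstall\\SoftICE",
                 b"\\App Paths\\Loader32.Exe"]


def scan(blob: bytes) -> list:
    """Return sorted (offset, name) pairs for every signature found in blob."""
    hits = []
    for name, rx in SIGNATURES.items():
        hits += [(m.start(), name) for m in rx.finditer(blob)]
    for s in DEVICE_NAMES + REGISTRY_KEYS:
        text = s.decode("ascii")
        # Win32 code may carry the name as ANSI (CreateFileA, _lopen) or as UTF-16LE.
        for enc, kind in ((s, "ascii"), (text.encode("utf-16-le"), "utf16")):
            for m in re.finditer(re.escape(enc), blob, re.IGNORECASE):
                hits.append((m.start(), "string:%s:%s" % (text, kind)))
    return sorted(hits)


# Constructed sample (not a real program): NOP filler around the Method 01 check,
# the Method 02 back-door call from the Haspinst.exe listing, the Method 05
# int 41h check, the Method 12 VxDCall sequence and the MeltICE/registry strings.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("bd4b484342 66b80400 cc 3c04 7512")      # mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x90" * 4
    + bytes.fromhex("b81109 8b17 be4746 bf4d4a cc 83c302")   # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + bytes.fromhex("b84f00 cd41 3d86f3 7405")               # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + bytes.fromhex("6a4f 682a002a00 e800000000")            # push 4Fh / push 2A002Ah / call
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le")
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("0x%04x  %s" % (off, name))
```

On a real file call `scan(open(path, "rb").read())`. A hit is a lead, not proof: `mov ax,4Fh` followed by `int 41h` also appears in innocent DOS code, and a protector can split the constants across instructions to defeat the gaps, which is exactly why the SoftICE breakpoints listed above remain the reliable way to confirm a trick at run time.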

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>