About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet. It relies on
the BoundsChecker interface built into SoftICE: when SoftICE is loaded it
answers the int 3 below and AL comes back changed; when it is not loaded,
AL is still 4. (In a Win32 program the int 3 has to sit inside an
exception handler, otherwise the breakpoint exception terminates the
process when no debugger is present.)

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is
used to reach SoftICE's 'back door commands', which return information on
breakpoints or execute SoftICE commands... It is also used to crash
SoftICE and to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). With the VxD loaded, ES:DI receives the
entry point; otherwise ES:DI is left untouched, which is why the code
zeroes ES and DI beforehand and then tests whether they changed.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The vector swap installs a do-nothing
int 41h handler in the interrupt vector table for the duration of the
call, so the answer cannot come from a handler installed there; a debugger
that traps the interrupt below the vector table still returns 0F386h:

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in the dummy handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect: no
function number 4Fh and no compare with 0F386h appear anywhere. The dummy
handler copies AL into CL; AL is loaded with a changing byte read from the
timer (port 40h) and CX is cleared before the int 41h. If the interrupt
reached the dummy handler, CL equals AL afterwards; if SoftICE intercepted
it, the dummy handler never ran, CL is still 0 and the compare fails (the
check gives a false negative whenever the timer byte happens to be 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in the dummy handler...
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (in ring 0 only: reading a debug register is a
privileged instruction and faults in ring 3). The values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the VxD's device name only succeeds when SICE is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how on earth could a shareware program
try to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job. _lopen returns HFILE_ERROR (-1) when the open
fails, so the inc eax leaves zero exactly when the driver is not there:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the two offsets are where 'tICE' falls in
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
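The scanner below is an added example; it is not code from the original article nor from any of the packers, protectors or tools named in it. It searches a buffer for the instruction sequences and strings that the methods above leave behind in a binary, which is the static counterpart of the BPX conditions given for each method. The byte patterns are the standard x86 encodings of the instructions shown in each method; the signature names, the function names and the two sample buffers are constructed for this example.

```c
/*
 * anti_sice_scan.c -- added example, not part of the original article.
 * Scans a buffer (an unpacked image, a section, a memory dump) for the
 * instruction sequences and strings left behind by the anti-SoftICE
 * methods above. Patterns are the standard x86 encodings of the
 * instructions each method shows; the sample buffers are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sice_sig {
    const char          *name;
    const unsigned char *bytes;
    size_t               len;
};

/* sizeof(literal)-1 drops the terminating NUL, so embedded \x00 bytes count. */
#define SICE_SIG(name, lit) { name, (const unsigned char *)lit, sizeof(lit) - 1 }

static const struct sice_sig signatures[] = {
    /* mov ebp,'BCHK' / mov ax,4 / int 3                         (Method 01) */
    SICE_SIG("Method 01: BoundsChecker int 3 (BCHK)",
             "\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"),
    /* mov si,4647h / mov di,4A4Dh, 16-bit and 32-bit encodings  (Method 02) */
    SICE_SIG("Method 02: int 3 back door magic SI=4647h DI=4A4Dh (16-bit)",
             "\xBE\x47\x46\xBF\x4D\x4A"),
    SICE_SIG("Method 02: int 3 back door magic SI=4647h DI=4A4Dh (32-bit)",
             "\x66\xBE\x47\x46\x66\xBF\x4D\x4A"),
    /* mov ax,1684h / mov bx,0202h / int 2Fh                     (Method 03) */
    SICE_SIG("Method 03: int 2Fh/1684h VxD ID 0202h (SICE)",
             "\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    /* mov ax,1684h / mov bx,7A5Fh / int 2Fh                     (Method 04) */
    SICE_SIG("Method 04: int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
             "\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    /* mov ax,4Fh / int 41h                                      (Method 05) */
    SICE_SIG("Method 05: int 41h function 4Fh",
             "\xB8\x4F\x00\xCD\x41"),
    /* cmp ax,0F386h, shared by Methods 05, 07 and 12 (short, so noisy) */
    SICE_SIG("Methods 05/07/12: cmp ax,0F386h debugger magic",
             "\x3D\x86\xF3"),
    /* mov ah,43h / int 68h                                      (Method 07) */
    SICE_SIG("Method 07: int 68h function 43h",
             "\xB4\x43\xCD\x68"),
    /* push 4Fh / push 2A002Ah before the Kernel32!ORD_0001 call (Method 12) */
    SICE_SIG("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",
             "\x6A\x4F\x68\x2A\x00\x2A\x00"),
    /* device names opened by MeltICE-style checks               (Method 11) */
    SICE_SIG("Method 11: device name \\\\.\\SICE",   "\\\\.\\SICE"),
    SICE_SIG("Method 11: device name \\\\.\\SIWVID", "\\\\.\\SIWVID"),
    SICE_SIG("Method 11: device name \\\\.\\NTICE",  "\\\\.\\NTICE"),
    /* registry path looked up to find an installation           (Method 13) */
    SICE_SIG("Method 13: registry key Software\\NuMega\\SoftICE",
             "Software\\NuMega\\SoftICE"),
};

/* Plain byte search; memmem() is not portable, so it is spelled out. */
static int contains(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || plen > len)
        return 0;
    for (i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Scan buf, store the name of each matching signature in hits[] (at most
 * max_hits of them) and return the number of distinct signatures found. */
int scan_for_sice_tricks(const unsigned char *buf, size_t len,
                         const char *hits[], int max_hits)
{
    int found = 0;
    size_t i;
    for (i = 0; i < sizeof signatures / sizeof signatures[0]; i++) {
        if (contains(buf, len, signatures[i].bytes, signatures[i].len)) {
            if (found < max_hits)
                hits[found] = signatures[i].name;
            found++;
        }
    }
    return found;
}

/* Constructed sample: a fragment doing Method 01, then Method 03, and
 * carrying the MeltICE device name of Method 11. */
static const unsigned char sample_protected[] = {
    0x55, 0x8B, 0xEC,                                   /* push ebp; mov ebp,esp */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                       /* mov ebp,'BCHK' */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10, /* mov ax,4; int 3; cmp al,4; jnz */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,     /* mov ax,1684h; mov bx,202h; int 2Fh */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,    /* "\\.\SICE" */
    0xC3                                                /* ret */
};

/* Constructed sample: ordinary code with none of the patterns. */
static const unsigned char sample_clean[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3  /* push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret */
};

int main(void)
{
    const char *hits[16];
    int n, i;

    n = scan_for_sice_tricks(sample_protected, sizeof sample_protected, hits, 16);
    printf("protected sample: %d signature(s)\n", n);
    for (i = 0; i < n && i < 16; i++)
        printf("  %s\n", hits[i]);

    n = scan_for_sice_tricks(sample_clean, sizeof sample_clean, hits, 16);
    printf("clean sample: %d signature(s)\n", n);
    return 0;
}
```

Run it over an unpacked image or a memory dump rather than the packed file, since the packers mentioned in Method 01 keep these sequences in the stub or decrypt them at run time. A hit is a lead, not proof: the three-byte 0F386h compare in particular can occur in unrelated code, which is why the longer sequences and the device-name strings are the ones worth acting on.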