<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 to address the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the previous one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if nobody else handles int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; our handler copied al into cl; a debugger did not
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
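
The two DR7 values quoted above become clearer once the register is split
into its architectural fields: bit 10 of DR7 is reserved and always reads
as 1, which is why an idle DR7 is 0x400, and 0x700 additionally has the LE
and GE "exact breakpoint" enables (bits 8 and 9) set. The following Python
is an added example, not code from the original text or from SoftICE: it
decodes a DR7 value that was read elsewhere (reading the register itself
needs ring 0) and lists any armed DR0..DR3 breakpoint with its type and
length. The 0xD0401 value in the demo is constructed.

```python
# Added example (not from the original text): decode an x86 DR7 value into
# its architectural fields. Bit 10 is reserved and reads as 1, so an
# untouched DR7 is 0x400; 0x700 also has LE (bit 8) and GE (bit 9) set.
# Which loader sets LE/GE is the text's observation, not checked here.

DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_RESERVED = 1 << 10     # reserved, always reads as 1
DR7_GD = 1 << 13           # general detect: fault on any access to DR0-DR7

RW_TYPES = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes (64-bit mode only)

def decode_dr7(dr7):
    """Return DR7 as a dict: global flags plus one entry per DR0..DR3."""
    bps = []
    for n in range(4):
        local_en = bool((dr7 >> (2 * n)) & 1)        # L0..L3 at bits 0,2,4,6
        global_en = bool((dr7 >> (2 * n + 1)) & 1)   # G0..G3 at bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * n)) & 0b11            # R/Wn at bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * n)) & 0b11            # LENn at bits 18-19, 22-23, ...
        bps.append({
            "reg": f"DR{n}",
            "enabled": local_en or global_en,
            "scope": "global" if global_en else ("local" if local_en else "off"),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED),
        "armed": [b["reg"] for b in bps if b["enabled"]],
        "breakpoints": bps,
    }

def describe_dr7(dr7):
    """One-line human summary of a DR7 value, e.g. for a triage log."""
    d = decode_dr7(dr7)
    bpm = [f'{b["reg"]}: {b["type"]} len {b["length"]} ({b["scope"]})'
           for b in d["breakpoints"] if b["enabled"]]
    flags = [name for name, on in (("LE", d["le"]), ("GE", d["ge"]), ("GD", d["gd"])) if on]
    return f"DR7=0x{dr7:x} flags={flags or '-'} bpm={bpm or 'none'}"

if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 armed locally as a 4-byte write BPM
    for value in (0x400, 0x700, 0xD0401):
        print(describe_dr7(value))
```

decode_dr7(0x400) reports no armed breakpoint and only the reserved bit set;
decode_dr7(0x700) adds LE and GE, which is the difference the text points at.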

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
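
The breakpoints given for each method only work once the program is already
running under SoftICE. The following Python is an added example, not code from
the original text or from any of the tools it names: a static triage scanner
that looks, in a file image, for the standard x86 encodings of the instruction
sequences quoted in methods 01, 02, 03/04, 05, 07 and 12, the device names of
method 11 and the registry key of method 13, so an analyst knows which checks
to expect before tracing. The signature names, gap sizes and the sample buffer
are this example's own constructions; the opcode bytes and the SoftICE
constants are the documented ones.

```python
# Added example, not part of the original text: static triage scanner for the
# SoftICE checks documented in methods 01, 02, 03/04, 05, 07, 11, 12 and 13.
# It matches the standard x86 encodings of the quoted instructions (a 0x66
# operand-size prefix may precede them without breaking the match) plus the
# device and registry strings. The sample buffer at the bottom is constructed
# for this example and is not taken from any real binary.
import re

BYTE_SIGS = [
    # mov ebp,'BCHK' ... int 3                           (method 01)
    ("M01 BCHK/int 3",            rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # mov si,4647h / mov di,4A4Dh in either order        (method 02)
    ("M02 back-door magic",       rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46"),
    # mov ax,1684h ... int 2Fh                           (methods 03/04)
    ("M03/04 int 2Fh/1684h",      rb"\xB8\x84\x16.{0,6}?\xCD\x2F"),
    # mov ax,4Fh ... int 41h                             (method 05)
    ("M05 int 41h/4Fh",           rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # mov ah,43h ... int 68h                             (method 07)
    ("M07 int 68h/43h",           rb"\xB4\x43.{0,4}?\xCD\x68"),
    # push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)   (method 12)
    ("M12 VxDCall Int41Dispatch", rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
STRING_SIGS = [
    ("M11 device name",  rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),   # \\.\SICE etc.
    ("M13 registry key", rb"NuMega\\SoftICE"),                 # HKLM\Software\NuMega\SoftICE
]
_COMPILED = ([(n, re.compile(p, re.DOTALL)) for n, p in BYTE_SIGS] +
             [(n, re.compile(p, re.IGNORECASE)) for n, p in STRING_SIGS])

VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}   # the VxD IDs quoted in methods 03/04

def vxd_name(seq):
    """For an int 2Fh/1684h hit, decode the 'mov bx, imm16' VxD ID if present."""
    i = seq.find(b"\xBB")                          # opcode of mov bx, imm16
    if i < 0 or i + 3 > len(seq):
        return "unknown"
    return VXD_IDS.get(int.from_bytes(seq[i + 1:i + 3], "little"), "unknown")

def scan(buf):
    """Return every signature hit as a dict, ordered by file offset."""
    hits = []
    for name, pat in _COMPILED:
        for m in pat.finditer(buf):
            hit = {"sig": name, "offset": m.start(), "bytes": m.group(0).hex()}
            if name.startswith("M03/04"):
                hit["vxd"] = vxd_name(m.group(0))
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])

def methods_found(buf):
    """Set of method labels (the 'Mxx' prefix of each signature) present in buf."""
    return {h["sig"].split()[0] for h in scan(buf)}

def sample_buffer():
    """Constructed input: three of the documented sequences plus two device
    names, separated by NOP filler. Not taken from any real program."""
    nop = b"\x90" * 16
    m01 = b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04" b"\x75\x10"
    m03 = b"\x33\xFF\x8E\xC7" b"\xB8\x84\x16" b"\xBB\x02\x02" b"\xCD\x2F"
    m12 = b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00"
    names = b"\\\\.\\SICE\x00" b"\\\\.\\NTICE\x00"
    return nop + m01 + nop + m03 + nop + m12 + nop + names + nop

if __name__ == "__main__":
    for h in scan(sample_buffer()):
        print(h)
```

The short opcode patterns (method 07 is four bytes) will produce false
positives on large inputs; treat a hit as something to inspect at that
offset, not as proof, and widen the context before reporting it.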
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>