<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE's BoundsChecker interface answers AL != 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own dummy int 41h handler
    xchg bx, es:[41h*4+2]   ; (a debugger hooking int 41h still answers first)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in AL
    xor cx, cx              ; CL = 0
    int 41h                 ; if SoftICE has hooked int 41h, our handler never runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if our own handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
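The DR7 reading behind this method, as an added example that is not part of the original text: a decoder of the DR7 enable/RW/LEN fields (bit layout per the Intel SDM) so that an analyst can see what the values quoted above (0x400 baseline, 0x700 with LE/GE set, a BPM in DR0-DR3) actually encode. The helper names and the sample DR7 values are constructed for illustration.

```python
# DR7 bit layout (Intel SDM vol. 3): bits 0-7 are L0,G0,...,L3,G3 and enable
# DR0-DR3 locally or globally; bit 8 LE and bit 9 GE request exact matching;
# bit 10 is reserved and always reads as 1 (the 0x400 baseline quoted above);
# bits 16-31 hold RWn (2 bits) and LENn (2 bits) for each of DR0..DR3.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}       # 8 bytes only exists in 64-bit mode

def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its flags and the list of enabled breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"reg": f"DR{n}", "scope": "global" if glob else "local",
                    "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200), "breakpoints": bps}

def debugger_hints(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Observations a ring0 check could draw from DR7 and DR0-DR3 (constructed)."""
    info = decode_dr7(dr7)
    hints = []
    if info["LE"] and info["GE"]:
        hints.append("LE+GE set (the dr7=0x700 pattern of a SoftICE-loaded program)")
    for bp in info["breakpoints"]:
        addr = dr0_3[int(bp["reg"][2])]
        hints.append(f"{bp['reg']} {bp['scope']} {bp['kind']} breakpoint, "
                     f"{bp['len']} byte(s) at {addr:#010x}")
    return hints

if __name__ == "__main__":
    # Constructed value: L0 with RW0=11b/LEN0=11b (4-byte read/write BPM)
    # plus G3 with RW3=01b/LEN3=00b (1-byte write BPM), reserved bit 10 set.
    for hint in debugger_hints(0x100F0481, (0x401000, 0, 0, 0x402000)):
        print(hint)
```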

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is present

This service just checks a flag.
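For triage of a sample, the checks from methods 01 to 13 can be searched for statically. The following scanner is an added example, not code from the original text: its byte signatures are constructed from the instruction encodings of the listings above (the operand-size prefix is left out so 16-bit and 32-bit code both match), and the sample blob it scans is constructed, not taken from any real binary.

```python
import re

# Byte signatures constructed from the listings above. Regexes over raw bytes;
# '.{0,n}' tolerates a few interleaved instructions between the key opcodes.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') .. int 3 .. cmp al,4
    "01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}(\xCC|\xCD\x03).{0,8}\x3C\x04",
    # Method 02: mov si,4647h / mov di,4A4Dh magic values before int 3
    "02 SoftICE back door SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}(\xCC|\xCD\x03)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16.{0,8}\xBB(\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h":
        rb"\xB4\x43.{0,8}\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
# Method 11 device names and Method 13 registry paths as plain ASCII strings.
STRINGS = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE",
           rb"Software\NuMega\SoftICE",
           rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
           rb"App Paths\Loader32.Exe"]

def scan(blob: bytes) -> list:
    """Return (signature, offset) pairs for every anti-SoftICE pattern found."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    for s in STRINGS:
        for m in re.finditer(re.escape(s), blob):
            hits.append(("11/13 string " + s.decode("ascii"), m.start()))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: a Method 01 sequence, a Method 05 sequence and a
# MeltICE device name, separated by NOPs. Not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00"     # mov ebp,'BCHK' / mov ax,4
    + b"\xCC" + b"\x3C\x04" + b"\x75\x10"               # int 3 / cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xB8\x4F\x00" + b"\xCD\x41"                     # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3" + b"\x74\x10"                     # cmp ax,0F386h / jz
    + b"\x90" * 4
    + rb"\\.\SICE" + b"\x00"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```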
</PRE></TD></TR></TBODY></TABLE>