<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911          ; execute command.
4C19:0098  MOV DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647          ; 1st magic value.
4C19:009D  MOV DI,4A4D          ; 2nd magic value.
4C19:00A0  INT 3                ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02            ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06            ; Repeat 6 times to execute
4C19:00A8  JB 0095              ; 6 different commands.
4C19:00AA  JMP 0002             ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
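To see what the two DR7 values quoted above actually encode, and how an analyst tells "SoftICE loader present" apart from "a BPM is armed", here is an added DR7 field decoder (example code, not part of the original article); the bit layout is the documented x86 one and the sample values fed to it are constructed for the demo.

```python
"""Decode an x86 DR7 debug-control register into its fields.

Added example (not from the original article): Method 10 reads DR0-DR3
and DR7 in ring 0 and infers that SoftICE is present (DR7 == 0x700 when
started with the SoftICE loader, 0x400 otherwise) or that memory
breakpoints (BPMs) are armed. The sample DR7 values in __main__ are
constructed for this demo.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding: 00=1, 01=2, 10=8, 11=4 bytes


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and global control flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bits 1, 3, 5, 7
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: 2 bits at 16, 20, 24, 28
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: 2 bits at 18, 22, 26, 30
            slots.append({"slot": n, "scope": "global" if glob else "local",
                          "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),              # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)), # architecturally reads as 1
        "gd": bool(dr7 & (1 << 13)),             # general detect: traps MOV to DRn
    }


def bpm_armed(dr7: int) -> bool:
    """True when any DR0-DR3 slot is enabled, i.e. a hardware breakpoint is set."""
    return bool(dr7 & 0xFF)


def looks_like_softice_loader(dr7: int) -> bool:
    """The article's heuristic: 0x700 is LE+GE set with no breakpoint slot enabled."""
    return dr7 == 0x700


if __name__ == "__main__":
    # constructed samples: bare 0x400, loader 0x700, and 0x700 plus a 4-byte
    # read/write BPM in slot 0 (L0 set, R/W0=11b, LEN0=11b)
    for value in (0x400, 0x700, 0x700 | 1 | (3 << 16) | (3 << 18)):
        print(hex(value), decode_dr7(value), "BPM armed:", bpm_armed(value))
```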

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>