<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV   AX,0911         ; execute command.
4C19:0098 MOV   DX,[BX]         ; ds:dx point to the command (see below).
4C19:009A MOV   SI,4647         ; 1st magic value.
4C19:009D MOV   DI,4A4D         ; 2nd magic value.
4C19:00A0 INT   3               ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD   BX,02           ; BX+2 to point to next command to execute.
4C19:00A4 INC   CX
4C19:00A5 CMP   CX,06           ; Repeat 6 times to execute
4C19:00A8 JB    0095            ; 6 different commands.
4C19:00AA JMP   0002            ; Bad_Guy jmp back.
4C19:00AD MOV   BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h       ; VxD ID of winice
        int     2Fh
        mov     ax, es          ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh       ; VxD ID of SIWVID
        int     2fh
        mov     ax, es          ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2   PROC
        iret
int41handler2   ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler    PROC
        mov     cl,al
        iret
int41handler    ENDP

        xor     ax,ax
        mov     es,ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl,al
        jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        /* try to open the SICE VxD by its device name */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                /* the open succeeded, so the driver is loaded */
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


00401067: push    00402025        ; \\.\SICE
0040106C: call    CreateFileA
00401071: cmp     eax,-001
00401074: je      00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
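The breakpoint conditions above catch each trick while it runs under SoftICE. An analyst looking at a packed sample on disk wants the static counterpart: a scanner that flags the byte patterns of the checks described in Methods 01, 02, 03/04, 05, 07, 11 and 13 before the sample is ever executed. The Python below is an added example written for this page, not code from the original document or from any of the tools it names. The opcode encodings are assumptions made by the example (32-bit code for the BoundsChecker sequence, 16-bit real-mode code for the DOS-era int calls, short gaps tolerated between the instructions), and the SAMPLE buffer is constructed here from hand-assembled fragments so the scanner runs offline.

```python
import re
from typing import List, Tuple

# Byte signatures of the SoftICE checks described in this document.
# Encodings are the example's own assumptions: mov ebp,imm32 = BD imm32,
# mov ax,imm16 = (66) B8 imm16, mov si/di/bx,imm16 = BE/BF/BB imm16,
# int n = CD n, int 3 = CC, cmp ax,imm16 = 3D imm16.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' interface (mov ebp,4243484Bh / mov ax,4 / int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    ("Method 02: back door magic values SI=4647h / DI=4A4Dh before int 3",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46.{0,16}?\xCC", re.DOTALL)),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 05: int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("Method 05/07/12: compare against the 0F386h debugger magic number",
     re.compile(rb"\x3D\x86\xF3")),
    ("Method 07: int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("Method 13: SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(buf: bytes) -> List[str]:
    """Distinct method labels present in buf, e.g. ['Method 01', 'Method 11']."""
    return sorted({name.split(":")[0] for _, name in scan(buf)})


# Constructed sample buffer: filler bytes plus hand-assembled fragments of the
# checks above, followed by the strings a MeltICE-style check would carry.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01, then cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # Method 02: mov ax,0911h / si / di / int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00Hello\x00"
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                    # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                            # Method 13 registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it against a real file with scan(open(path, "rb").read()). The gaps in the patterns (.{0,8}? and .{0,16}?) absorb the register setup that sits between the distinctive instructions in listings like the Haspinst.exe one above; tighten or widen them to trade false positives against missed variants, and treat the 0F386h compare on its own as a hint rather than a verdict, since the constant can occur by chance.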

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>