About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  It temporarily swaps the int 41h vector
for a stub that just returns, so ax only becomes 0F386h if SoftICE intercepts
the interrupt before the V86 vector is reached:

    xor     ax, ax
    mov     es, ax                  ; ES = 0: es:[41h*4] is the IVT entry (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
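The paragraph above quotes the debug-register values as bare numbers. Here is an added example (not part of the original post) that decodes a DR7 value against the bit layout Intel documents for that register, so an analyst can see why 0x700 versus 0x400 points at the SoftICE loader (bits 8 and 9, LE and GE, on top of the always-set reserved bit 10) and how an armed memory breakpoint shows up in DR0..DR3. Python cannot read DR7 from ring 3, so the values are passed in; the sample values in the block are constructed, and the `assess` heuristic and its wording are this example's own reading of the text.

```python
"""Decode an x86 DR7 value the way the Method 10 check interprets it (added example)."""

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i   = Li  local enable for breakpoint i      (i = 0..3)
#   bit 2i+1 = Gi  global enable for breakpoint i
#   bit 8    = LE, bit 9 = GE (local/global exact breakpoint enable)
#   bit 10   = reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13   = GD  (general detect: trap on any MOV to/from a debug register)
#   bits 16+4i..17+4i = R/Wi, bits 18+4i..19+4i = LENi
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of armed breakpoints encoded in dr7."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        armed.append({
            "index": i,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": armed,
    }


def assess(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Apply the heuristic from the text: LE+GE set -> started from the SoftICE
    loader; any enabled BPi -> a BPM is set on the address held in DRi."""
    d = decode_dr7(dr7)
    findings = []
    if d["LE"] and d["GE"]:
        findings.append("LE+GE set (dr7 & 0x300): the value the text reports "
                        "when the program was started by the SoftICE loader")
    if d["GD"]:
        findings.append("GD set: any access to DR0-DR7 would trap (#DB)")
    for bp in d["breakpoints"]:
        findings.append(f"dr{bp['index']} armed: {bp['scope']} {bp['kind']} "
                        f"breakpoint, {bp['length']} byte(s) at {dr0_3[bp['index']]:#010x}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not captured from a real machine.
    print(assess(0x400))                             # plain Windows: only the reserved bit
    print(assess(0x700))                             # the value quoted for the SoftICE loader
    print(assess(0xD0402, (0x00401000, 0, 0, 0)))    # one global 4-byte write BPM via DR0
```

The third sample, 0xD0402, is built from G0 (bit 1), the reserved bit, R/W0=01 (write) and LEN0=11 (4 bytes); it is the shape a `BPM` on a dword would leave in DR7, and the decoder reports it as one global write breakpoint at the address in DR0.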

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE drivers' handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* The open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
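The post gives SoftICE breakpoints for catching each trick at run time. For an analyst who has only the file, the complementary check is static: look for the byte sequences those methods leave in a binary. The following is an added example, not code from the original post, that scans a buffer for the patterns of Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13 as listed above. The instruction encodings, the signature names and the `.{0,8}` slack between paired instructions are this example's own derivation from the assembly quoted; the sample blob is constructed. Methods 06, 08, 09, 10 and 14 (ring-0 service calls and vector rewrites) have no fixed byte pattern and are left out.

```python
"""Static triage of a binary for the anti-SoftICE byte patterns described above (added example)."""
import re
from typing import Dict, List

# Instruction-level signatures as regexes over raw bytes. Encodings are the
# standard x86 ones for the instructions quoted in the text; a 16-bit immediate
# form such as mov si,imm16 (BE imm16) is also what a 32-bit build emits after a
# 66h prefix, so these match both code models. '.{0,8}' tolerates a few
# unrelated bytes between the two halves of a pattern.
CODE_SIGNATURES = {
    "m01_bchk":       rb"\xBD\x4B\x48\x43\x42",             # mov ebp,4243484Bh ('BCHK')
    "m02_backdoor":   rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"    # mov si,4647h ... mov di,4A4Dh
                      rb"|\xBF\x4D\x4A.{0,8}\xBE\x47\x46",  # (either order)
    "m03_vxd_sice":   rb"\xBB\x02\x02.{0,8}\xCD\x2F",       # mov bx,0202h ... int 2Fh
    "m04_vxd_siwvid": rb"\xBB\x5F\x7A.{0,8}\xCD\x2F",       # mov bx,7A5Fh ... int 2Fh
    "m05_int41":      rb"\xB8\x4F\x00.{0,8}\xCD\x41",       # mov ax,4Fh ... int 41h
    "m07_int68":      rb"\xB4\x43.{0,8}\xCD\x68",           # mov ah,43h ... int 68h
    "m12_vxdcall":    rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)"  # push 4Fh (short or long form)
                      rb"\x68\x2A\x00\x2A\x00",             # push 002A002Ah (VWIN32_Int41Dispatch)
}

# String signatures (MeltICE device names, Method 13 registry paths). Each is
# searched case-insensitively as ANSI and as UTF-16LE, since Win32 code may
# store either.
STRING_SIGNATURES = {
    "m11_meltice":  [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "m13_registry": [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                     b"App Paths\\Loader32.Exe"],
}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each matching signature name to the sorted offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in CODE_SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, data, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    haystack = data.lower()   # ASCII-only lowering keeps offsets and UTF-16 zero bytes intact
    for name, needles in STRING_SIGNATURES.items():
        offsets = set()
        for needle in needles:
            for variant in (needle, needle.decode("ascii").encode("utf-16-le")):
                pos = haystack.find(variant.lower())
                while pos != -1:
                    offsets.add(pos)
                    pos = haystack.find(variant.lower(), pos + 1)
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def scan_file(path: str) -> Dict[str, List[int]]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample blob (not a real executable): an MZ stub followed by the
# byte sequences of Methods 01, 02 and 12, a MeltICE device name and a
# UTF-16 copy of the Method 13 registry path.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 5
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 5
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # push 4Fh; push 002A002Ah
    + b"\x00\\\\.\\SICE\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:15s} at {', '.join(f'{o:#06x}' for o in offsets)}")
```

Run `scan_file()` on a suspect executable and treat the paired patterns (m02, m03, m04, m05, m07, m12) as strong indicators; the single-instruction m01 signature and the string signatures are only hints and are worth confirming at the reported offset in a disassembler, since the same bytes can occur in unrelated data.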
Site: 汶上信息港