About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected       ; AL is no longer 4 only if SoftICE answered the int 3

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (the IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a varying, non-zero value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL still 0 means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
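
Added example, not part of the original post or of the tools it quotes: a Python triage script for the interrupt-based probes of Methods 01 to 08. It sweeps raw x86 code, tracks only the immediate register loads these probes rely on, and reports every INT whose register state matches the magic values above (EBP='BCHK' at INT 3, SI/DI=4647h/4A4Dh, INT 2Fh/1684h with the SICE or SIWVID VxD ID, INT 41h/4Fh, INT 68h/43h, and the INT 21h/25h hook of INT 01h/03h). The sample bytes are constructed here: the Haspinst.exe loop is re-encoded from the listing in Method 02, the other snippets from their assembly. Skipping unknown opcodes one byte at a time is a heuristic assumption of this script; it is not a disassembler.

```python
# Added example (not part of the original post): static triage of the
# interrupt-based SoftICE probes from Methods 01-08. Linear sweep over raw
# x86 code, tracking only "mov r8/r16/r32, imm"; at every INT / INT 3 the
# register state is compared with the magic values quoted in the text.
# Unknown opcodes are skipped one byte at a time (heuristic, not a disassembler).
from typing import Dict, List, Optional, Tuple

R16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]          # opcodes B8+r
R8 = [("ax", 0), ("cx", 0), ("dx", 0), ("bx", 0),                # opcodes B0+r: al cl dl bl
      ("ax", 8), ("cx", 8), ("dx", 8), ("bx", 8)]                #               ah ch dh bh

# INT 3 back-door functions listed in Method 02
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}


def classify_int(vector: int, regs: Dict[str, int]) -> Optional[str]:
    """Match the register state at an INT against the probes of Methods 01-08."""
    ax, bx = regs["ax"] & 0xFFFF, regs["bx"] & 0xFFFF
    si, di, ebp = regs["si"] & 0xFFFF, regs["di"] & 0xFFFF, regs["bp"]
    ah, al = ax >> 8, ax & 0xFF
    if vector == 0x03:
        if ebp == 0x4243484B:                        # 'BCHK'
            return "Method 01: INT 3 with EBP='BCHK' (BoundsChecker interface)"
        if si == 0x4647 and di == 0x4A4D:            # SoftICE magic values
            func = BACKDOOR_FUNCS.get(ax, "unknown function")
            return f"Method 02: SoftICE INT 3 back door, AX={ax:04X}h ({func})"
    elif vector == 0x2F and ax == 0x1684:
        if bx == 0x0202:
            return "Method 03: INT 2Fh/1684h entry point of VxD 0202h (SICE)"
        if bx == 0x7A5F:
            return "Method 04: INT 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)"
    elif vector == 0x41 and ax == 0x004F:
        return "Method 05/06: INT 41h function 4Fh debugger check (expects 0F386h)"
    elif vector == 0x68 and ah == 0x43:
        return "Method 07: INT 68h function 43h debugger check (expects 0F386h)"
    elif vector == 0x21 and ah == 0x25 and al in (0x01, 0x03):
        return f"Method 08: DOS set-vector (AH=25h) of INT {al:02X}h"
    return None


def sweep(code: bytes, bits: int = 16) -> List[Tuple[int, str]]:
    """Linear sweep in 16- or 32-bit mode; returns (offset, description) per matching INT."""
    regs = {r: 0 for r in R16}      # 32-bit register values; 16-bit loads keep the upper half
    hits: List[Tuple[int, str]] = []
    i = 0
    while i < len(code):
        start, op, opsize = i, code[i], bits
        if op == 0x66 and i + 1 < len(code):           # operand-size override flips 16 <-> 32
            opsize, i = 48 - bits, i + 1
            op = code[i]
        if 0xB0 <= op <= 0xB7 and i + 1 < len(code):                  # mov r8, imm8
            reg, shift = R8[op - 0xB0]
            regs[reg] = (regs[reg] & (0xFFFFFFFF ^ (0xFF << shift))) | (code[i + 1] << shift)
            i += 2
        elif 0xB8 <= op <= 0xBF and i + opsize // 8 < len(code):      # mov r16/r32, imm
            width = opsize // 8
            imm = int.from_bytes(code[i + 1:i + 1 + width], "little")
            reg = R16[op - 0xB8]
            regs[reg] = imm if width == 4 else (regs[reg] & 0xFFFF0000) | imm
            i += 1 + width
        elif op == 0xCC or (op == 0xCD and i + 1 < len(code)):        # INT 3 / INT n
            vector = 3 if op == 0xCC else code[i + 1]
            desc = classify_int(vector, regs)
            if desc:
                hits.append((start, desc))
            i += 1 if op == 0xCC else 2
        else:
            i += 1                                      # unknown opcode: resynchronise byte by byte
    return hits


# Constructed 16-bit sample: the Haspinst.exe loop from Method 02 re-encoded
# byte for byte, followed by the snippets of Methods 03, 05, 07 and 08.
SAMPLE_16 = bytes.fromhex(
    "B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC"   # Method 02 (Haspinst)
    "31FF 8EC7 B88416 BB0202 CD2F 8CC0 01F8 85C0 7503"                 # Method 03
    "B84F00 CD41 3D86F3 7403"                                           # Method 05
    "B443 CD68 3D86F3 7403"                                             # Method 07
    "B425 B003 BA0010 CD21"                                             # Method 08 (hook INT 03h)
)
# Constructed 32-bit sample: Method 01 as a Win32 packer would encode it.
SAMPLE_32 = bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")

if __name__ == "__main__":
    for offset, desc in sweep(SAMPLE_16, 16) + sweep(SAMPLE_32, 32):
        print(f"{offset:04X}: {desc}")
```

The decode mode matters: the same Method 01 bytes scanned as 16-bit code swallow the INT 3 inside a misread immediate and produce no hit, so pass bits=32 for Win32 code and bits=16 for DOS or V86 code.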

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
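
Added example, not from the original post: a decoder for the DR7 value and the DR0..DR3 addresses that this method reads, written from the IA-32 debug-register layout. It shows why the two DR7 values quoted above differ (0x400 is only the always-set reserved bit 10; 0x700 also has the LE and GE bits set) and lists which hardware breakpoints (SoftICE BPMs) a ring0 check would see. The register values below are constructed sample inputs.

```python
# Added example (not part of the original post): decode the debug registers
# that Method 10 reads. Bit layout is the IA-32 one: L0..G3 in bits 0-7,
# LE bit 8, GE bit 9, reserved bit 10 (always 1), GD bit 13, and the R/W and
# LEN fields of slots 0..3 in bits 16-31.
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/W field (io needs CR4.DE)
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}                               # LEN field (8 only in 64-bit mode)


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> Dict:
    """Return the global flags plus one entry per enabled hardware breakpoint (BPM)."""
    info = {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": []}
    for n in range(4):
        local, glob = bool(dr7 & (1 << (2 * n))), bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({"slot": n, "address": dr0_3[n],
                                    "scope": "global" if glob else "local",
                                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return info


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's values: 0x400 is just the reserved bit 10; 0x700 adds LE and GE,
    which is what a program started through the SoftICE loader sees."""
    return (dr7 & 0x300) == 0x300


def bpm_summary(dr7: int, dr0_3=(0, 0, 0, 0)) -> List[str]:
    """One human-readable line per BPM, e.g. for a triage report."""
    return [f"BPM{b['slot']} {b['type']} len={b['length']} at {b['address']:08X} ({b['scope']})"
            for b in decode_dr7(dr7, dr0_3)["breakpoints"]]


# Constructed DR7 sample: loader signature (0x700) plus a local 4-byte write
# watch in slot 0 and a global 2-byte read/write watch in slot 2.
SAMPLE_DR7 = 0x700 | 0x1 | (1 << 16) | (3 << 18) | 0x20 | (3 << 24) | (1 << 26)
SAMPLE_DR = (0x00401000, 0, 0x00405000, 0)   # constructed DR0..DR3 contents

if __name__ == "__main__":
    print(f"DR7={SAMPLE_DR7:08X} loader={looks_like_softice_loader(SAMPLE_DR7)}")
    for line in bpm_summary(SAMPLE_DR7, SAMPLE_DR):
        print(line)
```

A program that "clears BPMs" as the text describes only has to zero bits 0-7 of DR7; the decoder makes that visible as an empty breakpoint list while LE and GE stay set.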

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* open the VxD by its device name; this only succeeds if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
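
Added example, not from the original post or from MeltICE: a file-image scan for the Win32-level probes of Methods 11, 12 and 13. It looks for the driver device names opened by CreateFileA and _lopen, the three registry paths, and the push 4Fh / push 002A002Ah pair that precedes the VxDCall of Method 12. It goes slightly beyond the text by also matching the device names as UTF-16LE (for the W variants of the API) and by matching registry paths case-insensitively; the sample image is constructed inline and is not a real PE file.

```python
# Added example (not part of the original post): static checks for the
# Win32-level SoftICE probes of Methods 11-13 on a raw file image.
import re
from typing import List, Tuple

# Device names opened by MeltICE (CreateFileA) and by the _lopen variant
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
# Registry paths of Method 13 (without the HKEY_LOCAL_MACHINE root)
REGISTRY_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]
# Method 12: push 0000004Fh ; push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall
VXDCALL_INT41 = re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")


def scan_win32_probes(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, detail) for every probe artefact found, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for name in DEVICE_NAMES:
        variants = ((name, "ascii"), (name.decode().encode("utf-16-le"), "utf-16le"))
        for encoded, label in variants:
            for m in re.finditer(re.escape(encoded), image):
                hits.append((m.start(), "Method 11: device name", f"{name.decode()} ({label})"))
    for key in REGISTRY_KEYS:
        for m in re.finditer(re.escape(key), image, re.IGNORECASE):   # registry is case-insensitive
            hits.append((m.start(), "Method 13: registry key", key.decode()))
    for m in VXDCALL_INT41.finditer(image):
        hits.append((m.start(), "Method 12: VxDCall VWIN32_Int41Dispatch", "push 4Fh / push 002A002Ah"))
    return sorted(hits)


# Constructed sample image (not a real PE): filler, an ASCII device name, a
# UTF-16LE device name, the Method 12 push pair followed by a call, and a
# registry path in a different letter case than the text uses.
SAMPLE_IMAGE = (
    b"MZ" + bytes(30)
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + bytes(8)
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
    + b"SOFTWARE\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, detail in scan_win32_probes(SAMPLE_IMAGE):
        print(f"{offset:08X}  {method}: {detail}")
```

Strings alone are a weak signal on their own (an analyst's tools ship the same names), so treat a hit as a reason to set the BPX conditions listed above, not as a verdict.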


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>