<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh  ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WinICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax          ; ES:DI stays 0 if the VxD is not present
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; assumes ES = 0 (IVT segment), see Method 06
    xchg bx, es:[41h*4+2]    ; install our own int 41h handler
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer byte: a value that cannot be guessed
    xor cx, cx
    int 41h                  ; if a debugger intercepts int 41h, cl stays 0
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
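The dr7 values quoted above become readable once the register is split into its fields. Here is an added DR7 decoder (example code written for this page, not part of the original list). It uses the IA-32 debug-register layout: L0-L3/G0-G3 enable bits in bits 0-7, LE/GE in bits 8-9, the reserved bit 10 that always reads as 1, GD in bit 13, and the R/W and LEN fields from bit 16 up. The SoftICE-loader heuristic is only the 0x700-versus-0x400 observation stated in the text, wrapped in a function; bpm_dr7 builds the dr7 a memory breakpoint would produce, so you can see what such a check finds when a BPM is armed.

```python
# Added example (not from the original text): decode the IA-32 DR7 register so
# the values quoted for Method 10 (0x400, 0x700, BPMs in dr0-dr3) can be read.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b: undefined on 32-bit CPUs, 8 bytes on x86-64


def decode_dr7(dr7: int) -> dict:
    """Return the breakpoint-control fields packed in DR7."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # L0..L3 = bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # G0..G3 = bits 1,3,5,7
        if not (local or glob):
            continue                              # dr[n] is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11         # R/W[n]: break condition
        ln = (dr7 >> (18 + 4 * n)) & 0b11         # LEN[n]: monitored size
        breakpoints.append({
            "index": n,
            "local": local,
            "global": glob,
            "condition": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1
        "gd": bool(dr7 & (1 << 13)),              # general detect: traps MOV to/from DRx
    }


def matches_softice_loader(dr7: int) -> bool:
    """Heuristic from the text: dr7 == 0x700 (LE|GE set, no breakpoints) when the
    program was started by the SoftICE loader, 0x400 (only the reserved bit) otherwise."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not d["breakpoints"]


def bpm_dr7(index: int, condition: str, length: int, local: bool = True) -> int:
    """Build the DR7 a memory breakpoint (BPM) on dr[index] would produce."""
    rw = {v: k for k, v in RW_NAMES.items()}[condition]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    dr7 = 1 << 10                                 # keep the reserved bit set
    dr7 |= 1 << (2 * index + (0 if local else 1))
    dr7 |= rw << (16 + 4 * index)
    dr7 |= ln << (18 + 4 * index)
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, bpm_dr7(0, "write", 4)):
        print(hex(value), decode_dr7(value), "loader?", matches_softice_loader(value))
```

decode_dr7(0x400) reports no armed breakpoint and only the reserved bit; decode_dr7(0x700) adds LE and GE; a 4-byte write BPM on dr0 gives 0xD0401, which the decoder reports as breakpoint 0, local, write, length 4. Reading dr7 needs ring0, as the text notes, so this decodes values obtained with a kernel debugger or from a dump; it does not read the register itself.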
" r8 e2 B, z$ ?; {8 @8 q% c0 n# [; Z ?: R7 D5 E
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the Win9x SoftICE driver by its device name */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
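Methods 01, 02, 03/04, 05, 07 and 12 all compare against fixed constants, so their unobfuscated forms leave recognisable byte sequences in a file. The scanner below is an added example (not code from the original list): it encodes the literal x86 encodings of those checks as byte regexes, allows a few unrelated bytes between the instructions of one check, and reports where each occurs in a buffer. The SAMPLE buffer is constructed here by hand-assembling the snippets from the text. Treat a hit as a triage lead: a protector that builds the magic values at runtime or uses other registers will not match, and cmp ax,0F386h can occur in harmless code.

```python
import re

# Added example (not from the original list): byte-pattern rules for the
# literal encodings of the SoftICE checks in Methods 01-07 and 12.
# Immediates are little-endian; ".{0,N}?" tolerates a few unrelated bytes
# between the instructions of one check.
RULES = [
    ("method01_bchk", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("method02_backdoor_magic", "mov si,4647h and mov di,4A4Dh (int 3 back door)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    ("method03_04_vxd_id", "mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("method05_int41", "mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("method07_int68", "mov ah,43h / int 68h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("magic_f386", "cmp ax,0F386h (Methods 05, 07 and 12)",
     rb"\x3D\x86\xF3"),
    ("method12_vxdcall", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(key, desc, re.compile(pat, re.DOTALL)) for key, desc, pat in RULES]


def scan(buf: bytes) -> dict:
    """Map rule key -> list of byte offsets where the rule matched."""
    hits = {}
    for key, _desc, pattern in COMPILED:
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[key] = offsets
    return hits


def describe(buf: bytes) -> list:
    """One human-readable report line per hit."""
    desc = {key: d for key, d, _ in RULES}
    return [f"{off:#06x}: {key}: {desc[key]}"
            for key, offs in scan(buf).items() for off in offs]


# Constructed sample: the snippets from the text hand-assembled into one buffer.
SAMPLE = bytes.fromhex(
    "90 90 90 "                                              # filler
    "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10 "             # Method 01 (32-bit code)
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC "                   # Method 02, Haspinst style
    "B8 4F 00 CD 41 3D 86 F3 74 05 "                         # Method 05
    "6A 4F 68 2A 00 2A 00 E8 00 00 00 00 66 3D 86 F3 74 02 "  # Method 12
    "C3"
)

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

On the constructed sample the scanner reports Method 01 at offset 3, the Method 02 magic pair at 0x16, the int 41h/4Fh check at 0x1d, the 0F386h compare twice (Methods 05 and 12) and the VWIN32 service push at 0x29; the rule for Methods 03/04 and 07 stays silent because the sample contains neither.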
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
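MeltICE (Method 11) and the registry lookup (Method 13) both have to carry their target names, so a file implementing them usually contains the device path or the key path in clear. The added scanner below (example code, not from the original) looks for those strings in ANSI and in UTF-16LE form, case-insensitively, and tags each hit with the method it suggests. The SAMPLE buffer is constructed. It complements the runtime breakpoints given in the text (BPX on CreateFileA or _regopenkey): those catch the call as it happens, this one spots the constant before the program is run.

```python
# Added example (not from the original text): find the string artefacts that a
# MeltICE-style driver open (Method 11) or the registry lookup (Method 13) leaves
# in a binary, in both ANSI and UTF-16LE encodings.

ARTEFACTS = [
    ("method11", r"\\.\SICE"),
    ("method11", r"\\.\SIWVID"),
    ("method11", r"\\.\NTICE"),
    ("method13", r"Software\NuMega\SoftICE"),
    ("method13", r"CurrentVersion\Uninstall\SoftICE"),
    ("method13", r"App Paths\Loader32.Exe"),
]


def find_artefacts(buf: bytes) -> list:
    """Return (offset, encoding, artefact, method) for every occurrence.

    bytes.lower() only folds ASCII letters, which is exactly what is needed:
    the UTF-16LE form of these ASCII names is the same letters with zero bytes
    in between, so lowering the haystack once serves both encodings."""
    hay = buf.lower()
    found = []
    for method, text in ARTEFACTS:
        for enc in ("ascii", "utf-16-le"):
            needle = text.lower().encode(enc)
            start = 0
            while (pos := hay.find(needle, start)) != -1:
                found.append((pos, enc, text, method))
                start = pos + 1
    return sorted(found)


def methods_suggested(buf: bytes) -> set:
    """Which of the two methods the artefacts in buf point at."""
    return {method for _, _, _, method in find_artefacts(buf)}


# Constructed sample: a fake header, two ANSI device names and one Unicode key path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\SICE\x00"                                            # ANSI, as in MeltICE
    + b"\\\\.\\NTICE\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"  # Unicode registry path
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, enc, text, method in find_artefacts(SAMPLE):
        print(f"{off:#06x} {enc:9} {method}: {text}")
```

On the sample this reports the ANSI SICE and NTICE names at 0x10 and 0x19 (Method 11) and the UTF-16LE NuMega key path at 0x23 (Method 13); a buffer with none of the strings returns an empty list.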

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>