<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: EBP holds the
signature 'BCHK' and AX=04h when the int 3 is issued. If SoftICE is loaded
it handles the interrupt and changes AL; if it is not, AL is still 04h.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get VxD entry point"). The call returns ES:DI = the VxD's API entry
point, and leaves ES:DI untouched if no VxD with that ID is loaded; this
is why the code clears ES:DI first, so that a missing VxD is reliably seen
as 0000:0000.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first point the int 41h vector at a
do-nothing IRET handler of their own, so that the 0F386h answer cannot come
from the real-mode vector table: only a debugger that takes the interrupt
before the IVT is consulted, as SoftICE does, can still return it.

 xor ax,ax
 mov es,ax ; ES:0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in BX:DX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: a
pseudo-random byte (read from the timer at port 40h) is passed in AL. If
the program's own handler runs it copies AL to CL; if SoftICE takes the
int 41h before the IVT, the handler never runs and CL stays 0. (Should the
byte read from the timer happen to be 0, the check gives a false negative.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
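
As an added example (not part of the original text, and not code from any
of the packers it describes), here is a small Python register-state tracker
that recognises Methods 01 to 08 in raw 16-bit code. Rather than matching
fixed byte strings, it decodes the handful of instructions the snippets
above use, remembers the last immediate loaded into each register, and
classifies every INT from that state, so it also matches variants that
reorder the MOVs (as the Haspinst.exe sample does). The sample byte strings
are the page's snippets hand-assembled for this example; the decoder only
knows the register/immediate forms used here and skips any other opcode as
a single byte, which is an assumption that a real tool would replace with
a proper disassembler.

```python
# Register-state tracker for the int-based SoftICE checks (Methods 01 to 08).
# Added example, not part of the original page: it decodes only the handful of
# 16-bit instructions those snippets use, remembers the last immediate loaded
# into each register, and classifies every INT it meets from that state.

BACKDOOR_FN = {0x0910: "display string", 0x0911: "execute command",
               0x0912: "get breakpoints", 0x0913: "set breakpoints",
               0x0914: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}
# opcode -> 16-bit register loaded by "mov r16, imm16"
IMM16 = {0xB8: "ax", 0xBB: "bx", 0xBA: "dx", 0xBE: "si", 0xBF: "di"}
# instruction lengths for the other opcodes seen in the snippets (only the
# register/register and imm8 forms they use); anything else is skipped as 1 byte
OTHER_LEN = {0x31: 2, 0x33: 2, 0x8E: 2, 0x8B: 2, 0x8C: 2, 0x01: 2, 0x85: 2,
             0x3C: 2, 0x3D: 3, 0x74: 2, 0x75: 2, 0x72: 2, 0xE4: 2, 0x83: 3, 0x41: 1}


def classify(vector, r):
    """Match an INT and the register state at that point against the page's methods."""
    ax = r.get("ax")
    ah, al = (None, None) if ax is None else (ax >> 8, ax & 0xFF)
    if vector == 3 and r.get("ebp") == 0x4243484B and ax == 4:
        return "Method 01: BoundsChecker 'BCHK' signature (ebp=4243484Bh, ax=4)"
    if vector == 3 and r.get("si") == 0x4647 and r.get("di") == 0x4A4D:
        fn = BACKDOOR_FN.get(ax, "unknown function")
        return "Method 02: SoftICE back door, ax=%04Xh (%s)" % (ax or 0, fn)
    if vector == 0x2F and ax == 0x1684 and r.get("bx") in VXD_IDS:
        return "Method 03/04: int 2Fh/1684h entry point of VxD %s" % VXD_IDS[r["bx"]]
    if vector == 0x41 and ax == 0x4F:
        return "Method 05/06: int 41h/4Fh debugger installation check"
    if vector == 0x68 and ah == 0x43:
        return "Method 07: int 68h/43h WinICE V86 handler check"
    if vector == 0x21 and ah == 0x25 and al in (1, 3):
        return "Method 08: int 21h/25h rehooks int %02Xh (crash, not detection)" % al
    return None


def track_interrupts(code):
    """Linear sweep of 16-bit code; returns [(offset, vector, classification)]."""
    regs, i, hits = {}, 0, []
    while i < len(code):
        op = code[i]
        if op == 0x66 and i + 5 < len(code) and code[i + 1] == 0xBD:   # mov ebp, imm32
            regs["ebp"] = int.from_bytes(code[i + 2:i + 6], "little")
            i += 6
        elif op in IMM16 and i + 2 < len(code):                          # mov r16, imm16
            regs[IMM16[op]] = int.from_bytes(code[i + 1:i + 3], "little")
            i += 3
        elif op == 0xB4 and i + 1 < len(code):                           # mov ah, imm8
            regs["ax"] = (code[i + 1] << 8) | (regs.get("ax", 0) & 0xFF)
            i += 2
        elif op == 0xB0 and i + 1 < len(code):                           # mov al, imm8
            regs["ax"] = (regs.get("ax", 0) & 0xFF00) | code[i + 1]
            i += 2
        elif op == 0xCC or (op == 0xCD and i + 1 < len(code)):            # int 3 / int imm8
            vector = 3 if op == 0xCC else code[i + 1]
            hits.append((i, vector, classify(vector, regs)))
            regs = {}           # the handler clobbers registers: start from a clean state
            i += 1 if op == 0xCC else 2
        else:
            i += OTHER_LEN.get(op, 1)
    return hits


# Constructed samples: the page's snippets hand-assembled (not taken from any binary).
SAMPLES = {
    "bchk":     bytes.fromhex("66BD4B484342 B80400 CC 3C04 7500"),
    "backdoor": bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EE"),
    "vxd_2f":   bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F 8CC0 01F8 85C0 7500"),
    "int41":    bytes.fromhex("B84F00 CD41 3D86F3 7400"),
    "int68":    bytes.fromhex("B443 CD68 3D86F3 7400"),
    "rehook":   bytes.fromhex("B425 B003 BA0001 CD21"),
    "dos_exit": bytes.fromhex("B8004C CD21"),          # mov ax,4C00h / int 21h: benign
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        for offset, vector, verdict in track_interrupts(code):
            print("%-8s +%02X int %02Xh -> %s" % (name, offset, vector, verdict))
```

Run it on a raw DOS code segment (for instance the bytes of a packed
executable's decryptor) and every INT is reported with what the registers
held at that point; a benign int 21h/4Ch exit is listed with no
classification, which is the intended result for ordinary DOS calls.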
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise), or whether memory breakpoints are
set (DR0 to DR3), simply by reading their values (in ring 0 only: a MOV
from a debug register faults in ring 3). The values can be manipulated or
changed as well (clearing BPMs, for instance).
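
The two DR7 values quoted above are easier to reason about once the bits
are decoded. The following Python is an added example rather than anything
from the page: it decodes DR7 into the LE/GE "exact" bits (0x700 is just
LE|GE on top of the always-set reserved bit 10 that gives the 0x400
baseline) and the four breakpoint slots, applies the page's rule to decide
between "loaded by the SoftICE loader" and "BPMs armed", and shows the mask
a ring 0 routine would apply to disarm every BPM while leaving the rest of
DR7 alone. The register snapshots are constructed for the example; reading
the real registers needs MOV from DRx in ring 0, which this script does not
attempt.

```python
# DR7 decoder for Method 10. Added example, not code from the page: it shows what
# the two DR7 values quoted above actually mean and how a program running in
# ring 0 could read, interpret and neutralise SoftICE's BPM breakpoints.

DR7_RESERVED_ONE = 1 << 10        # bit 10 always reads as 1, hence the 0x400 baseline
DR7_LE, DR7_GE = 1 << 8, 1 << 9   # local/global exact breakpoint enable: 0x700 = LE|GE|0x400
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 3: 4}      # LEN field; encoding 2 is undefined on 32-bit CPUs


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Return (flags, breakpoints): flags lists LE/GE, breakpoints the armed DR0-DR3 slots."""
    flags = [name for bit, name in ((DR7_LE, "LE"), (DR7_GE, "GE")) if dr7 & bit]
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"slot": n, "addr": dr[n], "scope": "global" if glob else "local",
                    "type": RW_TYPES[rw], "len": LENGTHS.get(ln, "undefined")})
    return flags, bps


def softice_verdict(dr7, dr=(0, 0, 0, 0)):
    """Apply the page's rule: LE/GE set -> loaded by SoftICE loader; armed slots -> BPMs."""
    flags, bps = decode_dr7(dr7, dr)
    if bps:
        return "memory breakpoints set: " + ", ".join(
            "DR%d %s %s len %s at %08X" % (b["slot"], b["scope"], b["type"], b["len"], b["addr"])
            for b in bps)
    if "LE" in flags or "GE" in flags:
        return "loaded with the SoftICE loader (DR7=%03X, exact-match bits set)" % dr7
    return "nothing set (DR7=%03X)" % dr7


def clear_bpms(dr7):
    """Disarm all four slots but keep LE/GE and the reserved bit: what 'clearing BPMs' does."""
    return dr7 & 0x0000FF00 | DR7_RESERVED_ONE


# Constructed register snapshots (made up for the example, not dumped from a machine):
PLAIN = 0x400                       # only the always-one bit: not started under SoftICE loader
LOADER = 0x700                      # LE|GE|reserved: the value the page quotes for the loader
# DR7 with slot 0 global/write/1 byte and slot 2 local/read-write/4 bytes:
#   G0 (bit 1) | L2 (bit 4) | RW0=01 (bits 16-17) | RW2=11 (bits 24-25) | LEN2=11 (bits 26-27)
BPM_DR7 = 0x400 | 0x2 | 0x10 | 0x00010000 | 0x03000000 | 0x0C000000
BPM_DR = (0x00401000, 0, 0x00402000, 0)

if __name__ == "__main__":
    for label, dr7, dr in (("plain", PLAIN, (0,) * 4), ("loader", LOADER, (0,) * 4),
                           ("bpm", BPM_DR7, BPM_DR)):
        print("%-6s DR7=%08X: %s" % (label, dr7, softice_verdict(dr7, dr)))
    print("after clear_bpms: %08X" % clear_bpms(BPM_DR7))
```

The warning at the top of Method 10 follows directly from the last
function: a protected program that writes the cleared value back into DR7
silently removes every BPM you set, and if you were single-stepping through
it at the time the trace flag handling is disturbed as well.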
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE if the SoftICE 'SICE' VxD answered the open request. */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver is loaded: close the handle again */
 return TRUE;
 }
 return FALSE; /* open failed: no SICE VxD answered the DIOC_OPEN */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to catch it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
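
Methods 11 to 13 differ from the interrupt tricks in that they leave static
traces in the executable: the device names MeltICE opens, the registry
paths above and, for Method 12, the exact push pair in front of the VxDCall.
The Python below is an added example (not the page's code, not MeltICE and
not any of the programs named here) that finds those indicators in a raw
file image, in ANSI and UTF-16LE form and regardless of case, so a protected
program can be triaged for these checks before it is ever run. The sample
image is constructed for the example, not taken from a real executable; the
device and registry strings are exactly the ones the page lists, and the
push pair is the one from the Bleem snippet.

```python
# Static scanner for the Win32-side indicators of Methods 11, 12 and 13. Added
# example, not code from the page: it looks for the driver names MeltICE opens,
# the registry paths of Method 13 (ANSI and UTF-16LE, case-insensitive) and the
# exact push pair of Method 12 in a raw file image, without running anything.
import re

DEVICE_NAMES = ("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE")
REGISTRY_PATHS = ("Software\\NuMega\\SoftICE",
                  "CurrentVersion\\Uninstall\\SoftICE",
                  "App Paths\\Loader32.Exe")
# push 0000004Fh / push 002A002Ah, exactly as the Bleem demo snippet encodes it
VXDCALL_INT41_4F = b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"


def _text_patterns(strings, label):
    """One case-insensitive regex per string, in both ANSI and UTF-16LE form."""
    pats = []
    for s in strings:
        for enc, form in (("latin-1", "ansi"), ("utf-16-le", "wide")):
            pats.append((re.compile(re.escape(s.encode(enc)), re.IGNORECASE), label, s, form))
    return pats


PATTERNS = (_text_patterns(DEVICE_NAMES, "Method 11: MeltICE device open")
            + _text_patterns(REGISTRY_PATHS, "Method 13: SoftICE registry key")
            + [(re.compile(re.escape(VXDCALL_INT41_4F)),
                "Method 12: VxDCall VWIN32_Int41Dispatch/4Fh", "push 4Fh; push 2A002Ah", "code")])


def scan(blob):
    """Return sorted (offset, label, what, form) tuples for every indicator in blob."""
    hits = []
    for rx, label, what, form in PATTERNS:
        for m in rx.finditer(blob):
            hits.append((m.start(), label, what, form))
    return sorted(hits)


# Constructed sample image (made up for the example, not a real executable):
SAMPLE = (b"MZ" + b"\x90" * 30
          + b"\\\\.\\SICE\x00" + b"\\\\.\\siwvid\x00"          # ANSI, one lower-case
          + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"   # wide, as CreateFileW would use
          + b"software\\numega\\softice\x00"
          + VXDCALL_INT41_4F + b"\xff\x15\x00\x00\x00\x00"      # followed by a call [imm32]
          + b"\x00" * 16)

if __name__ == "__main__":
    for offset, label, what, form in scan(SAMPLE):
        print("+%04X %-45s %s (%s)" % (offset, label, what, form))
```

Point it at a whole file (`scan(open(path, "rb").read())`) and each hit
gives the file offset to set a breakpoint on the reference to, or to patch;
a packed executable will of course only show these strings once the
unpacked image is dumped.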

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag: on return the zero flag is set when no
debugger is installed, which is what the JE tests.
</PRE></TD></TR></TBODY></TABLE>