<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BoundsChecker query by altering AL
    cmp al, 4               ; AL still 4: nobody answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (left at 0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh             ; function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number returned when a system debugger is present
    jz SoftICE_detected

The next snippet, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0, i.e. ES points to the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...and keep the old vector in DX:BX
    mov ax, 4fh
    int 41h                 ; a plain IRET unless a debugger intercepts int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; copy the value we passed in AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: an unpredictable value in AL
    xor cx, cx
    int 41h                 ; our handler copies AL to CL unless a debugger takes int 41h first
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Try to open the Win9x SoftICE driver by its device name;
   the open only succeeds when the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set means no debugger is installed

This service just checks a flag.
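As an added example (not code from the original text), here is a small static triage scanner that looks for the byte patterns and strings the methods above leave in a binary: the 'BCHK' sequence, the 4647h/4A4Dh magic values, the int 2Fh/1684h calls with the SICE and SIWVID VxD IDs, int 41h/4Fh, int 68h/43h, the VxDCall push sequence, the MeltICE device names and the NuMega registry key. It assumes standard x86 encodings (16-bit code, or 32-bit code with the 0x66 operand-size prefix); methods 06, 08, 09, 10 and 14 have no fixed byte signature and are not covered, and the sample buffer is constructed by hand.

```python
"""Static triage scanner for the anti-SoftICE tricks catalogued above.
Rules are x86 byte patterns; an optional 0x66 operand-size prefix lets one
rule match 16-bit code and 32-bit code using 16-bit registers alike.
Hits are leads for the analyst, not proof: confirm them in a disassembler."""
import re
from collections import namedtuple

P = rb"\x66?"  # optional operand-size prefix

# (method, description, pattern, SoftICE breakpoint the text gives for it, or "")
RULES = [
    ("01", "mov ebp,'BCHK' ; mov ax,4 ; int 3",
     re.compile(P + rb"\xBD\x4B\x48\x43\x42" + P + rb"\xB8\x04\x00\xCC"), ""),
    ("02", "back-door magic mov si,4647h / mov di,4A4Dh (either order)",
     re.compile(P + rb"(?:\xBE\x47\x46" + P + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + P
                + rb"\xBE\x47\x46)"), ""),
    ("03/04", "mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"), ""),
    ("05", "mov ax,4Fh ; int 41h", re.compile(rb"\xB8\x4F\x00\xCD\x41"),
     "BPINT 41 if ax==4f"),
    ("07", "mov ah,43h ; int 68h", re.compile(rb"\xB4\x43\xCD\x68"),
     "BPX exec_int if ax==68"),
    ("11", "MeltICE device name (SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     "BPX CreateFileA if *(esp->4+4)=='SICE' || ... =='SIWV' || ... =='NTIC'"),
    ("12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"), "BPINT 41 if ax==4f"),
    ("13", "SoftICE registry key", re.compile(rb"Software\\NuMega\\SoftICE", re.I),
     "BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"),
]

Hit = namedtuple("Hit", "offset method what bp")

def scan(blob: bytes) -> list:
    """Return every rule match in the buffer, ordered by file offset."""
    hits = [Hit(m.start(), method, what, bp)
            for method, what, rx, bp in RULES for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.method))

def methods_found(blob: bytes) -> set:
    """Set of method numbers (as in the text) whose signature appears in blob."""
    return {h.method for h in scan(blob)}

# Constructed sample (not a real binary): fake header, then hand-assembled
# snippets of the tricks above; each comment gives the snippet's file offset.
SAMPLE = (
    b"MZ" + b"\x90" * 14                               # 0: 16-byte fake header
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"      # 16: method 01 (32-bit code)
    + b"\x3C\x04\x75\x10"                             # 26: cmp al,4 ; jnz
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"  # 30: mov ax,911h, method 02 at 33
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"             # 41: method 03 (SICE VxD ID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"             # 49: method 05 + cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                 # 57: method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"              # 64, 73: method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                # 83: method 13 registry key
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method:<5} {h.what}  {h.bp}")
```

A hit only says the bytes are present; packers that build these sequences at run time or use other registers will not match, so treat an empty result as inconclusive.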
</PRE></TD></TR></TBODY></TABLE>