About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 here (the real-mode IVT)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; only reached if nothing else has taken int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter byte: an arbitrary value to echo back
    xor     cx,cx
    int     41h                     ; no 4Fh/0F386h handshake here, just "who answers?"
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran: cl == al. A debugger that swallowed
    jnz     SoftICE_detected        ; the int leaves cl = 0 (missed only if al read as 0)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

6 ^9 l! `7 r2 g7 l' t6 ~" [Method 09
4 d3 g% R3 V7 n' w=========
* N- M5 N& C6 Z; B' \# n( K6 d% _  m( J9 T  ^
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" M& J& M0 c$ |7 kperformed in ring0 (VxD or a ring3 app using the VxdCall).
) |( `$ k4 o2 CThe Get_DDB service is used to determine whether or not a VxD is installed, q3 s2 d2 K' q" H% v. h
for the specified device and returns a Device Description Block (in ecx) for% ^4 g  i% B& u0 e7 ~
that device if it is installed.) {0 a: M+ z* J( Z5 L1 Z

  Q3 ?+ l, e0 p  C# y' S4 n. M) R0 t$ H   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
/ J: @* j5 \( G   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
3 |# ~% J% f' {   VMMCall Get_DDB
# T( _: a9 C( h" `% B" T: \   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ R2 a; J1 @5 W0 O, A% U
+ @5 i" d1 n" G* y& Q5 f
Note as well that you can easily detect this method with SoftICE:
% F1 u; U+ l4 }$ H   bpx Get_DDB if ax==0202 || ax==7a5fh9 w( C: O& b: W0 S. }5 A$ k

& `+ ~( e8 x( `* q, j1 Q/ w__________________________________________________________________________
. k& q# M8 A* }- x
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
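A worked decoding of the two DR7 values quoted above, added here as an example; it is not part of the original text. Reading DR7 itself needs ring 0 (mov eax,dr7 faults in ring 3), so the functions below take the register value as an argument and only decode it, using the DR7 bit layout Intel documents (enable bits 0-9, reserved bit 10 fixed at 1, R/W and LEN pairs from bit 16). The 0x000D0303 sample is a constructed value standing in for a DR7 with one 4-byte write breakpoint set, not a value taken from the text.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
 *   bit 2i    L_i   local enable of breakpoint i   (i = 0..3)
 *   bit 2i+1  G_i   global enable of breakpoint i
 *   bit 8     LE    local exact-breakpoint enable
 *   bit 9     GE    global exact-breakpoint enable
 *   bit 10    reserved, always reads as 1
 *   bits 16+4i..17+4i  R/W_i  (0 exec, 1 write, 2 I/O, 3 read/write)
 *   bits 18+4i..19+4i  LEN_i  (0: 1 byte, 1: 2 bytes, 3: 4 bytes; 2 is 8 bytes in 64-bit mode)
 * So 0x400 is "nothing set" and 0x700 is "LE and GE set, no breakpoints". */
#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)

/* Bit i of the result is set when breakpoint i (DR_i) is enabled locally or globally. */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))
            mask |= 1u << i;
    return mask;
}

unsigned dr7_rw(uint32_t dr7, int i)  { return (dr7 >> (16 + 4 * i)) & 3u; }
unsigned dr7_len(uint32_t dr7, int i) { return (dr7 >> (18 + 4 * i)) & 3u; }

/* The text's loader signature: dr7 == 0x700 differs from 0x400 exactly in LE|GE. */
int dr7_has_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Clear breakpoint i the way a protector "clearing BPMs" would:
 * drop L_i/G_i and zero its R/W and LEN fields; other breakpoints are untouched. */
uint32_t dr7_clear_bp(uint32_t dr7, int i)
{
    dr7 &= ~(3u << (2 * i));
    dr7 &= ~(0xFu << (16 + 4 * i));
    return dr7;
}

static void describe(uint32_t dr7)
{
    static const char *rw[]  = { "exec", "write", "io", "read/write" };
    static const char *len[] = { "1", "2", "8 (64-bit only)", "4" };
    printf("DR7=%08x loader-signature=%d enabled=%x\n", (unsigned)dr7,
           dr7_has_loader_signature(dr7), dr7_enabled_mask(dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_enabled_mask(dr7) & (1u << i))
            printf("  DR%d: %s, %s byte(s)\n", i, rw[dr7_rw(dr7, i)], len[dr7_len(dr7, i)]);
}

int main(void)
{
    describe(0x700);        /* value the text gives when started from the SoftICE loader */
    describe(0x400);        /* value the text gives otherwise */
    describe(0x000D0303);   /* constructed: DR0 = 4-byte write breakpoint, plus LE|GE */
    describe(dr7_clear_bp(0x000D0303, 0));
    return 0;
}
```

The decode shows why the two numbers differ only by LE|GE: neither has a breakpoint enabled, which is also why a BPM you set while tracing (the constructed 0x000D0303 case) is immediately visible in bits 0-7 and 16-19 to code that can read the register.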

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds if the SICE VxD answers */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
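The constants in the two conditional breakpoints, the CreateFileA one from Method 11 (*(esp->4+4)=='SICE') and the _regopenkey one just above, can be checked rather than taken on trust. The C program below is an added example and not part of the original text: it models SoftICE's *(p)=='SICE' as a 4-byte compare of the bytes at p in memory order (esp->4 being the first stack argument, lpFileName, and esp->8 the second, lpSubKey), recomputes the 0x13 and 0x37 offsets from the three key paths listed above, and evaluates both conditions on constructed sample arguments. Function names here are mine, not Win32 or SoftICE APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SoftICE evaluates *(p)=='SICE' by comparing the dword at p with the four
 * characters of the literal in memory order; model that as a 4-byte memcmp.
 * The length check keeps the model from reading past the string, which the
 * real breakpoint would happily do. */
static int dword_matches(const char *s, size_t off, const char *lit4)
{
    return strlen(s) >= off + 4 && memcmp(s + off, lit4, 4) == 0;
}

/* Offset of the first occurrence of a 4-byte tag inside s, or -1 if absent. */
long tag_offset(const char *s, const char *lit4)
{
    const char *p = strstr(s, lit4);
    return p ? (long)(p - s) : -1;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix of a device name. */
int createfile_condition(const char *lpFileName)
{
    return dword_matches(lpFileName, 4, "SICE") ||
           dword_matches(lpFileName, 4, "SIWV") ||
           dword_matches(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 and 0x37 are where "SoftICE" ends in keys #2 and #1. */
int regopenkey_condition(const char *lpSubKey)
{
    return dword_matches(lpSubKey, 0x13, "tICE") ||
           dword_matches(lpSubKey, 0x37, "tICE");
}

/* The three subkeys from the text (HKEY_LOCAL_MACHINE is the hKey argument, not part of the string). */
static const char *const keys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

int main(void)
{
    /* constructed sample arguments: the three SoftICE device names plus an unrelated one */
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0" };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(\"%s\") -> break=%d\n", names[i], createfile_condition(names[i]));
    for (size_t i = 0; i < 3; i++)
        printf("key #%zu: 'tICE' at offset %ld, break=%d\n", i + 1,
               tag_offset(keys[i], "tICE"), regopenkey_condition(keys[i]));
    return 0;
}
```

Running it puts 'tICE' at 0x37 in key #1 and at 0x13 in key #2, the two constants in the breakpoint. Key #3 (App Paths\Loader32.Exe) contains no 'tICE' at all, so a program that only reads that key is not caught by this BPX; a device name like \\.\PhysicalDrive0 does not trigger the CreateFileA condition, as intended.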

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>