<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 if nobody answered the call
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (es must point
    xchg bx, es:[41h*4+2]   ; at the IVT, segment 0) and keep the old vector
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; still F386h if a debugger answered despite the swap
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler: remember al in cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl==al only if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

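As an added example (not code from the original text), here is a Python decoder for the DR7 layout that Method 10 relies on. It shows that the two values quoted above, 0x700 and 0x400, differ only in the LE/GE 'exact' bits and enable no breakpoint at all, while a memory breakpoint set through dr0..dr3 shows up in the L<n>/G<n> enable bits and in the RW/LEN fields. The register values below are constructed for the demonstration; a ring-0 reader would pass in the registers it actually read.

```python
"""Decode x86 DR7 the way a ring-0 check of the debug registers (Method 10) would.
Added example; the register values below are constructed, not read from a machine."""
from dataclasses import dataclass

# The two values quoted in the text, plus one constructed value with a breakpoint enabled.
DR7_SOFTICE_LOADER = 0x700   # LE/GE set: program started through the SoftICE loader
DR7_PLAIN = 0x400            # only the reserved bit 10, which always reads as 1
DR7_WITH_BPM = DR7_PLAIN | 0x1 | (0b0111 << 16)   # L0=1, RW0=11 (read/write), LEN0=01 (2 bytes)

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # LEN=10 means 8 bytes only in 64-bit mode


@dataclass
class HwBreakpoint:
    index: int       # which of DR0..DR3
    address: int     # linear address held in that register
    local: bool      # L<n> bit (cleared by the CPU on a task switch)
    global_: bool    # G<n> bit
    kind: str        # decoded RW<n>
    length: int      # decoded LEN<n>, in bytes


def decode_dr7(dr7, dr0_3):
    """Return the hardware breakpoints enabled by DR7.

    Bits 0-7 are L0,G0 .. L3,G3; bits 16-31 hold four 4-bit fields, each
    RW<n> (low 2 bits) followed by LEN<n> (high 2 bits).
    """
    found = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        field = (dr7 >> (16 + 4 * n)) & 0xF
        rw, ln = field & 0b11, field >> 2
        found.append(HwBreakpoint(n, dr0_3[n], local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return found


def describe_dr7(dr7):
    """The control bits the text cares about, independent of any breakpoint."""
    return {
        "LE": bool(dr7 & 0x100),            # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),            # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),
        "any_bp_enabled": bool(dr7 & 0xFF),
    }


def report(dr7, dr0_3):
    """Human-readable summary of what a Method 10 style check would see."""
    flags = describe_dr7(dr7)
    lines = [f"dr7={dr7:#x} LE={flags['LE']} GE={flags['GE']}"]
    for bp in decode_dr7(dr7, dr0_3):
        scope = "local" if bp.local else "global"
        lines.append(f"  dr{bp.index}={bp.address:#010x} {scope} {bp.kind} len={bp.length}")
    if len(lines) == 1:
        lines.append("  no hardware breakpoint enabled")
    return "\n".join(lines)


if __name__ == "__main__":
    regs = [0x00401000, 0, 0, 0]      # constructed dr0..dr3 contents
    for dr7 in (DR7_PLAIN, DR7_SOFTICE_LOADER, DR7_WITH_BPM):
        print(report(dr7, regs))
```

Reading the registers is the ring-0 part the text insists on; the decoding is plain bit arithmetic, and a check that only compares dr7 against 0x700 would miss the breakpoint fields entirely.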
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver accepted the open request,
   i.e. if SoftICE for Win9x is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

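As an added example (not code from the original text nor from any of the tools it names), the following Python scanner turns the instruction sequences of Methods 01 to 07 and the strings of Methods 11 and 13 into byte signatures, so that an analyst triaging a packed binary can locate these stubs statically before stepping through them. The byte encodings are the standard 16-bit ones for Methods 02 to 07 and the 32-bit one for Method 01 (its mov ebp needs a 32-bit operand); the sample buffer is constructed here to exercise the patterns.

```python
"""Static byte-signature scan for the SoftICE checks described in this text.
Added example: the patterns encode the instruction sequences of Methods 01-07
(16-bit encodings, except Method 01 which uses ebp and is therefore 32-bit code)
and the device/registry strings of Methods 11 and 13. SAMPLE is a constructed buffer."""
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz rel8
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75.", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) / int 3
    "M02 back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh / int 41h, then cmp ax,0F386h within a few bytes
    # (the two vector-swapping xchg instructions of Stone's variant fit in between)
    "M05 int 41h/4Fh magic F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68h/43h magic F386h":
        re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3", re.DOTALL),
    # Method 11: device names opened with CreateFileA or _lopen
    "M11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys looked up with RegOpenKey
    "M13 SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                   re.IGNORECASE),
}


def scan(blob):
    """Return [(offset, signature name)] for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a whole file read in binary mode."""
    with open(path, "rb") as f:
        return scan(f.read())


def _hex(s):
    return bytes.fromhex(s.replace(" ", ""))


# Constructed buffer: NOP padding around hand-assembled copies of the stubs above.
SAMPLE = (
    b"\x90" * 8
    + _hex("BD4B484342 66B80400 CC 3C04 7510")                 # Method 01 stub
    + b"\x90" * 4
    + _hex("B81109 8B17 BE4746 BF4D4A CC")                      # Method 02, Haspinst order
    + b"\x90" * 4
    + _hex("B88416 BB0202 CD2F")                                # Method 03
    + b"\x90" * 4
    + _hex("B84F00 CD41 2687160401 26871E0601 3D86F3")          # Method 05, Stone's variant
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                        # Method 11 device name
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13 registry key
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A miss proves nothing: packers routinely split or obfuscate these sequences, and a check assembled as 32-bit code encodes cmp ax with a 66h prefix that the 16-bit patterns above do not cover. A hit, on the other hand, tells you exactly where the stub sits and which of the breakpoints listed in this text applies to it.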
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>