<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to segment 0 (the IVT)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our own handler was run
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
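
As an added illustration of the two dr7 values quoted above (this is not code from the original text), the following Python decodes a DR7 value into its documented fields. Bit 10 of DR7 is a reserved bit that reads as 1 on Intel processors, which is why an untouched DR7 reads 0x400; 0x700 additionally has the LE and GE bits (bits 8 and 9) set, the 'exact breakpoint' enables a debugger turns on when it arms hardware breakpoints. The bit layout is the one documented in the Intel architecture manual; the sample values are the two from the text plus one constructed value (build_dr7 is a helper written for this example) that arms a 4-byte write breakpoint in DR0.

```python
# Decoder for the x86 DR7 debug-control register (added example, not from the
# original text). Field layout follows the Intel architecture manual.
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_KINDS = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1 byte, 01=2, 10=8 (64-bit only), 11=4


def decode_dr7(value: int) -> dict:
    """Split a DR7 value into its named fields."""
    return {
        "L": [(value >> (2 * i)) & 1 for i in range(4)],         # local enable per breakpoint
        "G": [(value >> (2 * i + 1)) & 1 for i in range(4)],     # global enable per breakpoint
        "LE": (value >> 8) & 1,                                   # local exact breakpoint enable
        "GE": (value >> 9) & 1,                                   # global exact breakpoint enable
        "reserved10": (value >> 10) & 1,                          # reserved, reads as 1
        "GD": (value >> 13) & 1,                                  # general detect (trap on MOV to DRx)
        "RW": [(value >> (16 + 4 * i)) & 3 for i in range(4)],   # breakpoint condition
        "LEN": [(value >> (18 + 4 * i)) & 3 for i in range(4)],  # breakpoint length
    }


def active_breakpoints(value: int) -> list[dict]:
    """Return one record per DRn whose local or global enable bit is set."""
    f = decode_dr7(value)
    return [
        {"index": i, "scope": "global" if f["G"][i] else "local",
         "kind": RW_KINDS[f["RW"][i]], "length": LEN_KINDS[f["LEN"][i]]}
        for i in range(4) if f["L"][i] or f["G"][i]
    ]


def debugger_hint(value: int) -> str:
    """Classify a DR7 value the way the text above does."""
    f = decode_dr7(value)
    if active_breakpoints(value):
        return "hardware breakpoints armed"
    if f["LE"] and f["GE"]:
        return "exact-breakpoint enables set (dr7 == 0x700 pattern)"
    return "pristine (dr7 == 0x400 pattern)"


def build_dr7(index: int, rw: int, length_code: int, local: bool = True) -> int:
    """Construct a DR7 value arming one breakpoint (helper for the constructed sample)."""
    enable_bit = 2 * index + (0 if local else 1)
    return ((1 << 10) | (1 << enable_bit)
            | (rw << (16 + 4 * index)) | (length_code << (18 + 4 * index)))


if __name__ == "__main__":
    for v in (0x400, 0x700, build_dr7(0, rw=1, length_code=3)):
        print(hex(v), debugger_hint(v), active_breakpoints(v))
```

Reading DR0-DR3 directly, as the text says, is only possible in ring0; the decoder above is meant for values obtained that way or from a crash dump.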

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
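
The constants and strings quoted in methods 01, 02, 03/04, 05/07, 11 and 13 above form a compact static signature set for an analyst triaging a sample for anti-SoftICE code, the file-side counterpart of the BPX conditions listed. The following Python is an added example and not part of the original text: it searches a byte image for those little-endian constants, requires a plausible neighbouring opcode (int 3, int 2Fh, int 41h or int 68h) before reporting a numeric hit so that a stray 0F386h word is not flagged on its own, and reports the device names and registry key strings wherever they occur. The WINDOW distance and the labels are choices made for this example; the sample image is constructed inline from the instruction encodings of methods 01 and 05 plus two of the strings, and a real executable would simply be read from disk and passed to the same function.

```python
import struct

# Added example, not code from the original text. Static indicators for the
# SoftICE checks listed above, as the bytes they leave in a binary image.
WINDOW = 16   # how far (bytes) a confirming opcode may sit from the constant

INT3, INT2F, INT41, INT68 = b"\xCC", b"\xCD\x2F", b"\xCD\x41", b"\xCD\x68"

# (label, constant bytes, tuple of opcode sequences, one of which must be near)
CODE_INDICATORS = [
    ("Method 01: 'BCHK' BoundsChecker handshake before int 3",
     struct.pack("<I", 0x4243484B), (INT3,)),
    ("Method 02: back door magic SI=4647h before int 3",
     struct.pack("<H", 0x4647), (INT3,)),
    ("Method 02: back door magic DI=4A4Dh before int 3",
     struct.pack("<H", 0x4A4D), (INT3,)),
    ("Method 03: int 2Fh/1684h with SICE VxD ID 0202h",
     struct.pack("<H", 0x0202), (INT2F,)),
    ("Method 04: int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     struct.pack("<H", 0x7A5F), (INT2F,)),
    ("Method 05/07: debugger magic 0F386h next to int 41h or int 68h",
     struct.pack("<H", 0xF386), (INT41, INT68)),
]

# Strings are reported wherever they occur; the '\\.\' prefix keeps them specific.
STRING_INDICATORS = [
    ("Method 11: device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("Method 11: device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("Method 11: device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    ("Method 13: registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    ("Method 13: registry key ...\\Uninstall\\SoftICE", b"\\Uninstall\\SoftICE"),
    ("Method 13: registry key ...\\App Paths\\Loader32.Exe", b"App Paths\\Loader32.Exe"),
]


def _offsets(blob: bytes, needle: bytes):
    """Yield every offset at which needle occurs in blob (overlaps included)."""
    start = 0
    while (pos := blob.find(needle, start)) != -1:
        yield pos
        start = pos + 1


def find_indicators(blob: bytes, window: int = WINDOW) -> list[tuple[int, str]]:
    """Return (offset, label) pairs for every indicator found, sorted by offset."""
    hits = []
    for label, const, opcodes in CODE_INDICATORS:
        for pos in _offsets(blob, const):
            ctx = blob[max(0, pos - window): pos + len(const) + window]
            if any(op in ctx for op in opcodes):
                hits.append((pos, label))
    for label, text in STRING_INDICATORS:
        hits.extend((pos, label) for pos in _offsets(blob, text))
    return sorted(hits)


# Constructed sample image: the Method 01 and Method 05 fragments as encoded
# bytes, padded with NOPs, then a Method 11 device name and a Method 13 key.
SAMPLE = (
    b"\xBD" + struct.pack("<I", 0x4243484B)   # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"                     # mov ax, 4
    + b"\xCC"                                 # int 3
    + b"\x3C\x04" + b"\x75\x10"               # cmp al, 4 / jnz
    + b"\x90" * 8
    + b"\xB8\x4F\x00"                         # mov ax, 4Fh   (16-bit code)
    + b"\xCD\x41"                             # int 41h
    + b"\x3D" + struct.pack("<H", 0xF386)     # cmp ax, 0F386h
    + b"\x74\x10"                             # jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, label in find_indicators(SAMPLE):
        print(f"0x{off:04X}  {label}")
```

Method 12 (the VxDCall variant) leaves the 0F386h word next to a call rather than an int instruction, so it is deliberately outside this signature set; a disassembler pass is needed for that one.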
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>