<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; al is still 4 when nothing answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; (added) es = 0 so es:[41h*4] addresses the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]   ; ...keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our own handler leaves ax untouched
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value read from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler was the one called
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
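The following Python snippet is an added example, not part of the original
text, that decodes a DR7 value field by field so the two numbers quoted above
can be compared bit by bit. It goes a little beyond the text: it also reports
which of dr0..dr3 are armed and with what condition and length. The bit
layout is the one Intel documents for DR7; 0x700 and 0x400 are the values
quoted in Method 10, and 0xD0001 is a constructed sample value.

```python
# Added example (not from the original text): decode the x86 DR7 debug
# control register so the values quoted in Method 10 can be compared field
# by field.  Bit positions follow the Intel SDM layout of DR7.

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LENx encoding -> breakpoint length

def decode_dr7(dr7):
    """Return the armed breakpoint slots and the control flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)       # Ln: enabled for this task
        glob = bool((dr7 >> (2 * n + 1)) & 1)    # Gn: enabled for all tasks
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3       # R/Wn: break condition
            ln = (dr7 >> (18 + 4 * n)) & 3       # LENn: monitored size
            slots.append({"slot": n, "local": local, "global": glob,
                          "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint match
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint match
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally always 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: trap MOV DRx
    }

def hardware_breakpoints_present(dr7):
    """True when any of dr0..dr3 is armed, i.e. a BPM-style breakpoint exists."""
    return bool(decode_dr7(dr7)["breakpoints"])

def looks_like_softice_loader(dr7):
    """Rule of thumb from Method 10: 0x700 (LE and GE set on top of the
    reserved bit) when started from the SoftICE loader, 0x400 (reserved bit
    only) otherwise.  Decoding shows that LE/GE are exactly the difference."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]

if __name__ == "__main__":
    # 0xD0001 is a constructed sample: a local 4-byte write breakpoint in dr0
    for value in (0x400, 0x700, 0xD0001):
        print(hex(value), decode_dr7(value))
```

Running it shows that 0x400 carries nothing but the always-set reserved bit,
while 0x700 adds LE and GE; any non-empty "breakpoints" list means a memory
breakpoint is armed in dr0..dr3, which is the second condition the text
describes.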
___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD as a device: the open only succeeds when the
       driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* SICE driver present */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; eax was -1 (HFILE_ERROR) if the open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
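As an added example (not from the original text), here is a small static
scanner in Python that searches a binary for the byte patterns of the checks
listed in Methods 01 through 07 and 12, and for the device names of Method 11
and the registry key names of Method 13. This is the kind of triage an
analyst runs over a sample before loading it into a debugger. The opcode
bytes in the signature table are standard 16-bit x86 encodings I derived from
the mnemonics on the page (the page itself lists no opcodes); the signature
labels are mine; and the sample buffer is constructed: it reassembles the
Haspinst.exe loop from Method 02 at its listed offsets, followed by the
Method 03 fragment, a MeltICE device name and a Method 13 registry key.

```python
# Added example (not from the original text): static scanner for the byte
# patterns of the SoftICE checks in Methods 01-07 and 12 and for the names
# used by Methods 11 and 13.  Opcode encodings are assumed by me from the
# mnemonics (standard 16-bit x86); labels and the sample buffer are mine.

def _string_sig(label, s):
    """A one-part signature for a literal device/registry name."""
    return (label + " " + s.decode("ascii"), [s], len(s))

# (label, byte sequences that must occur in this order, max span in bytes)
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' + int 3",
     [b"\xBD\x4B\x48\x43\x42", b"\xCC"], 16),             # mov ebp,'BCHK' .. int 3
    ("M02 int 3 back door SI=4647h DI=4A4Dh",
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"], 16),    # mov si / mov di / int 3
    ("M03 int 2Fh/1684h VxD 0202h (SICE)",
     [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"], 16),  # mov ax / mov bx / int 2Fh
    ("M04 int 2Fh/1684h VxD 7A5Fh (SIWVID)",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"], 16),
    ("M05 int 41h/4Fh magic 0F386h",
     [b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3"], 32),  # mov ax,4Fh / int 41h / cmp
    ("M06 in al,40h + int 41h handler swap",
     [b"\xE4\x40", b"\xCD\x41"], 16),                      # in al,40h .. int 41h
    ("M07 int 68h/43h magic 0F386h",
     [b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3"], 16),    # mov ah,43h / int 68h / cmp
    ("M12 VxDCall VWIN32_Int41Dispatch",
     [b"\x68\x2A\x00\x2A\x00", b"\x3D\x86\xF3"], 32),      # push 2A002Ah .. cmp ax,0F386h
    _string_sig("M11 MeltICE device name", b"\\\\.\\SICE"),
    _string_sig("M11 MeltICE device name", b"\\\\.\\SIWVID"),
    _string_sig("M11 MeltICE device name", b"\\\\.\\NTICE"),
    _string_sig("M13 SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    _string_sig("M13 SoftICE registry key", b"Uninstall\\SoftICE"),
    _string_sig("M13 SoftICE registry key", b"App Paths\\Loader32.Exe"),
]

def _parts_in_window(data, start, parts, window):
    """True if every part occurs, in order, inside data[start:start+window]."""
    pos = start
    for part in parts:
        idx = data.find(part, pos, start + window)
        if idx == -1:
            return False
        pos = idx + len(part)
    return True

def scan_signatures(data):
    """Return [(label, offset), ...] for every signature hit in data."""
    hits = []
    for label, parts, window in SIGNATURES:
        start = data.find(parts[0])
        while start != -1:
            if _parts_in_window(data, start, parts, window):
                hits.append((label, start))
            start = data.find(parts[0], start + 1)
    return hits

# Constructed sample: the Haspinst.exe loop of Method 02 reassembled so that
# each instruction lands on its listed offset (4C19:0095..00AD).
HASPINST_LOOP = bytes([
    0xB8, 0x11, 0x09,        # 0095 MOV AX,0911
    0x8B, 0x17,              # 0098 MOV DX,[BX]
    0xBE, 0x47, 0x46,        # 009A MOV SI,4647
    0xBF, 0x4D, 0x4A,        # 009D MOV DI,4A4D
    0xCC,                    # 00A0 INT 3
    0x83, 0xC3, 0x02,        # 00A1 ADD BX,02
    0x41,                    # 00A4 INC CX
    0x83, 0xF9, 0x06,        # 00A5 CMP CX,06
    0x72, 0xEB,              # 00A8 JB 0095
    0xE9, 0x55, 0xFF,        # 00AA JMP 0002
    0x8B, 0xDC,              # 00AD MOV BX,SP
])
# Constructed sample: the int 2Fh/1684h check of Method 03.
INT2F_CHECK = bytes([
    0x33, 0xFF,              # xor di,di
    0x8E, 0xC7,              # mov es,di
    0xB8, 0x84, 0x16,        # mov ax,1684h
    0xBB, 0x02, 0x02,        # mov bx,0202h
    0xCD, 0x2F,              # int 2Fh
    0x8C, 0xC0,              # mov ax,es
    0x03, 0xC7,              # add ax,di
    0x85, 0xC0,              # test ax,ax
    0x75, 0x05,              # jnz SoftICE_Detected (arbitrary displacement)
])
SAMPLE = (b"\x90" * 4 + HASPINST_LOOP + b"\x90" * 3 + INT2F_CHECK
          + b"\x00" * 2 + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for label, offset in scan_signatures(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

The ordered-parts-within-a-window rule is what makes the table tolerant of
the register moves being interleaved with other instructions, as in the
Haspinst loop where MOV AX,0911 and MOV DX,[BX] sit between the magic-value
loads; a signature only fires when every part is present, so a stray int 2Fh
without the 1684h/0202h setup is not reported.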

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>