<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; a bare iret leaves ax untouched (ax stays 4fh)
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the timer port
    xor cx,cx
    int 41h                 ; if a debugger owns int 41h, our handler never runs
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl still 0 -> the call never reached our handler
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
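
As an added example (not part of the original text), here is a static scanner
that looks for the byte-level fingerprints of methods 01-05/07/11/12 above in a
raw code/data blob, so an analyst can list which SoftICE checks a packer carries
before stepping into it. The signature names and the sample bytes are my own
construction; only the exact instruction forms quoted on this page are matched.

```python
import re
import struct

# The four bytes  \\.\  that start a Win32 device name (Method 11).
DEVICE_PREFIX = b"\\\\.\\"

# Byte-level fingerprints of the checks above (x86, 16/32-bit, little-endian).
# The names are my own labels; only the exact instruction forms quoted on this
# page are matched, so variants (other registers, split immediates) are missed.
SIGNATURES = {
    # Method 01: mov ebp,04243484Bh  ->  BD 4B 48 43 42 ('BCHK' as a dword)
    "m01_boundschecker_bchk": re.compile(
        rb"\xBD" + re.escape(struct.pack("<I", 0x4243484B))),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3  ->  BE 47 46 .. BF 4D 4A .. CC
    "m02_int3_backdoor_magics": re.compile(
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "m03_04_int2f_get_entry_point": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Methods 05/06/07/12: cmp ax,0F386h  ->  3D 86 F3 (66-prefixed in 32-bit code)
    "magic_f386_compare": re.compile(rb"\x3D\x86\xF3"),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "m12_vxdcall_int41_dispatch": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen
    "m11_device_name": re.compile(
        re.escape(DEVICE_PREFIX) + rb"(?:SICE|SIWVID|NTICE)\x00"),
}

def scan_for_softice_checks(data: bytes) -> dict:
    """Return {signature name: [offsets]} for every fingerprint found in data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample: a Method 02 fragment (16-bit) and a Method 11 fragment
# (32-bit) stitched together with padding; not taken from any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\x68\x25\x20\x40\x00"   # push offset "\\.\SICE"
    + b"\xE8\x00\x00\x00\x00"   # call CreateFileA (relocation not modelled)
    + b"\x83\xF8\xFF"           # cmp eax,-1
    + b"\x00" * 3
    + DEVICE_PREFIX + b"SICE\x00"
)

if __name__ == "__main__":
    for name, offsets in scan_for_softice_checks(SAMPLE).items():
        print(name, [hex(o) for o in offsets])
```

Run it against a dumped code section (or the unpacked image) rather than the
packed file, since the checks usually sit inside the decrypted stub.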
</PRE></TD></TR></TBODY></TABLE>