About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter (changing value)
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless the debugger took the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
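Most of the checks above are recognisable by a handful of constants: the 'BCHK' immediate of method 01, SI=4647h/DI=4A4Dh of method 02, the int 2Fh/1684h VxD IDs of methods 03 and 04, the int 41h/4Fh call and 0F386h magic of method 05, int 68h/43h of method 07, the \\.\SICE device names of method 11 and the 002A002Ah VxDCall service of method 12. As an added example that is not part of the original post, here is a Python scanner an analyst could run over a code section to flag those byte patterns; the instruction encodings and the sample buffer are assumptions/constructed, not taken from any real binary.

```python
import re

# Byte signatures for the checks listed above. Assumption: standard x86
# encodings with 16-bit immediates as in the DOS/Win9x-era samples; 66h
# prefixes are left out of the patterns so 32-bit code matches as well.
SIGNATURES = [
    (1, "BoundsChecker back door: mov ebp,4243484Bh ('BCHK') ... int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    (2, "SoftICE back door: mov si,4647h; mov di,4A4Dh ... int 3",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL)),
    (3, "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", re.DOTALL)),
    (4, "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", re.DOTALL)),
    (5, "int 41h/4Fh followed by cmp ax,0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    (7, "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL)),
    (11, "MeltICE: SoftICE driver device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    (12, "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 002A002Ah",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
]


def scan(buf: bytes) -> list:
    """Return (offset, method number, description) for every signature hit."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(buf: bytes) -> list:
    """Distinct method numbers present in buf, ascending."""
    return sorted({method for _, method, _ in scan(buf)})


def split_vxdcall_service(service: int) -> tuple:
    """Split a VxDCall service number (method 12) into (VxD ID, service)."""
    return (service >> 16) & 0xFFFF, service & 0xFFFF


# Constructed sample: the page's snippets assembled back to back and padded
# with NOPs, standing in for a code section read from a suspect executable.
SAMPLE = (
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x05"  # 01, 32-bit
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # 02, Haspinst, 16-bit
    + b"\x90" * 4
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # 03, 16-bit
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"  # 05, 16-bit
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"  # 11, device name
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"  # 12
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:06x}  method {method:02d}  {desc}")
```

Pattern windows (`.{0,8}?`, `.{0,16}?`) tolerate a few interleaved instructions, so a variant that reorders the register loads or pads with junk still matches; expect false positives on data that happens to contain these constants and confirm hits by disassembling at the reported offset.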