About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
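An added example, not code from the original article: a Python scanner that turns the register-and-interrupt signatures of Methods 01 through 07 into byte patterns, so an analyst can flag which of these anti-SoftICE checks a sample carries without stepping through it. The opcode encodings are standard x86; the sample bytes are constructed here and taken from no real file.

```python
import re
import sys

# Byte-level signatures for the checks of Methods 01-07. Encodings are
# standard x86 (16-bit code unless noted):
#   B8 iw = mov ax,imm16   BB iw = mov bx,imm16   BE iw = mov si,imm16
#   BF iw = mov di,imm16   B4 ib = mov ah,imm8    E4 ib = in al,imm8
#   CD ib = int imm8       CC = int 3             3D iw = cmp ax,imm16
#   BD id = mov ebp,imm32 (32-bit code)   26 87 16 04 01 = xchg dx,es:[104h]
# '.{0,N}' tolerates a few unrelated bytes between the characteristic
# immediates and the interrupt that consumes them.
SIGNATURES = {
    "M01 'BCHK' in ebp then int 3":      rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    "M02 int 3 back door SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC",
    "M03 int 2Fh/1684h VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F",
    "M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F",
    "M05 int 41h function 4Fh":          rb"\xB8\x4F\x00.{0,16}\xCD\x41",
    "M05/M07 cmp ax with magic F386h":   rb"\x3D\x86\xF3",
    "M05/M06 int 41h vector swap es:[41h*4]": rb"\x26\x87\x16\x04\x01",
    "M06 in al,40h then int 41h":        rb"\xE4\x40.{0,8}\xCD\x41",
    "M07 int 68h function 43h":          rb"\xB4\x43.{0,8}\xCD\x68",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {signature name: [offsets]} for every signature present in blob."""
    hits = {}
    for name, pat in COMPILED.items():
        offsets = [m.start() for m in pat.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: Method 02, 03 and 05 sequences separated by NOP sleds.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h/si,4647h/di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in scan(data).items():
        print(name + ": " + ", ".join("0x%X" % o for o in offsets))
```

Run it with a file path to scan a real sample; with no argument it scans the constructed bytes.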

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
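An added example, not part of the original article: a Python decoder for the DR7 debug-control register that Method 10 reads, showing why the two values quoted differ (bit 10 of DR7 is reserved and always reads as 1, giving the bare 0x400; 0x700 additionally has the LE and GE bits set) and how to list which of dr0 to dr3 currently hold an enabled memory breakpoint. The sample register values are constructed, not captured from a machine.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i   = Li  local enable for breakpoint i (i = 0..3)
#   bit 2i+1 = Gi  global enable for breakpoint i
#   bit 8    = LE, bit 9 = GE  (exact-breakpoint hints)
#   bit 10   = reserved, always reads as 1  (hence the bare value 0x400)
#   bit 13   = GD  general detect: trap any access to the debug registers
#   bits 16+4i..17+4i = R/Wi condition, bits 18+4i..19+4i = LENi size
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its flags and the list of enabled hardware breakpoints."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i holds no active BPM
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({"slot": i, "local": bool(local), "global": bool(glob),
                            "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
    }


def loader_signature(dr7: int) -> bool:
    """Method 10's heuristic: 0x700 (LE and GE both set) versus the plain 0x400."""
    flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def active_bpm_slots(dr7: int) -> list:
    """Slots dr0..dr3 whose enable bits are set, i.e. memory breakpoints present."""
    return [bp["slot"] for bp in decode_dr7(dr7)["breakpoints"]]


# Constructed sample values:
#   0x700   -> LE, GE and the reserved bit: what Method 10 attributes to the loader
#   0x400   -> reserved bit only: nothing set
#   0xD0401 -> 0x400 | L0 | R/W0=write | LEN0=4 bytes: a 4-byte write BPM on dr0
if __name__ == "__main__":
    for value in (0x700, 0x400, 0xD0401):
        print("dr7=%#x: %s" % (value, decode_dr7(value)))
```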

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE Win9x driver can be opened by its device name. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>