About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
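The scanner below is an added example and not part of the original post: it turns the instruction sequences and strings from methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above into byte-level search patterns, so a packed DOS or Win9x binary can be checked for these anti-SoftICE tricks statically, before any of them runs under the debugger. It goes beyond the single-method snippets in the text by covering several methods in one pass. The opcode bytes are the standard 16-bit x86 encodings of the instructions shown in the post (32-bit code carries the same bytes behind a 66h operand-size prefix, so they still match); the wildcard gaps are an assumption about how much unrelated code a packer interleaves, and the sample "binary" at the bottom is constructed for the demonstration, not a real file.

```python
"""Static scanner for the anti-SoftICE checks described in the post.

Each entry pairs a method number from the text with the byte encoding of
the instructions or strings that method leaves in a binary.  The opcode
patterns are the 16-bit (DOS) encodings; 32-bit code emits the same bytes
behind a 66h operand-size prefix, so they still match.  The wildcard gaps
(.{0,N}?) absorb unrelated instructions a packer may interleave (assumed
maximum distances, tune for the target).
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK'), then int 3 within a few bytes
    "01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM'), either order
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                   re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point":
        re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                   re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    "05 int 41h/4Fh debugger check":
        re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h WinICE handler":
        re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah (VWIN32_Int41Dispatch)
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11 (MeltICE / _lopen): driver device names passed to CreateFileA
    "11 SoftICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry paths that reveal the SoftICE install directory
    "13 SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                   re.IGNORECASE),
}


def scan(data):
    """Return (offset, signature name) for every hit in data, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not a real executable): Method 01 and Method 02 as they
# would be assembled in 16-bit code, then the strings a MeltICE-style check
# carries, then the 32-bit Method 12 stub.  NOPs stand in for real code.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh (66h prefix: 16-bit code)
    + b"\xB8\x04\x00"                  # mov ax,4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al,4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x11\x09"                  # mov ax,0911h  (execute SIce command)
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"               # device name opened by CreateFileA
    + b"Software\\NuMega\\SoftICE\x00" # registry key #2 from Method 13
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah
)


if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  method {name}")
```

Run it against a real file with `scan(open(path, "rb").read())`. Hits are only a starting point: the back-door values (SI/DI) or 0F386h can be built at run time rather than appear as immediates, and packers that decrypt their anti-debug stub on the fly will show nothing until the unpacked image is dumped, which is exactly the case where the BPX/BPINT breakpoints listed in the post take over.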