<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :).

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h  ; VxD ID of winice
    int 2Fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax     ; ES:DI is still 0000:0000 if no VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh  ; VxD ID of SIWVID
    int 2fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped with a
dummy handler, so that without a system debugger the call returns with ax
unchanged (ES must be 0 here, as in Method 06, so that es:[41h*4] addresses
the interrupt vector table):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (there
is no 4Fh/0F386h constant to break on). The dummy handler copies al into cl;
al holds a byte read from the timer (in al, 40h) and cx was cleared, so
cl==al only if the dummy handler actually ran. When SoftICE handles int 41h
itself, cl stays 0 and the compare fails (a timer byte of 0 would give a
false negative):

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number   ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD answered the DIOC_OPEN that CreateFileA sends it. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* release the handle before reporting */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
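
As an added, defender-side example (not part of the original text), here is a Python static scanner that looks for the byte-level fingerprints of methods 01 to 07, 11, 12 and 13 above in a raw code image, the kind of triage an analyst runs over a packed sample before debugging it. The sample input is constructed here from the Haspinst.exe listing of Method 02 plus the Method 03, 05 and 11 snippets; the opcode encodings and the byte gaps allowed between instructions are my own assumptions, not part of the page.

```python
import re
from typing import List, Tuple

# Byte fingerprints of the anti-SoftICE tricks described above (method numbers
# refer to the sections of this page). Each regex is the 16-bit real-mode (or,
# for 11/12, flat 32-bit) encoding of the listed instructions; the .{0,n}?
# gaps tolerate a few unrelated bytes between them (assumed, not from the page).
SIGNATURES: List[Tuple[str, bytes]] = [
    ("01 BoundsChecker 'BCHK' in ebp",         rb"\x66?\xbd\x4b\x48\x43\x42"),
    ("02 int 3 back door SI=4647h/DI=4A4Dh",
     rb"(?:\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46).{0,4}?(?:\xcc|\xcd\x03)"),
    ("03 int 2Fh/1684h VxD ID 0202h (SICE)",   rb"\xb8\x84\x16.{0,4}?\xbb\x02\x02.{0,4}?\xcd\x2f"),
    ("04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", rb"\xb8\x84\x16.{0,4}?\xbb\x5f\x7a.{0,4}?\xcd\x2f"),
    ("05 int 41h function 4Fh",                rb"\xb8\x4f\x00.{0,24}?\xcd\x41"),
    ("06 int 41h after in al,40h",             rb"\xe4\x40.{0,4}?\xcd\x41"),
    ("07 int 68h function 43h",                rb"\xb4\x43.{0,4}?\xcd\x68"),
    ("11 MeltICE device name",                 rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",    rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("13 NuMega registry key",                 rb"Software\\NuMega\\SoftICE"),
    ("weak: cmp ax,0F386h magic (05/07/12)",   rb"\x3d\x86\xf3"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]

def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits)

def methods_found(data: bytes) -> List[str]:
    """Distinct method numbers hit (two-character prefix), weak indicators excluded."""
    return sorted({name[:2] for _, name in scan(data) if not name.startswith("weak")})

# Constructed sample image: the Haspinst.exe loop from Method 02 re-encoded by
# hand (B8 11 09 = MOV AX,0911 ... 72 EB = JB 0095, E9 55 FF = JMP 0002),
# followed by the Method 03, 05 and 11 snippets, separated by NOP padding.
HASP_LOOP = bytes.fromhex("b81109 8b17 be4746 bf4d4a cc 83c302 41 83f906 72eb e955ff")
SAMPLE = (b"\x90" * 16 + HASP_LOOP
          + b"\x90" * 8 + bytes.fromhex("31ff 8ec7 b88416 bb0202 cd2f")   # Method 03
          + b"\x90" * 8 + bytes.fromhex("b84f00 cd41 3d86f3")             # Method 05
          + b"\x90" * 8 + b"\\\\.\\SICE\x00")                               # Method 11

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(image):
        print(f"{offset:08x}  {name}")
```

Run it on a raw DOS .EXE or an unpacked PE section; hits on relocated or self-decrypting code will only appear once the image has been dumped in decrypted form.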
</PRE></TD></TR></TBODY></TABLE>