<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WinICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax         ; ES:DI is still 0:0 if no VxD answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es must address the IVT (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy int 41h handler, saving the
    xchg bx, es:[41h*4+2]   ; previous vector in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; the vector only points at an iret, so only a
    jz SoftICE_detected     ; debugger can have answered 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx, cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless a debugger took the interrupt instead
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

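The instruction sequences quoted in Methods 01 to 05, 07 and this one can also be matched statically in a sample before it is ever run. The following Python scanner is an added example, not code from the original text or from any packer or tool it names; it assumes the standard x86 encodings of the quoted instructions and scans a constructed byte buffer.

```python
"""Static scanner for the anti-SoftICE instruction sequences of Methods
01 to 05, 07 and 12 (added example, not code from the text or the tools it
names). Patterns are the standard x86 encodings of the quoted instructions:
B8/BB/BE/BF = mov ax/bx/si/di,imm16; CD = int imm8; CC = int 3;
3D = cmp ax,imm16; B4 = mov ah,imm8; BD = mov ebp,imm32; 68 = push imm32."""
import re
from typing import List, Tuple

# ".{0,8}?" tolerates a few unrelated bytes between the tell-tale
# instructions (setup order varies between packers); re.S lets "." match
# every byte value, including 0x0A.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' + int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     rb"\xB8([\x10-\x14])\x09.{0,8}?\xBE\x47\x46.{0,4}?\xBF\x4D\x4A.{0,4}?\xCC"),
    ("03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    ("05 int 41h/4Fh compared with 0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("07 int 68h/43h compared with 0F386h",
     rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat, re.S)) for name, pat in SIGNATURES]

def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every pattern found, lowest offset first."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            desc = name
            if m.groups():
                # Back door function from AX's low byte: 0910h display string,
                # 0911h execute command, 0912h get / 0913h set / 0914h remove bp.
                desc += " function %04Xh" % (0x0900 | m.group(1)[0])
            hits.append((m.start(), desc))
    return sorted(hits)

# Constructed sample: the Haspinst.exe-style back door loop of Method 02,
# then the simplest int 41h check of Method 05, padded with NOPs (90).
SAMPLE = bytes.fromhex(
    "90 90 90 "
    "B8 11 09 "        # mov ax,0911h  (execute SIce command)
    "8B 17 "           # mov dx,[bx]
    "BE 47 46 "        # mov si,4647h
    "BF 4D 4A "        # mov di,4A4Dh
    "CC "              # int 3
    "83 C3 02 41 "     # add bx,2 ; inc cx
    "83 F9 06 72 EE "  # cmp cx,6 ; jb back
    "90 90 "
    "B8 4F 00 "        # mov ax,4Fh
    "CD 41 "           # int 41h
    "3D 86 F3 74 00 "  # cmp ax,0F386h ; jz ...
)
if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print("offset %3d: method %s" % (off, desc))
```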
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>