About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX untouched; only a
    jz      SoftICE_detected        ; system debugger returns the magic number

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if nothing intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
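Added example (not part of the original post, and not code from any of the tools or products it names): a small Python scanner that turns the signatures above into a static pre-scan, so an analyst can flag a sample that carries these checks before stepping into it with a debugger. It covers methods 01 to 07, 11, 12 and 13. The opcode bytes are the standard x86 encodings of the instructions quoted in the text (mov ebp,imm32 = BDh, mov ax,imm16 = B8h, mov si/di,imm16 = BEh/BFh, int n = CDh, push imm8/imm32 = 6Ah/68h), the device names and registry paths are the ones listed under methods 11 and 13, and SAMPLE is a constructed byte string, not a real executable. It goes a little beyond the page by also matching the device names in UTF-16 and by tolerating a 66h operand-size prefix inside the int 2Fh sequences.

```python
"""Static scanner for the anti-SoftICE signatures described above (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (method id from the text, byte offset, description)

# Opcode signatures: standard 16-bit x86 encodings of the instructions quoted in
# the text. An optional 66h operand-size prefix is tolerated where a 32-bit
# build would emit one, and method 02 allows a few bytes between the magic
# values and the int 3.
_OPCODE_SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,4243484Bh ('BCHK'): BoundsChecker signature check",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h ; mov di,4A4Dh ; int 3: SoftICE back-door magic values",
     rb"\xBE\x47\x46\xBF\x4D\x4A.{0,6}?\xCC"),
    ("03", "mov ax,1684h ; mov bx,0202h ; int 2Fh: entry point of VxD SICE",
     rb"\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F"),
    ("04", "mov ax,1684h ; mov bx,7A5Fh ; int 2Fh: entry point of VxD SIWVID",
     rb"\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F"),
    ("05/06", "mov ax,4Fh ; int 41h: system debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h ; int 68h: WinICE V86 handler check",
     rb"\xB4\x43\xCD\x68"),
    ("12", "push 4Fh ; push 002A002Ah: VxDCall to VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

# String signatures: driver names opened by MeltICE-style checks (ASCII and
# UTF-16LE) and the registry paths used to locate a SoftICE installation.
_DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
_REGISTRY_PATHS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                   b"App Paths\\Loader32.Exe"]


def _build_signatures():
    sigs = list(_OPCODE_SIGNATURES)
    for name in _DEVICE_NAMES:
        text = name.decode()
        sigs.append(("11", "device name %s (CreateFile/_lopen check)" % text,
                     re.escape(name)))
        sigs.append(("11", "device name %s as UTF-16" % text,
                     re.escape(text.encode("utf-16le"))))
    for path in _REGISTRY_PATHS:
        sigs.append(("13", "registry path %s" % path.decode(), re.escape(path)))
    return [(m, d, re.compile(p, re.DOTALL)) for m, d, p in sigs]


_COMPILED = _build_signatures()


def scan(image: bytes) -> List[Finding]:
    """Return every signature hit in image, ordered by offset."""
    hits: List[Finding] = []
    for method, desc, rx in _COMPILED:
        for m in rx.finditer(image):
            hits.append((method, m.start(), desc))
    hits.sort(key=lambda h: h[1])
    return hits


def methods_found(image: bytes) -> List[str]:
    """Sorted, de-duplicated list of the method ids whose signature was seen."""
    return sorted({h[0] for h in scan(image)})


# Constructed sample (not a real executable): a few of the sequences from the
# text glued together with NOP/zero padding. Offsets are the start of each chunk.
SAMPLE = (
    b"MZ" + b"\x00" * 14                                        # 0:  fake header
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # 16: method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # 33: method 02 (HASP style)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"       # 49: method 04
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"               # 65: method 05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"       # 79: method 12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # 95: method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                            # 114: method 13 key
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print("method %-5s @ 0x%04X  %s" % (method, offset, desc))
```

Run it as a script to list the hits in SAMPLE, or call scan() on the bytes of a file you are looking at. Byte signatures like these are brittle: a packer only has to interleave junk instructions, load the magic values through a register, or build the device name at run time for the scanner to miss it, so treat a clean result as "no known sequence seen" and a hit as a pointer to the code worth tracing next, not as proof either way.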