About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, an INT 3 is answered by SoftICE, which changes AL.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL untouched => nobody answered the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 => no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily
replaced by a dummy handler that just returns, so AX can only become 0F386h
if the interrupt is serviced outside the real-mode vector table, i.e. by
SoftICE itself:

    xor     ax,ax
    mov     es,ax                   ; ES = 0: es:[41h*4] is the IVT entry (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect: no
function number is loaded (AL holds a timer byte read from port 40h), so
there is no AX==4Fh to break on. The dummy handler copies AL into CL; if
something else intercepts int 41h first, CL stays 0 and the compare fails.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
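The text only quotes two DR7 values. The C helper below is an added example (not part of the original text, and not code from SoftICE or its loader): it decodes the DR7 bit layout as documented in the Intel SDM, so that a ring0 check can tell which of DR0-DR3 is armed and what kind of BPM it is, and it clears them the way the text mentions. The 0x700 versus 0x400 distinction is kept as the page's own heuristic; the privileged `mov eax,dr7` read itself is not shown, and `SAMPLE_DR7` is a constructed value, not a captured register.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   : L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per slot)
 *   bits 8-9   : LE, GE                   (exact breakpoint match)
 *   bit  10    : reserved, always reads as 1
 *   bit  13    : GD                       (general detect)
 *   bits 16-31 : R/W0 LEN0 ... R/W3 LEN3 (2 bits each)
 */
#define DR7_LE  (1u << 8)
#define DR7_GE  (1u << 9)

struct dr_slot {
    int enabled;    /* L<n> or G<n> set */
    int rw;         /* 0 execute, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len_bytes;  /* 1, 2, 4; 8 only exists in 64-bit mode */
};

/* Bitmask with bit n set when DRn is armed, locally or globally. */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            mask |= 1u << n;
    return mask;
}

/* Decode slot n (0..3) of DR7. */
struct dr_slot dr7_slot(uint32_t dr7, int n)
{
    static const int len_table[4] = { 1, 2, 8, 4 }; /* LEN: 00=1, 01=2, 10=8, 11=4 */
    struct dr_slot s;
    s.enabled   = ((dr7 >> (2 * n)) & 3u) != 0;
    s.rw        = (int)((dr7 >> (16 + 4 * n)) & 3u);
    s.len_bytes = len_table[(dr7 >> (18 + 4 * n)) & 3u];
    return s;
}

/* The page's heuristic: the SoftICE loader leaves LE and GE set (0x700),
 * while an untouched DR7 reads 0x400 (only the reserved bit). */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* "Clearing BPMs": drop every enable bit and every R/W-LEN field,
 * keep LE/GE, the reserved bit and GD as they were. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

/* Constructed sample value (not a captured register): DR0 armed as a
 * 4-byte write breakpoint with LE|GE set, i.e. a BPM set under the loader. */
#define SAMPLE_DR7 0x000D0701u

int main(void)
{
    uint32_t v = SAMPLE_DR7;
    printf("dr7=%08x armed=%x loader=%d\n", (unsigned)v, dr7_enabled_mask(v),
           dr7_looks_like_softice_loader(v));
    for (int n = 0; n < 4; n++) {
        struct dr_slot s = dr7_slot(v, n);
        if (s.enabled)
            printf("  DR%d: rw=%d len=%d\n", n, s.rw, s.len_bytes);
    }
    printf("after clearing BPMs: %08x\n", (unsigned)dr7_clear_breakpoints(v));
    return 0;
}
```

On the sample value the decoder reports DR0 armed as a write breakpoint of 4 bytes, the loader heuristic fires, and clearing leaves exactly 0x700; a DR7 of 0x400 yields no armed slot and no loader hint.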

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
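The breakpoints quoted under Methods 01 to 13 find these tricks at run time; the C scanner below is an added example (not part of the original text, nor of any tool it mentions) that finds them statically, by searching a raw image for the byte encodings of the instructions and strings quoted above: `mov ebp,'BCHK'` (Method 01), the 4647h/4A4Dh magic values (Method 02), the 0202h/7A5Fh VxD IDs followed by `int 2Fh` (Methods 03/04), `mov ax,4Fh; int 41h` (Method 05), `mov ah,43h; int 68h` (Method 07), the `\\.\SICE`-style device names (Method 11), the `push 002A002Ah` VxDCall (Method 12) and the NuMega registry key (Method 13). The encodings assume 16-bit operand size for the DOS sequences, the 16-byte proximity window and all names are this example's own choices, and `SAMPLE_IMAGE` is constructed rather than taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One flag per trick family described on this page. */
enum {
    SIG_BCHK_INT3     = 1 << 0,  /* Method 01: mov ebp,'BCHK' before int 3         */
    SIG_BACKDOOR_INT3 = 1 << 1,  /* Method 02: mov si,4647h / mov di,4A4Dh           */
    SIG_VXD_SICE      = 1 << 2,  /* Method 03: mov bx,0202h followed by int 2Fh      */
    SIG_VXD_SIWVID    = 1 << 3,  /* Method 04: mov bx,7A5Fh followed by int 2Fh      */
    SIG_INT41_4F      = 1 << 4,  /* Method 05: mov ax,4Fh ; int 41h                  */
    SIG_INT68_43      = 1 << 5,  /* Method 07: mov ah,43h ; int 68h                  */
    SIG_DEVICE_NAME   = 1 << 6,  /* Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE       */
    SIG_VXDCALL_INT41 = 1 << 7,  /* Method 12: push 002A002Ah (VWIN32_Int41Dispatch) */
    SIG_REGISTRY      = 1 << 8   /* Method 13: Software\NuMega\SoftICE               */
};

struct pattern { const uint8_t *bytes; size_t len; };
#define PAT(s) { (const uint8_t *)(s), sizeof(s) - 1 }

/* Byte encodings of the instructions quoted on the page: 16-bit operand size
 * for the DOS sequences, 32-bit for the 'BCHK' move and the VxDCall push. */
static const struct pattern P_BCHK      = PAT("\xBD\x4B\x48\x43\x42"); /* mov ebp,4243484Bh  */
static const struct pattern P_MAGIC_SI  = PAT("\xBE\x47\x46");         /* mov si,4647h       */
static const struct pattern P_MAGIC_DI  = PAT("\xBF\x4D\x4A");         /* mov di,4A4Dh       */
static const struct pattern P_BX_SICE   = PAT("\xBB\x02\x02");         /* mov bx,0202h       */
static const struct pattern P_BX_SIWVID = PAT("\xBB\x5F\x7A");         /* mov bx,7A5Fh       */
static const struct pattern P_INT2F     = PAT("\xCD\x2F");             /* int 2Fh            */
static const struct pattern P_INT41_4F  = PAT("\xB8\x4F\x00\xCD\x41"); /* mov ax,4Fh;int 41h */
static const struct pattern P_INT68_43  = PAT("\xB4\x43\xCD\x68");     /* mov ah,43h;int 68h */
static const struct pattern P_VXDCALL   = PAT("\x68\x2A\x00\x2A\x00"); /* push 002A002Ah     */
static const struct pattern P_DEV[3]    = { PAT("\\\\.\\SICE"), PAT("\\\\.\\SIWVID"),
                                            PAT("\\\\.\\NTICE") };
static const struct pattern P_REG       = PAT("Software\\NuMega\\SoftICE");

/* Offset of the first occurrence of p in buf[start..len), or -1 if absent. */
static long find_from(const uint8_t *buf, size_t len, size_t start,
                      const struct pattern *p)
{
    for (size_t i = start; p->len <= len && i <= len - p->len; i++)
        if (memcmp(buf + i, p->bytes, p->len) == 0)
            return (long)i;
    return -1;
}

/* True if some occurrence of a is followed by b within `window` bytes
 * (the page pairs a register load with the interrupt it feeds). */
static int followed_by(const uint8_t *buf, size_t len, const struct pattern *a,
                       const struct pattern *b, size_t window)
{
    for (long pa = find_from(buf, len, 0, a); pa >= 0;
         pa = find_from(buf, len, (size_t)pa + 1, a)) {
        long pb = find_from(buf, len, (size_t)pa + a->len, b);
        if (pb >= 0 && (size_t)(pb - pa) <= window)
            return 1;
    }
    return 0;
}

/* Scan a raw image and return the SIG_* mask of the tricks it carries. */
unsigned scan_antisoftice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    if (find_from(buf, len, 0, &P_BCHK) >= 0)                hits |= SIG_BCHK_INT3;
    if (followed_by(buf, len, &P_MAGIC_SI, &P_MAGIC_DI, 16)) hits |= SIG_BACKDOOR_INT3;
    if (followed_by(buf, len, &P_BX_SICE, &P_INT2F, 16))     hits |= SIG_VXD_SICE;
    if (followed_by(buf, len, &P_BX_SIWVID, &P_INT2F, 16))   hits |= SIG_VXD_SIWVID;
    if (find_from(buf, len, 0, &P_INT41_4F) >= 0)            hits |= SIG_INT41_4F;
    if (find_from(buf, len, 0, &P_INT68_43) >= 0)            hits |= SIG_INT68_43;
    if (find_from(buf, len, 0, &P_VXDCALL) >= 0)             hits |= SIG_VXDCALL_INT41;
    for (int i = 0; i < 3; i++)
        if (find_from(buf, len, 0, &P_DEV[i]) >= 0)          hits |= SIG_DEVICE_NAME;
    if (find_from(buf, len, 0, &P_REG) >= 0)                 hits |= SIG_REGISTRY;
    return hits;
}

/* Constructed sample image (not bytes from any real binary): the Method 01
 * check, a Haspinst-style backdoor call (Method 02), the Method 03 VxD
 * query and a MeltICE-style device name, separated by NOPs. */
static const uint8_t SAMPLE_IMAGE[] =
    "\xBD\x4B\x48\x43\x42" "\x66\xB8\x04\x00" "\xCC" "\x3C\x04" "\x75\x00" /* Method 01 */
    "\x90\x90"
    "\xB8\x11\x09" "\xBE\x47\x46" "\xBF\x4D\x4A" "\xCC"                    /* Method 02 */
    "\x90\x90"
    "\x33\xFF" "\x8E\xC7" "\xB8\x84\x16" "\xBB\x02\x02" "\xCD\x2F"         /* Method 03 */
    "\x90\x90"
    "\\\\.\\SICE\0";                                                        /* Method 11 */
#define SAMPLE_IMAGE_LEN (sizeof(SAMPLE_IMAGE) - 1)

int main(void)
{
    unsigned hits = scan_antisoftice(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
    printf("anti-SoftICE signature mask: 0x%03x\n", hits);
    return 0;
}
```

Only the literal encodings above are matched: a protector that builds the magic values at run time, uses a different `push` encoding, or splits the register load from the interrupt by more than the window will not be reported, which is why the run-time breakpoints quoted on the page remain the authoritative check. A lone `mov bx,0202h` with no `int 2Fh` nearby is deliberately not reported, to keep the VxD-ID patterns from firing on unrelated data.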

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.