<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very commonly used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h    ; VxD ID of winice
    int 2Fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh    ; VxD ID of SIWVID
    int 2fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs               ; assumes es = 0 (the IVT segment)
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; only runs if int 41h really reaches our handler
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; arbitrary value from the timer port
    xor cx,cx                ; cl stays 0 unless our handler copies al into it
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
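
A static triage scanner for the idioms above, as an added example that is not part of the original post: it searches a binary for the byte encodings of the instruction sequences and strings quoted in Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13, so an analyst can see which anti-SoftICE checks a protected program carries before running it. The signature names and the embedded sample bytes are constructed here, not taken from any real protector.

```python
"""Static triage scanner for the SoftICE anti-debugging idioms listed above.

Added example, not code from the original post. Each pattern is the x86
encoding of an instruction sequence or string quoted in Methods 01, 02, 03/04,
05/06, 07, 11, 12 and 13; it flags a binary that carries these checks and does
not detect SoftICE itself. The sample at the bottom is constructed.
"""
import re
import sys

# Immediates are little-endian; a 66h operand-size prefix in 32-bit code sits
# before the matched bytes, so one pattern covers 16- and 32-bit encodings.
# re.DOTALL lets the short gaps (".{0,n}?") span a 0Ah byte.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ahead of the int 3
    "bchk_signature": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: back door magic values mov si,4647h / mov di,4A4Dh
    "backdoor_magic": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
        re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_get_entry": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Methods 05/06: mov ax,4Fh ; int 41h
    "int41_debugger": re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "int68_v86": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names opened with CreateFileA or _lopen
    "driver_handle": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry key probed for the install directory
    "registry_probe": re.compile(rb"Software\\NuMega\\SoftICE"),
}

def scan(blob):
    """Return [(offset, signature_name), ...] sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample (not from any real protector): NOP filler with the
# Method 03, 05, 11 and 02 idioms embedded at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"         # 16: int 2Fh/1684h, SICE
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"         # 32: int 41h/4Fh, cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                           # 48: MeltICE device name
    + b"\x90" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 65: back door, magic at 68
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Run it with a file path to scan that file, or with no argument to scan the embedded sample; the short three- to five-byte patterns are triage indicators, so confirm a hit in a disassembler before drawing conclusions.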
' l9 X. M- e) }, a0 n7 v- B' ~</PRE></TD></TR></TBODY></TABLE> |