<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
" _0 y& M1 X8 h2 D4 K1 vMethod 04
" p: |) @, r+ T2 o9 e=========8 o8 a! q/ A- s
1 E% T" M1 I& T7 ~. v) C, BMethod identical to the preceding one except that it seeks the ID of SoftICE, u, T0 V8 s: d
GFX VxD.
( ~ \8 }* \* H$ l# I+ ?0 ?# p) _7 H: `8 s% A
xor di,di+ K+ h1 S5 l3 G7 v
mov es,di9 u; Y) c( p$ R
mov ax, 1684h 1 p2 d7 @$ C' w) o9 E
mov bx, 7a5Fh ; VxD ID of SIWVID
) {! u! |- M9 k. P int 2fh9 f% i0 g! {& n4 I! E) K% D
mov ax, es ; ES:DI -> VxD API entry point; i0 p& E) B) r6 s6 u
add ax, di+ Q" i) l% F9 z b7 P' `; A
test ax,ax; V4 f' J/ p& J, ?0 r8 D
jnz SoftICE_Detected
8 L& { r- S/ p6 U( n+ s( G" \4 [( l( p- W& Q# j
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read an arbitrary value from the timer port
    xor cx,cx
    int 41h                 ; if our handler runs, cl == al afterwards
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if SoftICE intercepted int 41h, cl is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the \\.\SICE device succeeds only when the driver is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
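Added example (not from the original text): a small static scanner that looks for
the byte-level signatures of the tricks from Methods 01, 02, 03/04, 05, 11 and 13,
so an analyst can spot them in a packed sample before stepping into it with a
debugger. The instruction encodings, signature names and the sample image are
constructed for this example.

```python
import re

# Byte-level signatures of the SoftICE detection tricks described above.
# Opcodes are the 16-bit real-mode encodings for the DOS-era tricks; they also
# match the 32-bit forms that merely carry an operand-size prefix in front.
SIGNATURES = {
    # Method 01: mov ebp,04243484Bh ('BCHK')  ->  BD 4B 48 43 42
    "M01 BoundsChecker 'BCHK' check": re.compile(rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (some slack between them)
    "M02 SoftICE backdoor (SI=4647h, DI=4A4Dh, int 3)": re.compile(
        rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID probe (SICE/SIWVID)": re.compile(
        rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int 41h/4Fh magic-number check (0F386h)": re.compile(
        rb"\xb8\x4f\x00.{0,8}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL),
    # Method 11 (MeltICE): driver device names handed to CreateFileA or _lopen
    "M11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal a SoftICE installation
    "M13 SoftICE registry key": re.compile(
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
}


def scan(image: bytes):
    """Return a list of (offset, signature name) for every hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in SIGNATURES.items()
            for m in pat.finditer(image)]
    return sorted(hits)


# Constructed sample image (not a real file): a fake header followed by the
# Haspinst-style Method 02 sequence, a Method 05 check and a MeltICE device name.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,0911h / mov dx,[bx] / si / di / int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"          # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # "\\.\SICE" device name string
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```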
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>