<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; SoftICE answers the BoundsChecker request by changing al
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0000:0000 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected



The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs                      ; ES is assumed to be 0 here (the IVT)
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]             ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                      ; ES = 0 -> the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; a fresh timer byte as random seed
        xor cx, cx
        int 41h                         ; our handler copies al into cl...
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al                      ; ...unless a debugger caught the int 41h first
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
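The int 3, int 2Fh, int 41h and int 68h checks of Methods 01 to 07 (and the VxDCall variant of Method 12 further down) all leave fixed byte sequences in the code, so an analyst can look for them before ever running a sample. The scanner below is an added example, not code from the original text or from any of the programs it mentions: it searches a raw code buffer for the encoded form of those instruction sequences. The opcode bytes come from the Intel opcode map (an optional 66h operand-size prefix is accepted so that both 16-bit and 32-bit code match); the immediate values (4243484Bh, 4647h/4A4Dh, 0910h-0914h, 1684h, 0202h/7A5Fh, 0F386h, 43h, 4Fh, 002A002Ah) are the ones quoted in the text. The 24-byte window around each interrupt and the SAMPLE buffer are my own assumptions; real code may spread the instructions further apart.

```python
import re

# Encoded instruction patterns (Intel opcode map).  "\x66?" allows the operand-size
# prefix that 32-bit code needs in front of the 16-bit register forms.
INT3      = re.compile(rb"\xCC")                          # int 3
INT2F     = re.compile(rb"\xCD\x2F")                      # int 2Fh
INT41     = re.compile(rb"\xCD\x41")                      # int 41h
INT68     = re.compile(rb"\xCD\x68")                      # int 68h
BCHK      = re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")     # mov ebp, 4243484Bh ('BCHK')
MAGIC_SI  = re.compile(rb"\x66?\xBE\x47\x46")             # mov si, 4647h
MAGIC_DI  = re.compile(rb"\x66?\xBF\x4D\x4A")             # mov di, 4A4Dh
BACKDOOR  = re.compile(rb"\x66?\xB8([\x10-\x14])\x09")    # mov ax, 0910h..0914h
GET_ENTRY = re.compile(rb"\x66?\xB8\x84\x16")             # mov ax, 1684h
VXD_ID    = re.compile(rb"\x66?\xBB(\x02\x02|\x5F\x7A)")  # mov bx, 0202h / 7A5Fh
CMP_F386  = re.compile(rb"\x66?\x3D\x86\xF3")             # cmp ax, 0F386h
IN_AL_40  = re.compile(rb"\xE4\x40")                      # in al, 40h
MOV_AH_43 = re.compile(rb"\xB4\x43")                      # mov ah, 43h
PUSH_4F   = re.compile(rb"\x6A\x4F")                      # push 4Fh
PUSH_2A2A = re.compile(rb"\x68\x2A\x00\x2A\x00")          # push 002A002Ah

WINDOW = 24  # assumption: the marker instructions sit within 24 bytes of the int

BACKDOOR_NAMES = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoints", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}

def _near(buf, pattern, offset):
    """Search for pattern inside the window around offset."""
    lo, hi = max(0, offset - WINDOW), min(len(buf), offset + WINDOW)
    return pattern.search(buf, lo, hi)

def scan_softice_checks(buf):
    """Return sorted (offset, method, detail) tuples, one per recognised check."""
    hits = []
    for m in INT3.finditer(buf):                       # Methods 01 and 02
        o = m.start()
        if _near(buf, BCHK, o):
            hits.append((o, "01", "BoundsChecker 'BCHK' signature via int 3"))
        elif _near(buf, MAGIC_SI, o) and _near(buf, MAGIC_DI, o):
            fn = _near(buf, BACKDOOR, o)
            if fn:
                ax = 0x0900 | fn.group(1)[0]
                detail = "SoftICE back door AX=%04Xh (%s)" % (ax, BACKDOOR_NAMES[ax])
            else:
                detail = "SoftICE back door, function not found nearby"
            hits.append((o, "02", detail))
    for m in INT2F.finditer(buf):                      # Methods 03 and 04
        o = m.start()
        vxd = _near(buf, VXD_ID, o)
        if vxd and _near(buf, GET_ENTRY, o):
            name = "SICE (0202h)" if vxd.group(1) == b"\x02\x02" else "SIWVID (7A5Fh)"
            hits.append((o, "03/04", "int 2Fh/1684h entry point query for " + name))
    for m in INT41.finditer(buf):                      # Methods 05 and 06
        o = m.start()
        if _near(buf, CMP_F386, o):
            hits.append((o, "05", "int 41h/4Fh result compared with 0F386h"))
        elif _near(buf, IN_AL_40, o):
            hits.append((o, "06", "int 41h through a temporary handler, in al,40h seed"))
    for m in INT68.finditer(buf):                      # Method 07
        o = m.start()
        if _near(buf, MOV_AH_43, o) and _near(buf, CMP_F386, o):
            hits.append((o, "07", "int 68h/43h result compared with 0F386h"))
    for m in PUSH_2A2A.finditer(buf):                  # Method 12 (VxDCall variant)
        o = m.start()
        if _near(buf, PUSH_4F, o) and _near(buf, CMP_F386, o):
            hits.append((o, "12", "VxDCall VWIN32_Int41Dispatch, function 4Fh"))
    return sorted(hits)

FILLER = b"\x90" * 32   # nops between the constructed fragments
SAMPLE = (              # constructed test input, one hand-assembled fragment per method
    FILLER + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"                      # 01
    + FILLER + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"                  # 02
    + FILLER + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0\x75\x02"  # 03
    + FILLER + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                                      # 05
    + FILLER + b"\xE4\x40\x33\xC9\xCD\x41\x38\xC1\x75\x02"                                      # 06
    + FILLER + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x02"                                          # 07
    + FILLER + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3\x74\x02"      # 12
    + FILLER
)

if __name__ == "__main__":
    for offset, method, detail in scan_softice_checks(SAMPLE):
        print("%06X  Method %-5s %s" % (offset, method, detail))
```

Run it over the code section of a sample and triage each reported offset in a disassembler: a hit only says that the instruction sequence is present, not that it is reached, so the breakpoints given in the text remain the decisive check once the sample is running.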
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
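Method 10 reads the debug registers raw, so it helps to know what the two DR7 values it quotes actually encode. The decoder below is an added example, not code from the original text: it applies the DR7 bit layout from the Intel manual (L0..G3 in bits 0-7, LE/GE in bits 8-9, the reserved bit 10 that always reads as 1, GD in bit 13, R/Wn and LENn in bits 16-31) to a value and lists the breakpoints it arms. 0x400 is therefore just the reserved bit, 0x700 adds LE and GE, and a BPM on dr0 shows up as L0 plus its R/W and LEN fields. It decodes numbers only; the register read itself is ring 0 work, as the text says. The classify_dr7 labels are my own wording of the text's rule.

```python
RW_TYPES  = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field values
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn field values; 10b means 8 bytes only on x86-64

def decode_dr7(dr7):
    """Break a DR7 value into its enabled breakpoints and control bits."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3 at bits 0, 2, 4, 6
        glob  = (dr7 >> (2 * i + 1)) & 1    # G0..G3 at bits 1, 3, 5, 7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/W0..3 at bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3      # LEN0..3 at bits 18-19, 22-23, 26-27, 30-31
        bps.append({"dr": i, "scope": "global" if glob else "local",
                    "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "LE": bool(dr7 & 0x100),            # bit 8: local exact breakpoint enable
        "GE": bool(dr7 & 0x200),            # bit 9: global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),           # bit 13: general detect, #DB on any DRn access
        "bit10": bool(dr7 & 0x400),         # reserved, reads as 1: the 0x400 baseline
    }

def encode_dr7(bp, rw, length_bits, glob=False):
    """Build a DR7 that arms one breakpoint (keeps the always-set bit 10)."""
    enable_bit = 2 * bp + (1 if glob else 0)
    return 0x400 | (1 << enable_bit) | (rw << (16 + 4 * bp)) | (length_bits << (18 + 4 * bp))

def classify_dr7(dr7):
    """Apply the Method 10 reading of DR7 (labels are this example's own wording)."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed in DR0-DR3"
    if d["LE"] and d["GE"]:
        return "LE/GE set: loaded through the SoftICE loader"
    return "nothing set beyond the reserved bit"

if __name__ == "__main__":
    for value in (0x400, 0x700, encode_dr7(0, 1, 3)):
        print("DR7=%08X  %s  %s" % (value, classify_dr7(value), decode_dr7(value)["breakpoints"]))
```

classify_dr7(encode_dr7(0, 1, 3)) reports a 4-byte write breakpoint on dr0, the kind of value a memory breakpoint leaves in the registers; the same decoder applied to a VM or crash-dump register snapshot tells you which breakpoints a sample running Method 10 would have seen.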

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
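Methods 11 and 13 both depend on fixed strings (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the three registry paths), so the cheapest static check for them is a string search. The scanner below is an added example, not code from the original text or from MeltICE: it looks for those strings in a buffer in both ANSI and UTF-16LE form (the wide form is my own extension for CreateFileW/RegOpenKeyW callers), and bpx_tag reproduces the 4-byte comparisons used in the BPX conditions quoted above, so you can see where the +4, +0x13 and +0x37 offsets come from. The SAMPLE buffer is constructed for the demonstration.

```python
import re

DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]              # opened as \\.\NAME (Method 11)
REGISTRY_KEYS = [                                        # opened with RegOpenKey (Method 13)
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

def _encodings(text):
    """ANSI and UTF-16LE spellings of the same string (the wide form is my addition)."""
    return [("ansi", text.encode("ascii")), ("wide", text.encode("utf-16-le"))]

def _build_patterns():
    """Compile one case-insensitive pattern per string and encoding."""
    pats = []
    for name in DEVICE_NAMES:
        for enc, raw in _encodings("\\\\.\\" + name):
            pats.append(("device", name, enc, re.compile(re.escape(raw), re.IGNORECASE)))
    for key in REGISTRY_KEYS:
        for enc, raw in _encodings(key):
            pats.append(("registry", key, enc, re.compile(re.escape(raw), re.IGNORECASE)))
    return pats

PATTERNS = _build_patterns()

def find_softice_strings(buf):
    """Return sorted (offset, kind, value, encoding) tuples found in buf."""
    hits = []
    for kind, value, enc, pat in PATTERNS:
        for m in pat.finditer(buf):
            hits.append((m.start(), kind, value, enc))
    return sorted(hits)

def platform_for_device(name):
    """Which SoftICE build the device name belongs to, as stated in the text."""
    return "WinNT" if name.upper() == "NTICE" else "Win9x"

def bpx_tag(kind, value):
    """The (offset, 4 bytes) that the SoftICE breakpoint conditions above test."""
    if kind == "device":
        # *(esp->4+4) in the BPX CreateFileA condition: bytes 4..7 of the path,
        # i.e. the first four letters after the "\\.\" prefix.
        path = ("\\\\.\\" + value).encode("ascii")
        return 4, path[4:8]
    # *(esp->8+0x13) / *(esp->8+0x37) in the _regopenkey condition: the 'tICE'
    # bytes inside "SoftICE" at the end of the key name.
    raw = value.encode("ascii")
    return raw.find(b"tICE"), b"tICE"

SAMPLE = (b"\x00" * 8                                           # constructed, not a real binary
          + b"\\\\.\\SICE\x00"                                   # ANSI device name at offset 8
          + b"MZ junk"
          + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"     # wide device name at offset 24
          + b"Software\\NuMega\\SoftICE\x00")                    # registry key #2 at offset 44

if __name__ == "__main__":
    for offset, kind, value, enc in find_softice_strings(SAMPLE):
        tag_off, tag = bpx_tag(kind, value)
        print("%06X %-8s %-5s %-60s BPX tests %r at +0x%X" % (offset, kind, enc, value, tag, tag_off))
```

Applied to a real file, run it over the whole image rather than only the code section, since both the _lopen and CreateFileA callers above keep the path in a data section; a hit tells you what to set the breakpoints on, it does not by itself prove that the check runs.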

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>