<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with ebp = 'BCHK'
and ax = 4, SoftICE's int 3 handler recognises the BoundsChecker request
and returns with al no longer equal to 4, whereas without SoftICE the
int 3 comes back with al untouched.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls
SoftICE's 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). The call returns the VxD's API entry point
in ES:DI, and leaves ES:DI = 0000:0000 when no VxD with that ID is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WinICE (SICE)
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di             ; ax = 0 only if both ES and DI are 0
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics/video VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next example, as well as the one in method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It first points int 41h at its own
handler, so that without a debugger the call is a plain iret and ax keeps
the value 4Fh; a system debugger sees the int 41h before the program's
vector does and still answers 0F386h:

    xor ax, ax
    mov es, ax                  ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, keep the old offset in dx
    xchg bx, es:[41h*4+2]       ; ... and the old segment in bx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but harder to spot, since it never
compares anything against 0F386h: the installed handler copies al into cl,
so (unless al happens to be 0) cl equals al only if the program's own
handler actually ran, i.e. if nothing intercepted int 41h first.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

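The following C program is an added example, not code from this page or from Stone's archive: it models the interrupt-vector swap used by methods 05 and 06 so both checks can be traced on any machine without DOS or SoftICE. The `ivt` array, the `do_int41` dispatcher and the `softice_loaded` flag are assumptions of the model (a real system debugger sits below the program, not in a C function); the `timer_byte` argument stands in for whatever `in al,40h` happens to read.

```c
#include <stdint.h>
#include <stdio.h>

/* CPU registers as seen by the 16-bit code in methods 05 and 06. */
struct regs { uint16_t ax, bx, cx, dx; };

typedef void (*isr_fn)(struct regs *);

/* Model of the real-mode interrupt vector table (es:[n*4] in the text):
 * one function pointer per vector instead of a seg:off pair. */
static isr_fn ivt[256];
static int ivt_ready;

/* Simulated system debugger flag (assumption of this model): when set,
 * int 41h is answered by the debugger before the program's own vector is
 * ever consulted, which is the behaviour the text describes. */
static int softice_loaded;

void set_softice_loaded(int loaded) { softice_loaded = loaded; }

/* DOS default int 41h handler: a plain iret, registers untouched. */
static void default_int41(struct regs *r) { (void)r; }

static void ivt_init(void)
{
    if (ivt_ready) return;
    for (int i = 0; i < 256; i++) ivt[i] = default_int41;
    ivt_ready = 1;
}

/* "int 41h": the debugger, if present, answers function 4Fh with F386h and
 * swallows everything else; otherwise the call reaches the IVT entry. */
static void do_int41(struct regs *r)
{
    if (softice_loaded) {
        if (r->ax == 0x004F) r->ax = 0xF386;
        return;
    }
    ivt[0x41](r);
}

/* xchg dx,es:[41h*4] / xchg bx,es:[41h*4+2]: install a handler and hand
 * back the previous one so it can be restored the same way. */
static isr_fn swap_vector(int n, isr_fn handler)
{
    isr_fn old = ivt[n];
    ivt[n] = handler;
    return old;
}

/* Method 05 (Stone): int41handler2 is just iret. */
static void int41handler2(struct regs *r) { (void)r; }

/* Method 06: mov cl,al ; iret */
static void int41handler(struct regs *r)
{
    r->cx = (uint16_t)((r->cx & 0xFF00) | (r->ax & 0x00FF));
}

/* Returns 1 when method 05 would jump to SoftICE_detected. */
int method05_detects(void)
{
    struct regs r = {0, 0, 0, 0};
    ivt_init();
    isr_fn saved = swap_vector(0x41, int41handler2);
    r.ax = 0x004F;              /* mov ax,4fh */
    do_int41(&r);               /* int 41h */
    swap_vector(0x41, saved);   /* restore the original vector */
    return r.ax == 0xF386;      /* cmp ax,0f386h ; jz SoftICE_detected */
}

/* Returns 1 when method 06 would jump to SoftICE_detected.  timer_byte stands
 * in for the value "in al,40h" reads from the timer (constructed input). */
int method06_detects(uint8_t timer_byte)
{
    struct regs r = {0, 0, 0, 0};
    ivt_init();
    isr_fn saved = swap_vector(0x41, int41handler);
    r.ax = timer_byte;          /* in al,40h (ah left at 0 in this model) */
    r.cx = 0;                   /* xor cx,cx */
    do_int41(&r);               /* int 41h */
    swap_vector(0x41, saved);
    /* cmp cl,al ; jnz SoftICE_detected: cl only equals al if our handler ran */
    return (r.cx & 0xFF) != (r.ax & 0xFF);
}

int main(void)
{
    for (int dbg = 0; dbg <= 1; dbg++) {
        set_softice_loaded(dbg);
        printf("softice_loaded=%d  method05=%d  method06(al=37h)=%d  method06(al=0)=%d\n",
               dbg, method05_detects(), method06_detects(0x37), method06_detects(0x00));
    }
    return 0;
}
```

Running it with the debugger flag set shows the blind spot of method 06: when the timer port happens to return 0, cl and al are both 0 whether or not the program's handler ran, and the check stays silent.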
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description
Block (in ecx) if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (which is
only possible from ring 0), you can detect whether SoftICE is loaded
(dr7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3). The
values can be manipulated or changed as well (clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName and +4 skips the "\\.\" prefix; only 4 bytes are
  compared, hence 'NTIC' rather than 'NTICE')

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job. _lopen returns HFILE_ERROR (-1) on failure,
so "inc eax / jnz" branches exactly when a handle was obtained:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of
     "tICE" inside key #2 and key #1 respectively)
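The following C program is an added example, not code from this page, from MeltICE or from AZPR: it reproduces in portable C the string tests that the SoftICE breakpoint conditions of methods 11 and 13 apply to the arguments of CreateFileA and RegOpenKey, so the offsets 4, 0x13 and 0x37 can be checked without Windows or SoftICE. No Windows API is called; the file names and registry sub-keys in main() are constructed sample inputs, and "\\.\SICEXX" is included only to show that the breakpoint matches more than the exact driver names the program itself opens.

```c
#include <stdio.h>
#include <string.h>

/* *(p+off)=='TAG' in a SoftICE condition compares the 4 bytes at p+off, in
 * memory order, with the 4 characters of the literal.  memcmp reproduces
 * that exactly; a C multi-character constant such as 'SICE' would not, since
 * its byte order is implementation-defined. */
static int tag_at(const char *s, size_t off, const char tag[4])
{
    if (s == NULL || strlen(s) < off + 4)   /* fewer than 4 bytes to read there */
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix.  Only 4 bytes are
 * compared, which is why the NT driver is matched as 'NTIC'. */
int createfile_bpx_fires(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey.  0x13 is the offset of "tICE" in
 * "Software\NuMega\SoftICE" (key #2) and 0x37 its offset in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int regopenkey_bpx_fires(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* What the protected program itself is after: an exact "\\.\NAME" device
 * name.  Returns the driver name or NULL.  Unlike the breakpoint condition,
 * "\\.\SICEXX" does not match here. */
const char *softice_device_name(const char *path)
{
    static const char *const drivers[] = { "SICE", "SIWVID", "NTICE" };
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t i = 0; i < sizeof drivers / sizeof drivers[0]; i++)
        if (strcmp(path + 4, drivers[i]) == 0)
            return drivers[i];
    return NULL;
}

int main(void)
{
    /* Constructed sample arguments, as a protected program might pass them. */
    const char *files[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\SICEXX", "C:\\TEMP\\SICE.TXT", "\\\\.\\PhysicalDrive0"
    };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        const char *dev = softice_device_name(files[i]);
        printf("%-22s bpx=%d exact=%s\n", files[i],
               createfile_bpx_fires(files[i]), dev ? dev : "-");
    }
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-66s regbpx=%d\n", keys[i], regopenkey_bpx_fires(keys[i]));
    return 0;
}
```

The App Paths key (#3) is not caught by the registry breakpoint above, since neither offset 0x13 nor 0x37 lands on "tICE" in it; a third clause with the offset of "tICE" in "...\App Paths\Loader32.Exe" would not help either, because that name does not contain the string at all.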
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>