About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' - BoundsChecker interface signature
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; SoftICE services the call and alters AL
    cmp     al,4                   ; AL still 4: nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh: Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh: Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; int 41h function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a debugger sitting above the IVT still answers
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our own handler just echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran, something else owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                         ; DOS: set interrupt vector
    mov     al, Int_Number                  ; 01h or 03h
    mov     dx, offset New_Int_Routine      ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'); it needs windows.h:

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   // Opening the driver's device name succeeds only if the VxD is loaded.
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE?
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; sets ZF when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
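As an added example, not part of the original post: most of the tricks above (methods 01, 02, 03/04, 05/07/12 and 11) leave fixed byte patterns in a binary, the 'BCHK' constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the 0F386h comparison and the \\.\SICE-style device names, which is what an analyst triaging a packed sample looks for statically. The opcode encodings, the scan/build_sample names and the test image are my own assumptions and constructions; the post shows mnemonics, not bytes.

```python
import re

# Byte signatures for the tricks listed above. The encodings are the standard
# 16-bit/32-bit x86 forms of the post's mnemonics (assumed here; the post gives
# mnemonics, not bytes). `.{0,n}?` tolerates a few unrelated bytes in between.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h (BE 47 46) / mov di,4A4Dh (BF 4D 4A) ... int 3
    ("02 back-door int 3, SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h (B8 84 16) / mov bx,0202h|7A5Fh / int 2Fh (CD 2F)
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (3D 86 F3; a 66h prefix in 32-bit code precedes it)
    ("05/07/12 cmp ax,0F386h debugger magic",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE and the _lopen variant): NUL-terminated driver device names
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: the post's snippets hand-assembled, NOP-padded."""
    pad = b"\x90" * 4
    return (
        pad
        + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7500")   # Method 01 (32-bit) at 4
        + pad
        + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")      # Method 02 at 22; hit at mov si (27)
        + pad
        + bytes.fromhex("B88416 BB0202 CD2F")                # Method 03 at 38
        + pad
        + bytes.fromhex("B84F00 CD41 3D86F3 7400")           # Method 05 at 50; hit at cmp (55)
        + pad
        + b"\\\\.\\SICE\x00"                                 # Method 11 string at 64
    )


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print(f"{offset:#06x}  {label}")
```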