<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes through INT 3:
with EBP = 'BCHK' and AX = 04h, SoftICE answers by clearing AL, so AL is
still 04h after the INT 3 only when no SoftICE is present.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; SoftICE answered -> AL changed
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE; the INT 3 is only honoured
when both registers hold them.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler (an SEH-style redirection) when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). Windows returns ES:DI = 0000:0000
when no VxD with that ID (or none exposing an API) is loaded, so any
non-zero ES:DI means SoftICE is present.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; (only zero vs. non-zero matters)
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers that implement the Windows debugger interface. It calls
int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the interrupt
vector table is first replaced by a dummy handler, so that without a system
debugger the call returns with AX unchanged (4Fh); SoftICE intercepts
int 41h before the vector is consulted and still answers 0F386h:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot because the
0F386h constant never appears: the dummy handler copies AL into CL, so if
the int 41h really reaches the program's own handler, CL == AL afterwards.
If a system debugger swallowed the interrupt, CL stays 0 (or AL was
changed) and the compare fails. AL is read from the PIT timer port (40h),
so it looks random to a casual reader; note that when that byte happens to
be 0 the compare cannot fail (CL == AL == 0) unless AL itself was modified.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; "random" byte from timer channel 0
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler through int 68h (V86 mode debugger
installation check, AH = 43h: a debugger answers AX = 0F386h).

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints (BPM) are set in dr0 to dr3. The values can be modified as
well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API; the open only succeeds
when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);             /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears eax and the Carry flag
to allow the handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR = -1 on failure,
hence the inc eax / jnz test):

        push 00                         ; OF_READ
        mov  eax,[00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589                   ; detected
        push 00                         ; OF_READ
        mov  eax,[00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae                   ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" inside the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The zero flag is clear when a debugger is installed:

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
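The breakpoints quoted in Methods 09, 11, 12 and 13 only fire once the target is already running under SoftICE. The scanner below is an added example, not part of the original text or of any tool named on this page: it finds the byte encodings of the tricks from Methods 01 to 05, 07, 11, 12 and 13 statically in a raw file, so you know beforehand which BPX/BPINT to set. The patterns are the standard 16/32-bit x86 encodings of the snippets quoted above (a 66h operand-size prefix in 32-bit code does not disturb the match because only opcode plus immediate is searched). The SAMPLE blob is constructed here from those same snippets and is not a real packer; `scan_file` and the rule keys are names chosen for this example.

```python
"""Static scanner for the anti-SoftICE tricks quoted on this page (added
example). Each rule lists the hand-assembled byte patterns of one trick;
a rule fires when one alternative of EVERY part lies within `window` bytes
of the first part (the anchor)."""
from typing import List, Tuple

RULES = (
    # key, description, parts (each part = tuple of alternative byte strings), window
    ("M01", "BCHK interface: mov ebp,4243484Bh + int 3",
     ((b"\xBD\x4B\x48\x43\x42",), (b"\xCC", b"\xCD\x03")), 16),
    ("M02", "back door: mov si,4647h 'FG' + mov di,4A4Dh 'JM' + int 3",
     ((b"\xBE\x47\x46",), (b"\xBF\x4D\x4A",), (b"\xCC", b"\xCD\x03")), 16),
    ("M03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     ((b"\xB8\x84\x16",), (b"\xBB\x02\x02",), (b"\xCD\x2F",)), 16),
    ("M04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     ((b"\xB8\x84\x16",), (b"\xBB\x5F\x7A",), (b"\xCD\x2F",)), 16),
    ("M05", "int 41h function 4Fh: mov ax,4Fh + int 41h",
     ((b"\xB8\x4F\x00",), (b"\xCD\x41",)), 8),
    ("M07", "int 68h function 43h: mov ah,43h + int 68h",
     ((b"\xB4\x43",), (b"\xCD\x68",)), 8),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 4Fh + push 2A002Ah",
     ((b"\x6A\x4F",), (b"\x68\x2A\x00\x2A\x00",)), 8),
    ("F386", "cmp ax,0F386h (debugger magic number, methods 05/07/12)",
     ((b"\x3D\x86\xF3",),), 0),
    ("M11", "MeltICE device name passed to CreateFileA/_lopen",
     ((b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"),), 0),
    ("M13", "registry lookup of the SoftICE install key (ASCII only)",
     ((b"NuMega\\SoftICE", b"Uninstall\\SoftICE"),), 0),
)


def _positions(data: bytes, alternatives: Tuple[bytes, ...]) -> List[int]:
    """Offsets of every occurrence of any alternative pattern (overlaps allowed)."""
    hits = []
    for pat in alternatives:
        i = data.find(pat)
        while i != -1:
            hits.append(i)
            i = data.find(pat, i + 1)
    return sorted(hits)


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, key, description) for every trick found, ordered by offset."""
    found = []
    for key, desc, parts, window in RULES:
        for anchor in _positions(data, parts[0]):
            if all(any(abs(p - anchor) <= window for p in _positions(data, part))
                   for part in parts[1:]):
                found.append((anchor, key, desc))
    return sorted(found)


# Constructed test blob: the page's own snippets, hand-assembled and glued
# together with NOPs. Not a real packer.
SAMPLE = (
    b"\x90" * 8
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # Method 02, the Haspinst.exe loop (16-bit): mov ax,911h / mov dx,[bx] /
    # mov si,4647h / mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6 / jb
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"
    # Method 03 (16-bit): xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call [VxDCall] / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00\x66\x3D\x86\xF3"
    # Method 11: the device name MeltICE hands to CreateFileA
    + b"\\\\.\\SIWVID\x00"
    + b"\x90" * 8
)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a file on disk (e.g. an unpacked DOS/Win9x executable)."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, key, desc in hits:
        print(f"{off:08x}  {key:<5} {desc}")
```

Run it without arguments to see the constructed sample flagged (M01, M02, M03, M05, two F386h compares, M12 and M11, in that order), or pass a file to scan it. The window rule keeps lone bytes such as CCh (int 3) or CD 41h from firing on their own; only a packed or encrypted target (Methods 01 and 02 are popular exactly in such code) will hide the patterns until the layer is unpacked, and the M13 strings are matched as ASCII only.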
</PRE></TD></TR></TBODY></TABLE>