About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx                   ; cl = 0 before the call
    int     41h                     ; reaches our handler only if nobody
                                    ; else (a debugger) intercepts int 41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al -> the call was intercepted
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
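Added example (not from the original text): a static scanner, written in Python, for the byte sequences behind Methods 01 to 07 in a raw code blob. It assumes 16-bit code (the 66h operand-size prefix is accepted where ebp is used or where 32-bit code would load ax) and allows a bounded gap between the key instructions, so a few interleaved instructions do not hide the pattern. The sample blob is constructed for the example and is not taken from any real program.

```python
import re

# Byte-level signatures for the SoftICE checks described above (Methods 01-07).
# Each pattern is a regex over raw bytes; ".{0,N}?" allows a few unrelated
# instructions between the key ones. 16-bit code is assumed; the optional
# 0x66 prefix covers "mov ebp, imm32" and "mov ax, imm16" in either mode.
SIGNATURES = [
    ("01 int 3 with ebp='BCHK', ax=4 (BoundsChecker probe)",
     rb"\x66?\xBD\x4B\x48\x43\x42"            # mov ebp, 04243484Bh
     rb".{0,8}?\x66?\xB8\x04\x00"             # mov ax, 04h
     rb".{0,8}?(?:\xCC|\xCD\x03)"),           # int 3
    ("02 int 3 back door (si=4647h, di=4A4Dh)",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"   # mov si,4647h ... mov di,4A4Dh
     rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"    # (either order)
     rb".{0,8}?(?:\xCC|\xCD\x03)"),           # int 3
    ("03/04 int 2Fh/1684h with bx=0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16"                         # mov ax, 1684h
     rb".{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"     # mov bx, 0202h / 7A5Fh
     rb".{0,8}?\xCD\x2F"),                    # int 2Fh
    ("05 int 41h/4Fh compared with 0F386h",
     rb"\xB8\x4F\x00"                         # mov ax, 4Fh
     rb".{0,16}?\xCD\x41"                     # int 41h
     rb".{0,16}?\x3D\x86\xF3"),               # cmp ax, 0F386h
    ("06 int 41h with PIT byte round-trip (in al,40h)",
     rb"\xE4\x40"                             # in al, 40h
     rb".{0,8}?(?:\x33\xC9|\x31\xC9)"         # xor cx,cx
     rb".{0,8}?\xCD\x41"),                    # int 41h
    ("07 int 68h/43h compared with 0F386h",
     rb"\xB4\x43"                             # mov ah, 43h
     rb".{0,8}?\xCD\x68"                      # int 68h
     rb".{0,16}?\x3D\x86\xF3"),               # cmp ax, 0F386h
]


def scan(blob):
    """Return [(label, offset, matched_bytes_hex)] sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((label, m.start(), m.group(0).hex()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a harmless prologue followed by one instance of each
# check, separated by NOPs. Not taken from any real binary.
SAMPLE = b"".join([
    b"\x55\x8B\xEC",                                              # push bp / mov bp,sp
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",  # Method 01
    b"\x90" * 4,
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC",                  # Method 02 (ax=0911h)
    b"\x90" * 4,
    b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F",          # Method 03
    b"\x90" * 4,
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05",                  # Method 05
    b"\x90" * 4,
    b"\xE4\x40\x33\xC9\xCD\x41\x3A\xC8",                          # Method 06 core
    b"\x90" * 4,
    b"\xB4\x43\xCD\x68\x3D\x86\xF3",                              # Method 07
])

if __name__ == "__main__":
    for label, off, raw in scan(SAMPLE):
        print(f"{off:#06x}  {raw:<28}  Method {label}")
```

A packer can of course spread these instructions apart or compute the immediates at run time, so a scanner like this is a triage aid, not proof of absence; it tells you which of the conditional breakpoints given in this text to set before tracing.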
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
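Added example (not from the original text): a Python decoder for DR7 using the bit layout from the Intel SDM, so the two values quoted above can be read off: 0x400 is only the reserved bit 10 (it always reads as 1), and 0x700 adds the LE and GE bits. The loader heuristic encodes the text's observation, not a documented property of SoftICE, and the DR0..DR3 values in the sample are constructed.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per slot)
#   bits 8,9   : LE, GE (exact breakpoint enable; legacy bits set by debuggers)
#   bit  10    : reserved, always reads as 1 -> a "clean" DR7 reads 0x400
#   bit  13    : GD (general detect: trap any access to the debug registers)
#   bits 16+4n : R/W n (00 execute, 01 write, 10 I/O, 11 read/write)
#   bits 18+4n : LEN n (00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Decode a DR7 value into its global flags and the four breakpoint slots."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "slots": slots}


def active_breakpoints(dr7, dr0_3):
    """List (address, kind, length) for every enabled slot; dr0_3 = [DR0..DR3]."""
    info = decode_dr7(dr7)
    return [(dr0_3[s["slot"]], s["kind"], s["length"])
            for s in info["slots"] if s["enabled"]]


def looks_like_softice_loader(dr7):
    """The text's heuristic: DR7 == 0x700 (LE and GE on top of the always-set
    bit 10) when the program was started through the SoftICE loader, 0x400
    otherwise. An observation from the text, not a documented contract."""
    return (dr7 & 0x700) == 0x700


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable summary of DR7 plus any enabled hardware breakpoints."""
    info = decode_dr7(dr7)
    lines = [f"DR7={dr7:#x}: LE={info['LE']} GE={info['GE']} GD={info['GD']}"
             f" loader={looks_like_softice_loader(dr7)}"]
    for addr, kind, ln in active_breakpoints(dr7, dr0_3):
        lines.append(f"  breakpoint at {addr:#010x}: {kind}, {ln} byte(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(0x400))   # nothing set, reserved bit only
    print(describe(0x700))   # LE + GE: the loader case from the text
    # constructed: slot 0 enabled (L0|G0), read/write, 4 bytes, DR0 = 0x401000
    print(describe(0xF0703, (0x401000, 0, 0, 0)))
```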
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

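Added example (not from the original text): a Python model of the path described in this method, from CreateFileA on "\\.\SICE" through the VxDCall into VWIN32 service 0x001F, the DDB list walk and the W32_DEVICEIOCONTROL (0x23) DIOC_OPEN message, with two observation points: what an IFS hook would see and what a hook on the VxD's control proc would see. The DDB, control-proc and hook structures are simplified stand-ins, the DIOC codes are kept as names rather than values, and the DDB lists are constructed.

```python
# Simplified model of the MeltICE flow described above. Only the value of
# W32_DEVICEIOCONTROL (0x23) comes from the text; everything else is a stand-in.
W32_DEVICEIOCONTROL = 0x23
INVALID_HANDLE_VALUE = -1


class DDB:
    """Minimal Device Description Block: a name and a control procedure that
    returns (carry_flag, eax) for a control message (stand-in structure)."""
    def __init__(self, name, control_proc):
        self.name = name
        self.control_proc = control_proc


def softice_control_proc(message, func):
    # Per the text: a loaded SoftICE always clears eax and CF, so the open
    # request succeeds and the driver is "seen".
    return (False, 0)


def refusing_control_proc(message, func):
    # Constructed: a VxD that rejects DIOC_OPEN (CF set), so no handle opens.
    return (True, 0)


class Win9xModel:
    def __init__(self, ddb_list):
        self.ddb_list = ddb_list      # constructed list of loaded VxDs
        self.ifs_log = []             # what an IFS hook would observe
        self.control_log = []         # what a hook on a control proc observes

    def create_file_a(self, path):
        if not path.startswith("\\\\.\\"):
            self.ifs_log.append(path)           # ordinary file: goes through IFS
            return INVALID_HANDLE_VALUE
        # Device path: VxDCall -> VWIN32 0x001F -> DDB list walk. The IFS hook
        # never sees this request, which is why the text says it cannot catch it.
        name = path[4:]
        for ddb in self.ddb_list:
            if ddb.name == name:
                cf, eax = ddb.control_proc(W32_DEVICEIOCONTROL, "DIOC_OPEN")
                self.control_log.append((name, "DIOC_OPEN", cf, eax))
                return name if not cf else INVALID_HANDLE_VALUE
        return INVALID_HANDLE_VALUE             # no such VxD loaded: open fails

    def close_handle(self, handle):
        for ddb in self.ddb_list:
            if ddb.name == handle:
                cf, eax = ddb.control_proc(W32_DEVICEIOCONTROL, "DIOC_CLOSEHANDLE")
                self.control_log.append((handle, "DIOC_CLOSEHANDLE", cf, eax))


def is_softice95_loaded(model):
    """Same logic as the IsSoftIce95Loaded() sample above, run against the model."""
    h = model.create_file_a("\\\\.\\SICE")
    if h != INVALID_HANDLE_VALUE:
        model.close_handle(h)
        return True
    return False


if __name__ == "__main__":
    with_sice = Win9xModel([DDB("OTHERVXD", refusing_control_proc),
                            DDB("SICE", softice_control_proc)])
    without = Win9xModel([DDB("OTHERVXD", refusing_control_proc)])
    print("SoftICE loaded:", is_softice95_loaded(with_sice))    # True
    print("control proc hook saw:", with_sice.control_log)     # DIOC_OPEN, DIOC_CLOSEHANDLE
    print("IFS hook saw:", with_sice.ifs_log)                   # [] - nothing at all
    print("SoftICE loaded:", is_softice95_loaded(without))      # False
```

The two logs are the point: the IFS-level observer stays empty for the device open, while a hook on the control proc records the DIOC_OPEN and DIOC_CLOSEHANDLE pair, which is exactly the check the text suggests (hooking the Winice.exe control proc entry point while MeltICE runs).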

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>