<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4 ; al is still 4 when no debugger answered the BCHK request
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (API "Get entry point"):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
add ax, di
test ax,ax
jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD:

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

xor ax,ax
mov es,ax ; ES = 0 -> interrupt vector table (as in Method 06)
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; swap in our own int 41h handler...
xchg bx, es:[41h*4+2]
mov ax,4fh
int 41h
xchg dx, es:[41h*4] ; ...and restore the original vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

The 2nd method is similar to the preceding one but more difficult to detect:

int41handler PROC
mov cl,al ; our handler only runs if nobody else owns int 41h
iret
int41handler ENDP

xor ax,ax
mov es,ax
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h ; arbitrary value from the timer port
xor cx,cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl,al ; cl == al only if our handler was reached
jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

mov ah, 25h
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine
int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32),
               ; low word specifies which service (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxdCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
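Added example (not part of the original text): a small Python triage scanner that looks for the byte encodings of the tricks described above in a file image, the static counterpart of the per-method BPX conditions given in the text. The encodings are my assumptions derived from the instruction sequences shown (16-bit operand-size forms, with an optional 66h prefix where a 32-bit build would insert one), and the sample image is constructed.

```python
"""Static triage of the SoftICE detection tricks described above (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    detail: str


# Byte patterns are assumptions derived from the instruction sequences shown per
# method (16-bit forms; "\x66?" allows the operand-size prefix of a 32-bit build).
SIGNATURES = [
    ("Method 01", "mov ebp,'BCHK' (BoundsChecker interface request)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02", "mov si,4647h / mov di,4A4Dh (back-door magic values)",
     rb"\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    ("Method 03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD entry point)",
     rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("Method 05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 07", "mov ah,43h / int 68h (V86 debugger check)",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11", "SoftICE device name for CreateFileA/_lopen",
     re.escape(b"\\\\.\\") + b"(?:SICE|SIWVID|NTICE)"),
    ("Method 12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 13", "NuMega SoftICE registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(blob: bytes) -> list[Hit]:
    """Return every signature hit in blob, ordered by file offset."""
    hits = []
    for method, detail, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append(Hit(m.start(), method, detail))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample image (not a real binary): NOP filler around four of the tricks.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 sequence
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03 sequence
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12 sequence
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"              # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                     # Method 13 registry key
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:08x}  {h.method:<12} {h.detail}")
```

Run it on a real file with `scan(open(path, "rb").read())`; a hit is a lead to inspect at that offset, not proof of the trick, since short byte sequences can occur by chance.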
</PRE></TD></TR></TBODY></TABLE>