About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with EBP holding the
'BCHK' signature and AX = 4, an INT 3 that reaches SoftICE comes back with
AL changed, whereas without SoftICE AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"). If the VxD is present, ES:DI comes back
non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). Before issuing the call,
the real-mode int 41h vector is swapped for a plain IRET stub, so a handler
installed in the interrupt vector table cannot be the one answering: with no
debugger present ax comes back unchanged (4Fh), whereas WinICE, which traps
the interrupt in ring 0 below the V86 vector, still answers 0F386h.
Note that the code below assumes ES already points at the interrupt vector
table (segment 0), which Method 06 sets explicitly.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our stub (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

3 E9 n2 b. [" ]1 l! i" W( a9 wMethod 06  A  h" y. w6 w7 D, h$ o) m
=========
" D- I4 {5 X' a, A$ J* Q* c2 [4 P/ }  V( C$ P4 J& j
$ f+ H/ A6 }# [& R
2nd method similar to the preceding one but more difficult to detect:
; G  w2 R8 `2 [1 u7 A3 e4 Z0 v! `6 p" i
( _0 F0 j% Y7 q$ p
int41handler PROC
( R0 W) Q5 E" i    mov     cl,al4 o6 J! A4 N! c2 j9 A! S
    iret
' U: E, J* c; ^& I) X4 m. Pint41handler ENDP5 [9 r  p0 }( {% E+ c- |- D& V6 r
# r3 f! [( m  N$ T% ~2 {- Z
0 }+ D, S7 c5 a) I$ k
    xor     ax,ax  l# S  J  R: t0 l4 F
    mov     es,ax5 W8 J* z6 k1 y  l
    mov     bx, cs5 C6 I+ s- A# }) w% |% n) x
    lea     dx, int41handler3 ~# N% v, t1 _9 y
    xchg    dx, es:[41h*4]
! R9 A9 a- |% L7 l1 s    xchg    bx, es:[41h*4+2]
7 |! I) \; a% g' P    in      al, 40h
: i) U" i# y+ `5 ^1 \/ Z    xor     cx,cx8 X! o5 N! l: j
    int     41h, r0 x4 d" U+ i4 w+ x3 ]# N
    xchg    dx, es:[41h*4]0 d1 ?( i5 l) J4 z% W
    xchg    bx, es:[41h*4+2]
$ d& y5 l9 @+ O" H' _. N; z6 u4 ^    cmp     cl,al) [4 t1 B* _  `$ t' }
    jnz     SoftICE_detected9 t+ {8 l. ]4 J" u
& l6 X8 W+ Q7 Q) h7 W
_________________________________________________________________________
. R6 c1 B6 m, T- _  r& r5 o  L" |/ M, I
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS must hold its segment
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

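What those two DR7 values mean, and what the "values can be manipulated" part
looks like, as an added example (Python; not code from the original text): it
decodes a DR7 value with Intel's documented bit layout, applies the 0x700/0x400
heuristic quoted above, and arms or clears a data-breakpoint slot the way a BPM
would, which goes a little beyond the text. Reading the registers needs ring 0
and is assumed to happen elsewhere; here the values arrive as plain integers.

```python
# Added example, not from the original text: decode and rewrite an x86 DR7
# value the way an anti-debug routine reading the debug registers in ring 0
# would (Method 10). Bit layout is Intel's documented one; the sample values
# 0x700 and 0x400 are the ones quoted above. Reading DRx itself needs ring 0
# and is assumed to happen elsewhere; the values arrive here as integers.

RW_CODES = {"exec": 0, "write": 1, "io": 2, "read/write": 3}   # io needs CR4.DE
RW_NAMES = {v: k for k, v in RW_CODES.items()}
LEN_CODES = {1: 0, 2: 1, 8: 2, 4: 3}                            # 8 bytes: long mode only
LEN_NAMES = {v: k for k, v in LEN_CODES.items()}
RESERVED_ONE = 1 << 10          # bit 10 always reads as 1: hence the 0x400 baseline


def decode_dr7(dr7):
    """List the armed breakpoint slots (DR0..DR3) and the control flags."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 live in bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 live in bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wn: bits 16-17, 20-21, 24-25, 28-29
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENn: bits 18-19, 22-23, 26-27, 30-31
            slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                          "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "slots": slots,
        "LE": bool(dr7 & (1 << 8)),     # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),     # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),    # general detect: traps MOV to/from DRn
    }


def loaded_by_softice_loader(dr7):
    """The text's heuristic: 0x700 (LE and GE set) vs 0x400 (only the reserved bit)."""
    return (dr7 & 0x300) == 0x300


def arm_bpm(dr7, slot, kind, length):
    """Arm `slot` as a data breakpoint (what SoftICE's BPM does); return new DR7."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    mask = (0b11 << (2 * slot)) | (0xF << (16 + 4 * slot))
    dr7 &= ~mask                                  # drop the slot's old enable/type/len
    dr7 |= 1 << (2 * slot)                        # local enable
    dr7 |= RW_CODES[kind] << (16 + 4 * slot)
    dr7 |= LEN_CODES[length] << (18 + 4 * slot)
    return dr7 | RESERVED_ONE


def clear_bpms(dr7):
    """Disarm every slot: the 'clearing BPMs' manipulation the text mentions."""
    return (dr7 & ~0xFFFF00FF) | RESERVED_ONE     # keep bits 8-15 (LE/GE/GD), zero the rest


def report(dr7, addrs):
    """One human-readable line per armed slot, given the DR0..DR3 addresses."""
    lines = []
    for s in decode_dr7(dr7)["slots"]:
        scope = "global" if s["global"] else "local"
        lines.append("DR%d=%08X %s len=%d (%s)"
                     % (s["slot"], addrs[s["slot"]], s["type"], s["len"], scope))
    return lines


if __name__ == "__main__":
    for v in (0x700, 0x400):
        print("DR7=%#x loader=%s %s" % (v, loaded_by_softice_loader(v), decode_dr7(v)))
    dr7 = arm_bpm(0x700, 0, "write", 4)           # a 'BPM 401000 W' as a packer sees it
    print("%#x" % dr7, report(dr7, [0x401000, 0, 0, 0]))
    print("%#x" % clear_bpms(dr7))
```

A routine that only compares DR7 against 0x700 is easy to fool by clearing LE/GE
from ring 0; the slot decoding is what actually reveals a BPM, and clear_bpms
shows how little it takes to silence one.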
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

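The breakpoint above and the CreateFileA one in Method 11 hard-code offsets
into the strings being opened. The following Python snippet, an added example
that is not part of the original text, rebuilds both breakpoint lines from the
raw device names and registry keys so those offsets can be checked rather than
trusted. The argument slots (esp->4 for CreateFileA's lpFileName, esp->8 for
RegOpenKey's lpSubKey) are the ones the quoted breakpoints themselves use, and
'tICE' is the text's marker; the generator also shows why 'Soft' would not do
(it sits at offset 0 of every key under Software) and that key #3 contains no
'tICE' window at all, so the quoted breakpoint does not cover it.

```python
# Added example, not from the original text: rebuild the SoftICE conditional
# breakpoints of Methods 11 and 13 from the raw strings, so the hard-coded
# offsets (+4, +0x13, +0x37) can be verified instead of trusted.

SICE_DEVICES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]          # Method 11
SICE_REG_KEYS = [                                                    # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",  # #1
    r"Software\NuMega\SoftICE",                                      # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # #3
]


def four_chars(s, offset):
    """The 4-byte window that *(ptr+offset)=='XXXX' compares against."""
    return s[offset:offset + 4]


def device_windows(names, skip=4):
    """(offset, text) just past the 4-byte device prefix, in first-seen order."""
    wins = []
    for n in names:
        w = (skip, four_chars(n, skip))
        if w not in wins:
            wins.append(w)
    return wins


def key_windows(keys, marker):
    """Offset of `marker` in each key, None when the key does not contain it."""
    return {k: (k.find(marker) if marker in k else None) for k in keys}


def fmt_offset(off):
    """SoftICE accepts decimal and 0x-prefixed hex; mirror the text's style."""
    return "%d" % off if off < 10 else "0x%x" % off


def bpx_line(func, arg_slot, windows):
    """Assemble `BPX func if *(esp->SLOT+OFF)=='TEXT' || ...`."""
    clauses = ["*(esp->%d+%s)=='%s'" % (arg_slot, fmt_offset(off), text)
               for off, text in windows]
    return "BPX %s if %s" % (func, " || ".join(clauses))


def createfile_bpx():
    """Method 11: lpFileName is the first argument, at esp->4 on entry."""
    return bpx_line("CreateFileA", 4, device_windows(SICE_DEVICES))


def regopenkey_bpx(marker="tICE"):
    """Method 13: lpSubKey is the second argument, at esp->8 on entry."""
    offsets = key_windows(SICE_REG_KEYS, marker)
    wins = sorted({(off, marker) for off in offsets.values() if off is not None})
    return bpx_line("_regopenkey", 8, wins)


def uncovered_keys(marker="tICE"):
    """Keys the Method 13 breakpoint cannot fire on (no marker window in them)."""
    return [k for k, off in key_windows(SICE_REG_KEYS, marker).items() if off is None]


if __name__ == "__main__":
    print(createfile_bpx())
    print(regopenkey_bpx())
    print("not covered:", uncovered_keys())
    print("'Soft' offsets:", sorted(key_windows(SICE_REG_KEYS, "Soft").values()))
```

Running it prints the two breakpoint lines exactly as quoted in the text, lists
key #3 as uncovered, and shows 'Soft' at offset 0 for all three keys, which is
why a four-character window deeper in the name has to be used.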
__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
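Most of the tricks above leave a fixed byte sequence in the file: the 'BCHK' and
4647h/4A4Dh immediates, the int 2Fh/1684h and int 41h/4Fh sequences, the
push 2A002Ah of the VxDCall variant, and the device and registry strings. The
following static scanner, an added example in Python that is not part of the
original text, looks for the x86 encodings of the sequences quoted in Methods
01 to 07, 11, 12 and 13 (with an optional 66h operand-size prefix so 16-bit
and 32-bit code both match) and reports which methods a file uses. The SAMPLE
buffer is constructed here for the demonstration and is not a real packer;
Method 06 randomises the function number and so has no fixed signature.

```python
# Added example, not from the original text: a static triage scanner for the
# anti-SoftICE idioms of Methods 01-07, 11, 12 and 13. The byte patterns are
# the x86 encodings of the instruction sequences quoted above (an optional 66h
# operand-size prefix lets 16-bit and 32-bit code both match) plus the device
# and registry strings. SAMPLE is a constructed buffer, not a real packer.
import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REG_KEYS = [b"Software\\NuMega\\SoftICE",
            b"CurrentVersion\\Uninstall\\SoftICE",
            b"App Paths\\Loader32.Exe"]

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01 BoundsChecker int 3", rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    ("02 SoftICE back door int 3",
     rb"(?:(?:\x66)?\xBE\x47\x46.{0,6}?(?:\x66)?\xBF\x4D\x4A"
     rb"|(?:\x66)?\xBF\x4D\x4A.{0,6}?(?:\x66)?\xBE\x47\x46).{0,12}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h (Method 06 randomises AL, so it is not caught)
    ("05 int 41h/4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Supporting evidence for 05/07/12: cmp ax,0F386h
    ("evidence cmp ax,0F386h", rb"\x3D\x86\xF3"),
]
SIGNATURES += [("11 device name " + n[4:].decode("ascii"), re.escape(n))
               for n in DEVICE_NAMES]
SIGNATURES += [("13 registry key " + k.decode("ascii"), re.escape(k))
               for k in REG_KEYS]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(buf):
    """Return [(offset, signature name), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_used(buf):
    """Set of method numbers seen ('01', '03/04', ...); evidence-only hits excluded."""
    return {name.split(" ", 1)[0] for _, name in scan(buf) if name[0].isdigit()}


FILLER = b"\x90" * 5                       # NOP padding between planted idioms
SAMPLE = (                                 # constructed for this example
    FILLER
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + FILLER
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                   # Method 02, AX=0911h
    + FILLER
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03
    + FILLER
    + b"\\\\.\\SICE\x00"                                             # Method 11
    + FILLER
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\x66\x3D\x86\xF3"               # Method 12 + cmp
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%08x  %s" % (off, name))
    print("methods:", sorted(methods_used(SAMPLE)))
```

The patterns are deliberately tight (a few bytes of slack between the
instructions, nothing more), so a packed or self-modifying protector that
builds the magic values at run time will not be caught; that is the usual
limit of static triage, and the breakpoints listed under each method are the
dynamic complement.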
</PRE></TD></TR></TBODY></TABLE>