About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes the BoundsChecker interface built into SoftICE: SoftICE answers
the call by changing AL, so AL still being 4 afterwards means no debugger.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (ES:DI stays 0000:0000 if the VxD is absent)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net).  Both temporarily point the int 41h vector
at their own handler before the call, so the check only fires if something
traps int 41h independently of the IVT entry (as SoftICE does).  Note that
ES must be 0 (the IVT segment) here; Method 06 shows it being set:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
no 4Fh or 0F386h constant appears: a pseudo-random byte read from the timer
port is sent through int 41h to the program's own handler, which echoes it
into CL; if CL differs from AL afterwards, something else handled the call.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer
    xor     cx,cx
    int     41h                     ; our handler copies AL to CL...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger intercepted the call
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
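As an added worked example (not part of the original text, and not code from any of the programs it names), here are the register signatures of Methods 01 to 07 written as a small C classifier that replays a constructed trace of interrupt events, the way an emulator or an interrupt tracer would flag these probes. The event layout, the type and function names and the sample trace are this example's own; the constants are the ones documented above.

```c
/* Added example, not from the original text: replay a constructed trace of
 * software-interrupt events and tag those matching the probes of Methods 01-07.
 * Struct/function names and the trace layout are this example's own; the
 * constants are the ones the text documents. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

enum probe {
    PROBE_NONE = 0,
    PROBE_BCHK,          /* Method 01: int 3, EBP='BCHK', AX=4                */
    PROBE_BACKDOOR,      /* Method 02: int 3, SI=4647h, DI=4A4Dh, AX=091xh    */
    PROBE_BACKDOOR_EXEC, /* Method 02, AX=0911h: runs the command at DS:DX    */
    PROBE_VXD_API,       /* Methods 03/04: int 2Fh, AX=1684h, BX=0202h/7A5Fh  */
    PROBE_INT41_4F,      /* Methods 05/06: int 41h, AX=4Fh                    */
    PROBE_INT68_43       /* Method 07: int 68h, AH=43h                        */
};

struct int_event {
    uint8_t     vector;             /* interrupt number */
    uint32_t    eax, ebx, ebp, esi, edi;
    const char *ds_dx;              /* ASCIZ at DS:DX, or NULL */
};

#define BCHK_MAGIC 0x4243484Bu      /* 'BCHK', as loaded into EBP by Method 01 */

enum probe classify_int_event(const struct int_event *e)
{
    uint16_t ax = (uint16_t)e->eax, bx = (uint16_t)e->ebx;
    uint16_t si = (uint16_t)e->esi, di = (uint16_t)e->edi;

    switch (e->vector) {
    case 0x03:
        if (e->ebp == BCHK_MAGIC && ax == 0x0004)
            return PROBE_BCHK;
        if (si == 0x4647 && di == 0x4A4D && ax >= 0x0910 && ax <= 0x0914)
            return ax == 0x0911 ? PROBE_BACKDOOR_EXEC : PROBE_BACKDOOR;
        return PROBE_NONE;
    case 0x2F:
        return (ax == 0x1684 && (bx == 0x0202 || bx == 0x7A5F)) ? PROBE_VXD_API : PROBE_NONE;
    case 0x41:
        return ax == 0x004F ? PROBE_INT41_4F : PROBE_NONE;
    case 0x68:
        return (ax >> 8) == 0x43 ? PROBE_INT68_43 : PROBE_NONE;
    default:
        return PROBE_NONE;
    }
}

/* A back-door command is destructive when it is HBOOT (the hard reboot the
 * HASPINST sequence ends with).  Case-insensitive, leading blanks skipped. */
int backdoor_cmd_is_destructive(const char *cmd)
{
    const char *want = "HBOOT";
    size_t i;
    if (!cmd) return 0;
    while (*cmd == ' ') cmd++;
    for (i = 0; want[i]; i++)
        if (toupper((unsigned char)cmd[i]) != want[i]) return 0;
    return cmd[i] == '\0' || cmd[i] == ' ';
}

/* Scan a trace; returns the number of probe events and stores the index of
 * the first destructive back-door command (or -1) in *destructive_idx. */
size_t scan_trace(const struct int_event *ev, size_t n, int *destructive_idx)
{
    size_t hits = 0;
    *destructive_idx = -1;
    for (size_t i = 0; i < n; i++) {
        enum probe p = classify_int_event(&ev[i]);
        if (p != PROBE_NONE) hits++;
        if (p == PROBE_BACKDOOR_EXEC && *destructive_idx < 0 &&
            backdoor_cmd_is_destructive(ev[i].ds_dx))
            *destructive_idx = (int)i;
    }
    return hits;
}

/* Constructed sample trace: the six HASPINST back-door calls from Method 02,
 * one instance of each other probe, and two benign interrupts. */
size_t build_sample_trace(struct int_event *out, size_t cap)
{
    static const char *const hasp_cmds[] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };
    size_t n = 0;
    if (cap < 12) return 0;
    for (size_t i = 0; i < 6; i++)
        out[n++] = (struct int_event){ 0x03, 0x0911, 0, 0, 0x4647, 0x4A4D, hasp_cmds[i] };
    out[n++] = (struct int_event){ 0x03, 0x0004, 0, BCHK_MAGIC, 0, 0, NULL }; /* Method 01 */
    out[n++] = (struct int_event){ 0x2F, 0x1684, 0x0202, 0, 0, 0, NULL };     /* Method 03 */
    out[n++] = (struct int_event){ 0x41, 0x004F, 0, 0, 0, 0, NULL };          /* Method 05 */
    out[n++] = (struct int_event){ 0x68, 0x4300, 0, 0, 0, 0, NULL };          /* Method 07 */
    out[n++] = (struct int_event){ 0x21, 0x4C00, 0, 0, 0, 0, NULL };          /* benign: DOS exit */
    out[n++] = (struct int_event){ 0x03, 0x0000, 0, 0, 0, 0, NULL };          /* benign: plain int 3 */
    return n;
}

int sample_probe_count(void)
{
    struct int_event ev[16]; int d;
    return (int)scan_trace(ev, build_sample_trace(ev, 16), &d);
}

int sample_destructive_index(void)
{
    struct int_event ev[16]; int d;
    scan_trace(ev, build_sample_trace(ev, 16), &d);
    return d;
}
```

The HASPINST sequence from Method 02 is replayed as six AX=0911h events; only the sixth (HBOOT) is flagged as destructive. A sandbox that answers these back-door calls instead of exposing the debugger should refuse that one rather than execute it.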
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall back door).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only).  Values can be manipulated or changed as well
(clearing BPMs, for instance).
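Added example, not from the original text: the decoding side of Method 10 in portable C. Reading the registers themselves needs ring 0 (`mov eax, dr7` from a VxD, for instance); the values below are constructed to match what the text describes (0x700 with the SoftICE loader, 0x400 without) plus one memory breakpoint. Bit positions follow the x86 DR7 layout; the type and function names are the example's own.

```c
/* Added example, not from the original text: decoding DR0-DR3/DR7 the way
 * Method 10 reads them.  Register values here are constructed; a real read
 * ("mov eax, dr7") is ring 0 only.  Names are this example's own. */
#include <stdint.h>

#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSVD (1u << 10)   /* reserved bit that always reads as 1: the 0x400 */

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };  /* DR7 R/Wn field */

struct hw_bp {
    uint32_t     addr;     /* DRn linear address */
    enum bp_kind kind;
    int          len;      /* 1, 2, 4 (8 only on 64-bit CPUs) */
    int          global;   /* Gn rather than Ln enable bit */
};

/* The text's observation: DR7 reads 0x700 under the SoftICE loader
 * (LE|GE|reserved) and 0x400 otherwise. */
int dr7_has_softice_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Decode enabled breakpoint slots; returns the count, fills out[] in slot order. */
int decode_bpm(uint32_t dr7, const uint32_t dr[4], struct hw_bp out[4])
{
    static const int len_table[4] = { 1, 2, 8, 4 };   /* LENn: 00=1, 01=2, 10=8, 11=4 */
    int n = 0;
    for (int slot = 0; slot < 4; slot++) {
        unsigned local  = (dr7 >> (2 * slot)) & 1;
        unsigned global = (dr7 >> (2 * slot + 1)) & 1;
        if (!local && !global) continue;
        out[n].addr   = dr[slot];
        out[n].kind   = (enum bp_kind)((dr7 >> (16 + 4 * slot)) & 3);
        out[n].len    = len_table[(dr7 >> (18 + 4 * slot)) & 3];
        out[n].global = (int)global;
        n++;
    }
    return n;
}

/* What a protector does once it has seen BPMs: clear every Ln/Gn enable and
 * the R/W and LEN fields, keeping LE/GE/GD and the reserved bit. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

/* Build the DR7 a debugger writes for one breakpoint (used for the sample). */
uint32_t dr7_set_bpm(uint32_t dr7, int slot, enum bp_kind kind, int len)
{
    unsigned len_bits = len == 1 ? 0 : len == 2 ? 1 : len == 8 ? 2 : 3;
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= 1u << (2 * slot);                                 /* Ln */
    dr7 |= ((unsigned)kind | (len_bits << 2)) << (16 + 4 * slot);
    return dr7;
}

/* Constructed sample: registers left behind by "BPM 401000 W" under the
 * SoftICE loader.  Returns 1 when the decoder recovers exactly that. */
int sample_bpm_check(void)
{
    const uint32_t dr[4] = { 0x401000u, 0, 0, 0 };
    uint32_t dr7 = dr7_set_bpm(DR7_LE | DR7_GE | DR7_RSVD, 0, BP_WRITE, 4);  /* 0xD0701 */
    struct hw_bp bp[4];
    int n = decode_bpm(dr7, dr, bp);
    return n == 1 && bp[0].addr == 0x401000u && bp[0].kind == BP_WRITE &&
           bp[0].len == 4 && !bp[0].global;
}
```

Because the reserved bit 10 always reads as 1, a raw value of 0x400 is the "nothing set" state; the loader signature is the LE/GE pair on top of it, and each BPM adds one Ln bit plus its R/W and LEN nibble, which is what `dr7_clear_bpm` strips.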

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall back door.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

     (0x13 is the offset of 'tICE' in "Software\NuMega\SoftICE" and 0x37 its
     offset in "...\CurrentVersion\Uninstall\SoftICE"; key #3 is not covered)

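Added example, not part of the original text: the byte-offset comparisons that the breakpoint conditions of Method 11 (`*(esp->4+4)=='SICE'` ...) and Method 13 (`*(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'`) perform, written in portable C so the offsets can be verified and so the case-folding gap of a raw dword compare is visible. The sample API call list is constructed; the function and type names are the example's own.

```c
/* Added example, not from the original text: portable re-statement of the
 * SoftICE breakpoint conditions of Methods 11 and 13.  Sample strings are
 * constructed; names are this example's own. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Compare the 4 bytes at s+off with a 4-char tag, like the breakpoint's dword
 * dereference, but without reading past the terminator.  ci=1 folds ASCII
 * case, which the SoftICE expression does not (it compares raw bytes). */
static int tag_at(const char *s, size_t off, const char *tag, int ci)
{
    if (strlen(s) < off + 4) return 0;
    for (int i = 0; i < 4; i++) {
        unsigned char a = (unsigned char)s[off + i], b = (unsigned char)tag[i];
        if (ci ? toupper(a) != toupper(b) : a != b) return 0;
    }
    return 1;
}

/* Method 11: device names handed to CreateFileA / _lopen.  "\\.\" is four
 * bytes, so the driver tag starts at offset 4: that is what esp->4+4 reads. */
int is_softice_device_open(const char *path, int ci)
{
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    return tag_at(path, 4, "SICE", ci) || tag_at(path, 4, "SIWV", ci) ||
           tag_at(path, 4, "NTIC", ci);
}

/* Method 13: first offset of "tICE" in a subkey path, or -1.  Yields 0x13 for
 * Software\NuMega\SoftICE and 0x37 for ...\Uninstall\SoftICE, the two
 * constants in the _regopenkey breakpoint. */
int tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (int)(p - subkey) : -1;
}

int is_softice_registry_probe(const char *subkey)
{
    return tag_at(subkey, 0x13, "tICE", 0) || tag_at(subkey, 0x37, "tICE", 0);
}

struct api_call { const char *api; const char *arg; };

/* Returns how many calls the two breakpoint conditions would stop on; stores
 * in *missed_by_case how many device opens only a case-folded compare catches. */
int count_probes(const struct api_call *calls, size_t n, int *missed_by_case)
{
    int hits = 0;
    *missed_by_case = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(calls[i].api, "RegOpenKeyA") == 0) {
            hits += is_softice_registry_probe(calls[i].arg);
        } else {  /* CreateFileA or _lopen: the argument is the file name */
            int exact = is_softice_device_open(calls[i].arg, 0);
            hits += exact;
            if (!exact && is_softice_device_open(calls[i].arg, 1)) (*missed_by_case)++;
        }
    }
    return hits;
}

/* Constructed sample of calls a protector might issue. */
static const struct api_call sample_calls[] = {
    { "CreateFileA", "\\\\.\\SICE" },
    { "CreateFileA", "\\\\.\\SIWVID" },
    { "CreateFileA", "\\\\.\\NTICE" },
    { "_lopen",      "\\\\.\\sice" },                         /* evades the byte compare */
    { "CreateFileA", "C:\\TEMP\\SICE.TXT" },                   /* no \\.\ prefix */
    { "RegOpenKeyA", "Software\\NuMega\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Run" },
};
#define N_SAMPLE (sizeof sample_calls / sizeof sample_calls[0])

int sample_hits(void)           { int m; return count_probes(sample_calls, N_SAMPLE, &m); }
int sample_missed_by_case(void) { int m; count_probes(sample_calls, N_SAMPLE, &m); return m; }
```

Two points the run makes explicit: the registry breakpoint stops on keys #1 and #2 but never on key #3 (no `tICE` at either offset), and Win32 device names are matched case-insensitively by the system while the `=='SICE'` dword compare is not, so a program opening `\\.\sice` slips past the classical BPX.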
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>