<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
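The SI/DI magic values make this trick easy to spot at the byte level when triaging a DOS binary or a memory dump. The following Python is an added example (not code from the original text or from any of the tools it names): it scans raw code for an int 3 that is preceded, within a short window, by mov si,4647h and mov di,4A4Dh, and reports the AX function code from the last mov ax,imm16 in that window. The opcode encodings are the standard 8086 ones; the sample bytes are a constructed re-encoding of the Haspinst.exe listing above, padded so that the reported offsets match the listing, plus a constructed negative control.

```python
# Added example (not code from the original text): byte-level signature scan
# for the int 3 back door call. Standard 8086 encodings used here:
#   mov si,imm16 = BE iw   mov di,imm16 = BF iw   mov ax,imm16 = B8 iw   int 3 = CC

MAGIC_SI = bytes.fromhex("BE4746")   # mov si,4647h
MAGIC_DI = bytes.fromhex("BF4D4A")   # mov di,4A4Dh
INT3 = 0xCC
WINDOW = 16                          # bytes inspected before each int 3

# AX function codes as listed on the page.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}


def find_backdoor_calls(code: bytes, window: int = WINDOW) -> list:
    """Return (offset, ax_value, description) for every int 3 that has both
    magic loads within `window` bytes before it. ax_value comes from the last
    B8 byte in the window read as 'mov ax,imm16'; this is a heuristic (a B8
    byte inside another instruction's immediate would be misread), so treat
    the reported function as a lead to confirm in a disassembler."""
    hits = []
    for i, b in enumerate(code):
        if b != INT3:
            continue
        prefix = code[max(0, i - window):i]
        if MAGIC_SI not in prefix or MAGIC_DI not in prefix:
            continue
        ax = None
        j = prefix.rfind(b"\xB8")
        if j >= 0 and j + 3 <= len(prefix):
            ax = int.from_bytes(prefix[j + 1:j + 3], "little")
        hits.append((i, ax, BACKDOOR_FUNCTIONS.get(ax, "unknown function")))
    return hits


# Constructed sample: the Haspinst.exe listing re-encoded as raw bytes and
# placed at offset 0095h so that reported offsets match the listing.
HASPINST_SAMPLE = b"\x90" * 0x95 + bytes.fromhex(
    "B81109"    # 0095 MOV AX,0911
    "8B17"      # 0098 MOV DX,[BX]
    "BE4746"    # 009A MOV SI,4647
    "BF4D4A"    # 009D MOV DI,4A4D
    "CC"        # 00A0 INT 3
    "83C302"    # 00A1 ADD BX,02
    "41"        # 00A4 INC CX
    "83F906"    # 00A5 CMP CX,06
    "72EB"      # 00A8 JB 0095
    "E955FF"    # 00AA JMP 0002
    "8BDC"      # 00AD MOV BX,SP
)

# Constructed negative control: an ordinary "mov ax,4 / int 3" without the
# magic values must not be reported.
PLAIN_INT3 = bytes.fromhex("B80400CC")


if __name__ == "__main__":
    for off, ax, what in find_backdoor_calls(HASPINST_SAMPLE):
        print(f"int 3 back door call at {off:04X}h, AX={ax:04X}h ({what})")
```

Running it prints the single hit at 00A0h with AX=0911h (execute command); a 16-byte window is enough for the listing shown, but a sample that loads the registers further away from the int 3 needs a larger window.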
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an arbitrary value
    xor cx,cx
    int 41h                 ; our handler copies al into cl if it really runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
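The conditional breakpoints given for Method 11 (CreateFileA) and for this method (_regopenkey) both rely on a fixed offset into the string argument: SoftICE's *(ptr+off)=='SICE' reads the 4 bytes at ptr+off and compares them with a 4-character constant, so the offsets 4, 0x13 and 0x37 only work if they land on the right part of the string. The following Python is an added example (not code from the original text or from SoftICE) that checks those offsets against the device names and registry subkeys quoted on the page and rebuilds the two conditions from them; it uses the page's convention that at a BPX on the function entry esp->4 is the first stack argument and esp->8 the second, and the strings are constructed from the page's values.

```python
# Added example (not from the original text): verify and regenerate the
# string offsets used in the SoftICE conditional breakpoints for Methods 11
# and 13. All strings below are constructed from the values quoted on the page.


def dword_at(s: bytes, offset: int) -> bytes:
    """The 4 bytes that '*(s+offset)' reads in a SoftICE expression."""
    if offset < 0 or offset + 4 > len(s):
        raise ValueError(f"offset {offset:#x} reads past the end of {s!r}")
    return s[offset:offset + 4]


def tag_offset(s: bytes, tag: bytes) -> int:
    """Offset of a 4-byte tag inside s, i.e. the number to put in the condition."""
    if len(tag) != 4:
        raise ValueError("SoftICE multi-character constants are 4 bytes long")
    off = s.find(tag)
    if off < 0:
        raise ValueError(f"{tag!r} does not occur in {s!r}")
    return off


def bpx_condition(arg: str, checks) -> str:
    """Join (offset, tag) pairs into *(arg+off)=='TAG' terms, SoftICE style."""
    def fmt(off):
        return f"{off:#x}" if off >= 10 else str(off)
    return " || ".join(f"*({arg}+{fmt(off)})=='{tag.decode('ascii')}'"
                       for off, tag in checks)


# Method 11: CreateFileA's first argument (esp->4 at the BPX) is the device
# name; the four bytes after the "\\.\" prefix identify the driver.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

# Method 13: the second argument of RegOpenKey (esp->8) is the subkey string.
# These are the page's keys #2 and #1 without the HKEY_LOCAL_MACHINE root.
REG_SUBKEYS = [
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
]


def createfile_tags() -> list:
    """What *(esp->4+4) evaluates to for each device name."""
    return [dword_at(name, 4) for name in DEVICE_NAMES]


def createfile_condition() -> str:
    """Rebuild the 'BPX CreateFileA if ...' condition from the device names."""
    return bpx_condition("esp->4", [(4, tag) for tag in createfile_tags()])


def regopenkey_offsets() -> list:
    """Where 'tICE' sits in each subkey; expected to be 0x13 and 0x37."""
    return [tag_offset(key, b"tICE") for key in REG_SUBKEYS]


def regopenkey_condition() -> str:
    """Rebuild the 'BPX _regopenkey if ...' condition from the subkey strings."""
    return bpx_condition("esp->8", [(off, b"tICE") for off in regopenkey_offsets()])


if __name__ == "__main__":
    print("BPX CreateFileA if", createfile_condition())
    print("BPX _regopenkey if", regopenkey_condition())
```

Running it reproduces the two conditions exactly as quoted on the page; the same helpers give the right offset for any other device name or key path a program might probe (key #3 above, for instance, contains no 'tICE' and needs a different tag), and dword_at refuses an offset that would read past the end of the string, which is where a hand-computed breakpoint condition usually goes wrong.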
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>