About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK' in ebp, int 3), which
SoftICE recognises: if SoftICE is loaded, al is no longer 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point); ES:DI comes back as 0:0 when the VxD is absent.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so that without a debugger ax comes back unchanged:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so cl differs from al only if something else
answered the int 41h.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name exposed by the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
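As an added example (my code, not part of the original post or of any of the tools it names), the following Python triage scanner searches a raw DOS/Win9x image for the x86 byte encodings of the checks in methods 01, 02, 03/04, 05, 07, 11 and 12 above, so an analyst knows which anti-debugging checks to expect before stepping through a protector. The names SIGNATURES, scan, methods_used and SAMPLE are my own, and the sample image is constructed here rather than taken from any real program.

```python
import re

# Added example (not from the original post): static triage of a raw DOS /
# Win9x image for the anti-SoftICE checks described above. Each pattern is an
# x86 byte encoding; an optional 0x66 operand-size prefix covers both the
# 16-bit and the 32-bit form of the same instruction. Hits are triage leads
# only: a short byte pattern can also occur by chance in data.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh .. int 3)":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}?\xCC",
    "M02 SoftICE back door (mov si,4647h / mov di,4A4Dh .. int 3)":
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A.{0,16}?\xCC",
    "M03/M04 int 2Fh/1684h VxD entry point (SICE 0202h or SIWVID 7A5Fh)":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "M05 int 41h/4Fh debugger magic check":
        rb"\x66?\xB8\x4F\x00\xCD\x41",
    "M07 int 68h/43h WinICE handler check":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(p, re.DOTALL) for name, p in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs found in blob, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)


def methods_used(blob: bytes) -> set:
    """Only the method ids (e.g. 'M02') found in blob, for a quick verdict."""
    return {name.split()[0] for _, name in scan(blob)}


# Constructed sample image (not from any real program): NOP padding, a 16-bit
# Method 01 check, the Haspinst-style Method 02 call and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 04243484Bh   ; 'BCHK'
    + b"\xB8\x04\x00"               # mov ax, 04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected  (displacement arbitrary)
    + b"\x90" * 4
    + b"\xB8\x11\x09"               # mov ax, 0911h         ; execute command
    + b"\x8B\x17"                   # mov dx, [bx]
    + b"\xBE\x47\x46"               # mov si, 4647h         ; 1st magic value
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh         ; 2nd magic value
    + b"\xCC"                       # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"            # "\\.\SICE", as passed to CreateFileA
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

Feed it a real file with `scan(open(path, "rb").read())`; a hit only says the check is present, not that it is reached at run time.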