About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with ebp='BCHK' and
ax=4, SoftICE services the int 3 itself and changes al; without SoftICE
the int 3 returns and al is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If no VxD with that ID is loaded, ES:DI comes
back as 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and put the original vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; our handler leaves ax=4fh; a debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random byte from the timer
    xor     cx,cx
    int     41h                 ; if our handler ran, cl == al afterwards
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected    ; the int 41h never reached our handler

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

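The two DR7 values quoted above make more sense once the register is decoded field by field instead of compared against one constant. The following C program is an added example, not code from the original article: it splits DR7 according to the Intel layout (L0/G0..L3/G3 enables in bits 0-7, LE/GE in bits 8-9, bit 10 always reads as 1, GD in bit 13, R/Wn and LENn in the upper half), counts the armed slots, and returns the article's verdict (LE and GE set, i.e. 0x700, as the loader signature; any armed slot as a BPM). Reading the real register still takes ring 0 (`mov eax, dr7`); the sample values are constructed, and `dr7_arm` is a helper of mine that builds them.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the article's code): decode an x86 DR7 value as a
 * ring-0 check like Method 10 would have to.  Layout per the Intel SDM:
 * L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reads as 1, GD bit 13,
 * R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n. */

struct dr7_bp {
    int local;      /* Ln: breakpoint enabled for the current task */
    int global;     /* Gn: breakpoint enabled for every task */
    int rw;         /* 0=execute, 1=write, 2=I/O (CR4.DE), 3=read/write */
    int len;        /* 0=1 byte, 1=2 bytes, 3=4 bytes, 2=8 bytes (64-bit) */
};

struct dr7_state {
    struct dr7_bp bp[4];
    int le, ge;     /* local/global exact breakpoint enable */
    int gd;         /* general detect: trap on any MOV to/from DRn */
};

struct dr7_state decode_dr7(uint32_t dr7) {
    struct dr7_state s;
    for (int n = 0; n < 4; n++) {
        s.bp[n].local  = (dr7 >> (2 * n)) & 1;
        s.bp[n].global = (dr7 >> (2 * n + 1)) & 1;
        s.bp[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        s.bp[n].len    = (dr7 >> (18 + 4 * n)) & 3;
    }
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* Number of DR0-DR3 slots that are armed (local or global enable set). */
int dr7_active_breakpoints(uint32_t dr7) {
    struct dr7_state s = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += (s.bp[n].local || s.bp[n].global);
    return count;
}

/* The article's heuristic: 0 = clean (0x400), 1 = LE|GE set, which is what
 * the SoftICE loader leaves behind (0x700), 2 = a slot is armed (BPM set). */
int dr7_verdict(uint32_t dr7) {
    struct dr7_state s = decode_dr7(dr7);
    if (dr7_active_breakpoints(dr7) > 0) return 2;
    if (s.le && s.ge) return 1;
    return 0;
}

/* Helper (mine) to arm slot n with the given kind and length: the inverse of
 * decode_dr7, used here only to construct sample values. */
uint32_t dr7_arm(uint32_t dr7, int n, int global, int rw, int len) {
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * n);
    return dr7;
}

int main(void) {
    /* Constructed samples: the two values the article quotes, plus one with
     * DR1 armed as a global 4-byte read/write watchpoint (what a BPM sets). */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm(0x400, 1, 1, 3, 3) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dr7=%#010x armed=%d verdict=%d\n", (unsigned)samples[i],
               dr7_active_breakpoints(samples[i]), dr7_verdict(samples[i]));
    return 0;
}
```

The counter-measure the text mentions (clearing BPMs) is the same decoding run backwards: clear the Ln/Gn bit of the slot and write DR7 back, which again needs ring 0.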
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

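The sample above checks only \\.\SICE. The following C program is an added example, not MeltICE's or NuMega's code: it generalises the check to the three device names the text lists, with the open attempt passed in as a callback so the detection loop can be run on a machine without SoftICE. The Win32 opener uses the same CreateFileA call as the sample; `simulated_opener` and `never_opens` are constructed stand-ins (one pretends \\.\NTICE exists). `looks_like_softice_device` is the dword comparison behind the classic BPX (`*(esp->4+4)=='SICE'`, i.e. the four bytes after the `\\.\` prefix) written in C, the test a CreateFileA hook would apply to its first argument.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's or NuMega's code. */

static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* Win9x debugger VxD */
    "\\\\.\\SIWVID",  /* Win9x video VxD */
    "\\\\.\\NTICE",   /* Windows NT driver */
};
#define SOFTICE_DEVICE_COUNT (sizeof softice_devices / sizeof softice_devices[0])

/* Returns 1 if `path` could be opened (and closes it again), else 0. */
typedef int (*device_opener_fn)(const char *path);

/* Index into softice_devices of the first name that opens, or -1 if none. */
int softice_device_index(device_opener_fn try_open) {
    for (size_t i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (try_open(softice_devices[i]))
            return (int)i;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* The real opener: the same CreateFileA call MeltICE makes, for each name. */
static int win32_try_open(const char *path) {
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed stand-ins so the loop can run anywhere: a system on which only
 * \\.\NTICE answers, and a system with no SoftICE driver at all. */
static int simulated_opener(const char *path) {
    return strcmp(path, "\\\\.\\NTICE") == 0;
}
static int never_opens(const char *path) {
    (void)path;
    return 0;
}

/* The article's BPX compares the four bytes after "\\.\" as one dword
 * ('SICE', 'SIWV', 'NTIC').  Same test in C: 1 when `path` matches. */
int looks_like_softice_device(const char *path) {
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (strncmp(path + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

int main(void) {
#ifdef _WIN32
    int idx = softice_device_index(win32_try_open);
#else
    int idx = softice_device_index(simulated_opener);  /* constructed stand-in */
#endif
    if (idx >= 0)
        printf("SoftICE detected via %s\n", softice_devices[idx]);
    else
        puts("SoftICE not detected");
    return 0;
}
```

On a real Win9x/NT box the only interesting opener is `win32_try_open`; the callback is there so the loop and the name test can be verified without the debugger loaded.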
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>