About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
) y7 a) ?+ g2 \! Z. c0 z3 x3 P
* }( M1 s' ?* E" n
  q3 ]+ ~  e: L* m" ^- TMethod 036 j' {9 i' R% Z/ A1 T
=========; J% {8 [4 B7 ~3 i1 @; f

* h0 t8 c4 m* s' Z7 x$ F7 {Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h) I# z- X6 j4 F7 {. c  i
(API Get entry point)8 x1 L& e' S1 I5 p4 Q6 L. F
        
+ Z5 ~" |3 v$ `2 Y" r# ^
, l$ o5 a0 S3 T( ~* _) i) H1 t0 L    xor     di,di9 G) c+ y' X& V# V! z
    mov     es,di& Z2 j) _( q( v5 I7 R
    mov     ax, 1684h       9 K, q# H( }0 C$ s3 S% c7 o/ n
    mov     bx, 0202h       ; VxD ID of winice
) H* t9 k0 e3 G    int     2Fh3 f0 B+ H5 F2 O8 i# z( M
    mov     ax, es          ; ES:DI -&gt; VxD API entry point% P7 D& w/ K2 M* p
    add     ax, di/ J9 ~3 K: E! v! d
    test    ax,ax
: L; j) {( H# @3 `6 E    jnz     SoftICE_Detected3 L- i* w2 F2 m; }& j. X& ]4 l  L
0 t8 n5 m+ ^& E& d% K
___________________________________________________________________________$ Y2 e$ X; d# S" F( N

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must be 0 here (IVT segment), as
    lea     dx, int41handler2       ; method 06 below sets it explicitly
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original one
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; only runs if the int reached the IVT vector
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random-ish byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al -> a debugger swallowed int 41h
    jnz     SoftICE_detected
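A constructed model of methods 05 and 06, added here as an illustration; it is not code from the original text or from Stone's archive. The real-mode interrupt vector table becomes an array of C function pointers, and a SoftICE-like debugger is a ring-0 hook that answers INT 41h itself without ever chaining to the vector stored in the table. The register set (only AX and CL), the `timer_byte` argument standing in for `in al,40h`, and the dispatch logic are all assumptions of the model. It shows why method 06 needs no 0F386h constant: it fires as soon as the program's own handler was bypassed.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model (not SoftICE or DOS code): the IVT is a table of C
 * function pointers and the debugger is a hook in front of it. */

#define DEBUGGER_MAGIC 0xF386u   /* returned for INT 41h, AX=4Fh by system debuggers */

typedef struct { uint16_t ax; uint8_t cl; } regs_t;
typedef void (*int_handler)(regs_t *r);

/* Default DOS vector: a bare IRET, registers untouched. */
static void default_int41(regs_t *r) { (void)r; }

/* 256 vectors like the real table at 0000:0000; only entry 41h matters here. */
static int_handler ivt[256] = { [0x41] = default_int41 };

/* INT 41h dispatch. With a debugger loaded the hook answers in ring 0 and the
 * vector in the IVT never runs; otherwise the IVT vector is called. */
static void int41(regs_t *r, int debugger_loaded)
{
    if (debugger_loaded) {
        if (r->ax == 0x4F)
            r->ax = DEBUGGER_MAGIC;   /* the answer method 05 looks for */
        return;                       /* IVT vector never reached */
    }
    ivt[0x41](r);
}

/* The program's temporary handlers from the two listings. */
static void int41handler2(regs_t *r) { (void)r; }                 /* method 05: iret */
static void int41handler(regs_t *r)  { r->cl = (uint8_t)r->ax; }  /* method 06: mov cl,al */

/* Method 05: swap in int41handler2, INT 41h with AX=4Fh, look for the magic.
 * Returns 1 when a debugger is detected. */
int method05_detect(int debugger_loaded)
{
    int_handler saved = ivt[0x41];          /* first xchg pair saves the old vector */
    ivt[0x41] = int41handler2;
    regs_t r = { 0x4F, 0 };
    int41(&r, debugger_loaded);
    ivt[0x41] = saved;                      /* second xchg pair restores it */
    return r.ax == DEBUGGER_MAGIC;
}

/* Method 06: no magic constant. AL holds a byte read from the timer, CX is
 * zeroed, and detection relies on int41handler never having run to copy AL
 * into CL. timer_byte stands in for 'in al,40h'. */
int method06_detect(int debugger_loaded, uint8_t timer_byte)
{
    int_handler saved = ivt[0x41];
    ivt[0x41] = int41handler;
    regs_t r = { timer_byte, 0 };           /* xor cx,cx */
    int41(&r, debugger_loaded);
    ivt[0x41] = saved;
    return r.cl != (uint8_t)r.ax;           /* cmp cl,al / jnz SoftICE_detected */
}
```

With a timer byte of 0, `method06_detect` returns 0 even when the debugger is present, because CL was zeroed and already equals AL: the real trick carries that 1-in-256 false negative. In this model any hook that swallows INT 41h without chaining trips method 06, so a debugger other than SoftICE would be reported the same way.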

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
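The DR7 layout behind those two values, as an added example that is not code from the original text. Reading DR7 needs ring 0 (`mov eax, dr7` faults from ring 3), so the decoder takes the value as an argument; the bit positions are those of the x86 debug-control register, and the classification strings are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration for method 10; the bit layout is that of the x86 DR7
 * register, the naming and the classification strings are this example's. */

typedef struct {
    int local_enable[4];   /* L0..L3 : bits 0,2,4,6  */
    int global_enable[4];  /* G0..G3 : bits 1,3,5,7  */
    int rw[4];             /* R/Wn   : bits 16-17, 20-21, 24-25, 28-29 */
    int len[4];            /* LENn   : bits 18-19, 22-23, 26-27, 30-31 */
    int le;                /* bit 8  : local exact breakpoint enable  */
    int ge;                /* bit 9  : global exact breakpoint enable */
    int gd;                /* bit 13 : general detect (trap on DRx access) */
    int armed;             /* 1 if any of DR0..DR3 is enabled */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < 4; i++) {
        d.local_enable[i]  = (dr7 >> (2 * i))     & 1;
        d.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;  /* 0=exec 1=write 3=read/write */
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;  /* 0=1 byte 1=2 bytes 3=4 bytes */
        if (d.local_enable[i] || d.global_enable[i])
            d.armed = 1;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The two values quoted in the text: 0x400 is the reset state (bit 10 is
 * reserved and always reads as 1); 0x700 additionally has LE and GE set,
 * which is what the text attributes to the SoftICE loader. */
const char *dr7_classify(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    if (d.armed)
        return "hardware breakpoint armed";
    if (d.le && d.ge)
        return "LE/GE set: loaded via SoftICE loader";
    return "clean";
}

/* Build the DR7 value a ring-0 debugger writes to arm slot n as a data
 * breakpoint (what a BPM leaves behind): enable bit plus R/Wn and LENn.
 * rw and len use the encodings given above. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len, int global)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (((uint32_t)(len & 3) << 2) | (uint32_t)(rw & 3)) << (16 + 4 * n);
    return dr7;
}
```

`dr7_arm(0x400, 0, 1, 3, 0)` yields 0x000D0401: enable bit 0 for DR0, R/W0=01 (break on write) and LEN0=11 (4 bytes) in bits 16-19. The decoder reports it as armed whether the enable is local or global, which is what a check for BPMs needs; the LE/GE test is only meaningful when no breakpoint slot is in use.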
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
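The name test the classical BPX performs, written out in C as an added example (not code from the original text or from MeltICE): it takes the lpFileName argument, skips the four-byte \\.\ prefix, and compares the next four bytes with the tags SICE, SIWV and NTIC. The _lopen variant above passes the same string, so one matcher covers both entry points. The case-insensitive compare, the length guard and the list of sample arguments are this example's own additions; the BPX expression compares raw bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration for method 11 (not MeltICE or SoftICE code). */

/* Four-byte tags at offset 4 of the name, i.e. just past the "\\.\" prefix:
 * \\.\SICE, \\.\SIWVID, \\.\NTICE. */
static const char *const softice_tags[] = { "SICE", "SIWV", "NTIC" };
#define NTAGS (sizeof softice_tags / sizeof softice_tags[0])

/* Case-insensitive 4-byte compare. The original BPX compares bytes exactly;
 * on NT the object manager resolves Win32 device names case-insensitively,
 * so "\\.\ntice" would open the driver yet slip past an exact compare. */
static int tag_eq(const char *a, const char *b)
{
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns the index of the tag found (0=SICE, 1=SIWVID, 2=NTICE) or -1.
 * Unlike a raw dword read at esp->4+4 it will not run past a short string. */
int softice_device_index(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return -1;
    const char *name = lpFileName + 4;            /* esp->4 + 4 */
    if (strlen(name) < 4)
        return -1;
    for (size_t i = 0; i < NTAGS; i++)
        if (tag_eq(name, softice_tags[i]))
            return (int)i;
    return -1;
}

/* Constructed sample of CreateFileA/_lopen arguments (not a real capture). */
static const char *const sample_args[] = {
    "\\\\.\\SICE",
    "C:\\WINDOWS\\SYSTEM\\USER32.DLL",
    "\\\\.\\SIWVID",
    "\\\\.\\sice",           /* lower case: still a SoftICE probe */
    "\\\\.\\PhysicalDrive0", /* another device, not SoftICE */
    "\\\\.\\NTICE",
    "\\\\.\\S",              /* too short for a 4-byte tag */
};

/* Count how many of the given call arguments were SoftICE probes. */
int count_softice_probes(const char *const *args, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (softice_device_index(args[i]) >= 0)
            hits++;
    return hits;
}

/* Runs the matcher over the constructed sample above. */
int sample_probe_count(void)
{
    return count_softice_probes(sample_args, sizeof sample_args / sizeof sample_args[0]);
}
```

Over the constructed sample the matcher reports four probes (SICE, SIWVID, sice and NTICE); the exact-byte BPX from the text would miss the lower-case one.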


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe



Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of 'tICE' in the subkey strings of #2 and #1
respectively, counted from the start of "Software\...".)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>