<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4              ; AL is still 4 if nothing handled the INT 3
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax           ; ES:DI stays 0:0 if no such VxD is loaded
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
 xchg bx, es:[41h*4+2]   ; (ES must point at the IVT, i.e. ES = 0)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h          ; our handler leaves AX untouched
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; our handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax               ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install our handler for int 41h
 xchg bx, es:[41h*4+2]
 in al, 40h              ; AL = timer channel 0 count, any unpredictable byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al               ; CL == AL only if our handler actually ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h                    ; DOS: set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).
The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the VxD by its device name; this only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* SoftICE (Win9x) is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE ?
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                 ; HFILE_ERROR (-1) becomes 0
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>