<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: INT 3 is issued
with EBP holding the 'BCHK' signature and AH=04h. If SoftICE is loaded it
services the request and changes AL; if it is not, the INT 3 is an ordinary
breakpoint exception, so under Win32 the check has to sit inside an
exception handler (see the SEH note in Method 02).

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h             ; BoundsChecker function 04h
        int 3
        cmp al,4                ; AL is still 4 when nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - DS:DX points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911        ; execute command.
4C19:0098  MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647        ; 1st magic value.
4C19:009D  MOV DI,4A4D        ; 2nd magic value.
4C19:00A0  INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02          ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06          ; Repeat 6 times to execute
4C19:00A8  JB 0095            ; 6 different commands.
4C19:00AA  JMP 0002           ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the SoftICE VxD by its device ID via int 2Fh,
function 1684h (Get VxD API entry point). The call returns ES:DI -> entry
point, or leaves ES:DI = 0000:0000 when no VxD with that ID is loaded.
It can only be issued from 16-bit code (a DOS box or a Win16 app); a Win32
app cannot execute int 2Fh directly.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one swaps a dummy handler
into the real-mode vector for int 41h for the duration of the call: a
resident DOS debugger sitting in the vector table can no longer answer,
while SoftICE, which intercepts the interrupt under Windows before the V86
vector is reached, still returns 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4fh unless a debugger intercepts
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it contains neither the 4Fh function number nor the 0F386h constant. The
dummy handler copies AL into CL; if SoftICE intercepts int 41h the handler
never runs, so CL is still 0 while AL holds the byte read from the timer
(the check is fooled only if that byte happens to be 0):

int41handler PROC
        mov cl,al               ; dummy handler: copy AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = an unpredictable byte (PIT counter)
        xor cx,cx
        int 41h                 ; reaches int41handler only if nobody intercepts it
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our handler actually ran
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86), the debugger
installation check:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h (set interrupt vector) and 35h (get interrupt
vector); for function 25h, DS:DX points to the new routine to execute (hangs
the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h (single-step) or 03h (breakpoint)
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value. MOV from a debug register is a privileged instruction, so this works
in ring 0 only. Values can be manipulated or changed as well (clearing BPMs
for instance).

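The DR7 values quoted above decode as follows. This is an added example, not code from the original page: a Python decoder for the DR7 bit layout (L0/G0..L3/G3 enables in bits 0-7, LE in bit 8, GE in bit 9, the reserved bit 10 that always reads as 1, GD in bit 13, and the R/W and LEN fields of DR0-DR3 in bits 16-31). It cannot read the registers itself (that needs ring 0); it interprets values that ring-0 code, a debugger or a crash dump has already captured. The sample values are the two the paragraph mentions plus a constructed BPM entry; the helper names are this example's own.

```python
# Added example (not from the original page): decode a captured DR7 value.
# Bit layout per the Intel SDM. The page's 0x400 / 0x700 values are explained
# by bit 10 (reserved, reads as 1) and bits 8/9 (LE/GE), not by any breakpoint.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the global flags in DR7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li: enabled for the current task
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi: enabled for every task
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wi field
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENi field
            bps.append({
                "reg": "DR%d" % i,
                "scope": "global" if glob else "local",
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),          # general-detect: traps MOV DRx itself
        "breakpoints": bps,
    }


def bpm_active(dr7: int) -> bool:
    """True if any of DR0-DR3 is armed (what a memory breakpoint leaves behind)."""
    return bool(decode_dr7(dr7)["breakpoints"])


def loaded_by_softice_loader(dr7: int) -> bool:
    """The page's heuristic: LE and GE both set (0x700 rather than the idle 0x400)."""
    return (dr7 & 0x300) == 0x300


def make_dr7(index: int, kind: str, length: int, glob: bool = False) -> int:
    """Build a DR7 with one breakpoint armed (constructed value, for the demo)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index + (1 if glob else 0))
    return 0x400 | enable | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    # Constructed sample values: the two the page quotes plus one armed breakpoint.
    for v in (0x400, 0x700, make_dr7(0, "read/write", 4)):
        print(hex(v), decode_dr7(v), "loader:", loaded_by_softice_loader(v))
```

Note that the GD bit is the other direction of this game: with it set, the next MOV to or from a debug register raises #DB, which is how a debugger can catch code that tries to read or clear DR0-DR7 the way the paragraph describes.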
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) VxD answers a CreateFileA on its
   device name, i.e. the driver is loaded; the handle itself is not used. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;               /* no such device: not loaded */
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

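Every trick from Method 01 up to this one leaves a recognisable instruction sequence or string in the protected file, so a binary can be triaged for them statically instead of single-stepping into each INT. The following scanner is an added example, not code from the original page or from any of the programs it mentions: it encodes the listings of Methods 01-07 and 12 as regular expressions over raw bytes (opcode encodings hand-assembled from the listings, e.g. 'mov si,4647h' = BE 47 46, 'int 3' = CC or CD 03), adds the device names of Method 11, and runs them over a buffer. An optional 0x66 operand-size prefix lets one pattern match both 16-bit and 32-bit encodings, and a short gap of arbitrary bytes tolerates unrelated instructions between the characteristic loads and the INT. The sample buffers are constructed for the demonstration and the script name is an assumption.

```python
"""Added example: static scanner for the anti-SoftICE idioms of Methods 01-07,
11 and 12. Run `python scan_sice.py target.exe` (script name assumed) to list
offset and technique for every hit; without an argument it scans a built-in
constructed sample.
"""
import re
import sys

_GAP = rb".{0,12}?"            # up to 12 unrelated bytes between the pieces
_INT3 = rb"(?:\xCC|\xCD\x03)"  # int 3, short or long encoding

# (label, bytes regex); hand-assembled from the listings on this page.
SIGNATURES = [
    ("M01 BoundsChecker: mov ebp,'BCHK' / mov ax,4 / int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42" + _GAP + rb"\x66?\xB8\x04\x00" + _GAP + _INT3),
    ("M02 back door: mov si,4647h / mov di,4A4Dh / int 3",
     rb"\x66?\xBE\x47\x46" + _GAP + rb"\x66?\xBF\x4D\x4A" + _GAP + _INT3),
    ("M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16" + _GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + _GAP + rb"\xCD\x2F"),
    ("M05/M06 int 41h/4Fh",
     rb"\x66?\xB8\x4F\x00" + _GAP + rb"\xCD\x41"),
    ("M07 int 68h/43h",
     rb"\xB4\x43" + _GAP + rb"\xCD\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("cmp ax,0F386h (system debugger magic)",
     rb"\x66?\x3D\x86\xF3"),
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
]
# DOTALL so the gap also matches 0x0A bytes.
_COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob: bytes):
    """Return a sorted list of (offset, label) for every signature found in blob."""
    hits = []
    for label, rx in _COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def labels(blob: bytes):
    """Just the distinct technique labels present, for quick triage."""
    return sorted({label for _, label in scan(blob)})


# Constructed samples (hand-assembled), not taken from any real file.
SAMPLE_HASP = bytes.fromhex(
    "B81109"      # mov ax,0911h     (execute SIce command)
    "8B17"        # mov dx,[bx]
    "BE4746"      # mov si,4647h
    "BF4D4A"      # mov di,4A4Dh
    "CC"          # int 3
    "83C302"      # add bx,2
)
SAMPLE_BCHK_32BIT = bytes.fromhex(
    "BD4B484342"  # mov ebp,4243484Bh ('BCHK')
    "66B80400"    # mov ax,4
    "CC"          # int 3
    "3C04"        # cmp al,4
)
SAMPLE_INT41 = bytes.fromhex("B84F00" "CD41" "3D86F3")  # mov ax,4Fh / int 41h / cmp ax,0F386h
SAMPLE_MELTICE = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
SAMPLE_CLEAN = bytes.fromhex("558BEC33C05DC3")           # push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HASP
    for off, label in scan(data):
        print("%08x  %s" % (off, label))
```

The gap length is the usual trade-off: 12 bytes catches the HASP listing above (two loads between MOV AX and INT 3) without matching across whole functions, but a protector that interleaves junk will need a wider gap or an emulator. Packed files have to be unpacked first, which is exactly why these checks sit in packer stubs.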
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>