<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
most of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE exposes through int 3:
with EBP = 'BCHK' and AX = 04h, a loaded SoftICE answers the int 3 and clears
AL, whereas without SoftICE AL still holds 4 afterwards (under Win32 the int 3
then raises a breakpoint exception, which the program has to catch itself).

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (an SEH in the
original wording) that the program installs beforehand: when no debugger is
loaded, the INT 3 is not answered but raises a breakpoint exception, and the
handler resumes execution at 00ADh.
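The mechanism behind both checks above (a loaded kernel debugger answers or
consumes the INT 3; without one the INT 3 comes back to the program as an
exception) can be shown outside SoftICE. The following is an added example,
not part of the original text and not taken from any packer or from SoftICE:
a POSIX/Linux analogue in C where a SIGTRAP handler stands in for the
exception handler ('SEH') of the Haspinst footnote and a ptrace debugger such
as gdb stands in for SoftICE. No BCHK or back-door protocol is implemented,
so a debugger that forwards the trap back to the program is not detected.
Assumption: an x86 build, so the real 0xCC opcode is executed; other targets
fall back to raise(SIGTRAP).

```c
#include <signal.h>
#include <stdio.h>

/* Set by the SIGTRAP handler: the breakpoint exception reached the program,
 * i.e. nothing underneath us answered the INT 3 (the "jmp to 00ADh" path). */
static volatile sig_atomic_t trap_reached_program;

static void on_sigtrap(int signo)
{
    (void)signo;
    trap_reached_program = 1;
    /* For int3 the saved instruction pointer already points past the 0xCC
     * byte, so returning from the handler resumes at the next instruction,
     * exactly like the IRET / exception-handler resume in the listings. */
}

/* Returns 1 when the INT 3 never came back to the program (a debugger such
 * as gdb, or SoftICE in the original setting, consumed it), 0 otherwise. */
int int3_swallowed_by_debugger(void)
{
    void (*prev)(int) = signal(SIGTRAP, on_sigtrap);   /* install our "SEH" */
    trap_reached_program = 0;

#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__("int3");   /* the same 0xCC the listings above use */
#else
    raise(SIGTRAP);                 /* assumption: non-x86 host, emulate the trap */
#endif

    signal(SIGTRAP, prev);          /* restore whatever handler was there before */
    return trap_reached_program ? 0 : 1;
}

int main(void)
{
    if (int3_swallowed_by_debugger())
        puts("SoftICE_Detected: a debugger consumed the INT 3");
    else
        puts("Good_Guy: the INT 3 came back to the program");
    return 0;
}
```

Run it plainly and it reports that the trap came back; run it under gdb,
which stops on the INT 3 and does not pass the SIGTRAP on when you continue,
and it reports a debugger. A debugger that chooses to deliver the signal to
the program is invisible to this check, which is exactly the weakness the
BCHK and back-door protocols above avoid by asking SoftICE for an answer
instead of only watching whether the exception arrives.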
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point): ES:DI comes back non-zero only if a
VxD with that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinIce (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next listing, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Both temporarily replace the int 41h vector
in the interrupt vector table (ES must point to segment 0, as Method 06 does
explicitly) with a handler of their own before issuing the interrupt, so that
an answer of 0F386h cannot come from a handler sitting in the real-mode vector
table: only something underneath it, like SoftICE, can still reply.

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

Second method, similar to the preceding one but more difficult to detect
because there is no 4Fh/0F386h constant to break on. The temporary handler
copies AL into CL; AL is first loaded with an arbitrary value (a read of
timer port 40h), CX is cleared and int 41h is issued. If the interrupt really
reaches the program's own handler, CL equals AL afterwards; if a debugger
intercepted int 41h instead, CL is still 0 and the mismatch gives it away
(a timer read that happens to return 0 would defeat the check, a 1-in-256
false negative):

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function AH = 43h returns
AX = 0F386h when a debugger is installed.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with DS:DX
pointing at the new routine to execute (which hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only be
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ECX) if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (DR7 = 0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (DR0 to
DR3), simply by reading their values. The values can be manipulated or
changed as well (clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; use \\.\SIWVID or
       \\.\NTICE for the other two drivers. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001 / VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected



__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
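All of the ring 3 tricks above leave fixed byte sequences or strings in the
protected program, which is how a reverser finds them before ever running the
target. The following is an added example, not part of the original text and
not taken from any packer or from SoftICE: a small signature scanner in C that
looks for the opcode sequences of Methods 01, 02, 03/04, 05, 07 and 12 and
for the device and registry names of Methods 11 and 13. The patterns are the
encodings of the instructions shown in the listings (16-bit for the DOS
examples, 32-bit with a 66h operand-size prefix for the Win32 ones); the
sample_image buffer is constructed here only to exercise the scanner and is
not a real executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD 0x100   /* token for "??" in a spec: matches any byte */

typedef struct {
    const char *name;  /* which trick from the list above */
    const char *spec;  /* hex bytes with optional "??" wildcards, or plain text */
    int is_text;       /* 1: match spec as an ASCII string */
} trick_sig;

typedef struct { const char *name; size_t offset; } trick_hit;

/* Encodings of the listings above: 16-bit code for the DOS examples, a 66h
 * operand-size prefix on the 16-bit register moves for the Win32 ones. */
static const trick_sig SIGS[] = {
    {"M01 BCHK (32-bit): mov ebp,'BCHK'/mov ax,4/int 3/cmp al,4",
                                                  "BD 4B 48 43 42 66 B8 04 00 CC 3C 04", 0},
    {"M02 magic (16-bit): mov si,4647h/mov di,4A4Dh", "BE 47 46 BF 4D 4A", 0},
    {"M02 magic (32-bit): mov si,4647h/mov di,4A4Dh", "66 BE 47 46 66 BF 4D 4A", 0},
    {"M03/M04 int 2Fh/1684h, any VxD id in BX",       "B8 84 16 BB ?? ?? CD 2F", 0},
    {"M05 mov ax,4Fh/int 41h",                        "B8 4F 00 CD 41", 0},
    {"M07 mov ah,43h/int 68h",                        "B4 43 CD 68", 0},
    {"M12 push 4Fh/push 002A002Ah (VxDCall)",         "6A 4F 68 2A 00 2A 00", 0},
    {"M11 device name \\\\.\\SICE",                   "\\\\.\\SICE", 1},
    {"M11 device name \\\\.\\SIWVID",                 "\\\\.\\SIWVID", 1},
    {"M11 device name \\\\.\\NTICE",                  "\\\\.\\NTICE", 1},
    {"M13 registry key Software\\NuMega\\SoftICE",    "Software\\NuMega\\SoftICE", 1},
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Expand a signature into tokens (a byte value or WILD). Returns the token
 * count, or 0 when the spec is malformed or longer than max. */
size_t sig_tokens(const trick_sig *sig, uint16_t *out, size_t max)
{
    size_t n = 0;
    for (const char *p = sig->spec; *p; ) {
        if (!sig->is_text && *p == ' ') { p++; continue; }
        if (n == max) return 0;
        if (sig->is_text)                    { out[n++] = (uint8_t)*p++; }
        else if (p[0] == '?' && p[1] == '?') { out[n++] = WILD; p += 2; }
        else {
            int hi = hexval(p[0]), lo = hexval(p[1]);
            if (hi < 0 || lo < 0) return 0;  /* also stops before walking past '\0' */
            out[n++] = (uint16_t)(hi * 16 + lo); p += 2;
        }
    }
    return n;
}

/* Scan buf for every signature. Records up to max_hits matches in hits[] and
 * returns the total number of matches (hits may be NULL when max_hits is 0). */
size_t scan_softice_tricks(const uint8_t *buf, size_t n, trick_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        uint16_t tok[32];
        size_t len = sig_tokens(&SIGS[s], tok, 32);
        if (len == 0 || len > n) continue;
        for (size_t off = 0; off + len <= n; off++) {
            size_t k = 0;
            while (k < len && (tok[k] == WILD || buf[off + k] == tok[k])) k++;
            if (k < len) continue;
            if (found < max_hits) { hits[found].name = SIGS[s].name; hits[found].offset = off; }
            found++;
        }
    }
    return found;
}

/* Constructed test image (not a real executable): some of the sequences
 * above with padding, plus a near miss that must not match. */
const uint8_t sample_image[] = {
    0x90, 0x90,                                      /* 0: nop padding */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                    /* 2: M05 */
    0x3D, 0x86, 0xF3, 0x74, 0x10,                    /* 7: cmp ax,0F386h / jz (16-bit) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,    /* 12: M11 device name */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,        /* 21: M12 */
    0xE8, 0x00, 0x00, 0x00, 0x00,                    /* 28: call rel32, target irrelevant */
    0xB8, 0x4F, 0x00, 0x90, 0xCD, 0x41,              /* 33: near miss: nop inside M05 */
    0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F,  /* 39: M04 with BX=7A5Fh (SIWVID) */
};

/* Offset of the first hit in the sample whose name starts with prefix, -1 if absent. */
long sample_hit(const char *prefix)
{
    trick_hit hits[16];
    size_t n = scan_softice_tricks(sample_image, sizeof sample_image, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        if (strncmp(hits[i].name, prefix, strlen(prefix)) == 0) return (long)hits[i].offset;
    return -1;
}

int main(void)
{
    trick_hit hits[16];
    size_t n = scan_softice_tricks(sample_image, sizeof sample_image, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04lx  %s\n", (unsigned long)hits[i].offset, hits[i].name);
    return 0;
}
```

Feed a real file to scan_softice_tricks instead of sample_image to triage a
target. The "??" wildcard on the Method 03/04 pattern catches any VxD ID in
BX, not only 0202h and 7A5Fh; the near miss in the sample shows that a single
inserted byte already defeats an exact pattern, which is why packers that
want to hide these checks reorder or interleave the instructions.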


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only). The service just checks a flag and returns with ZF set when no
debugger is installed:

        VMMCall Test_Debug_Installed
        je not_installed

</PRE></TD></TR></TBODY></TABLE>