<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095  MOV AX,0911      ; execute command.
    4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A  MOV SI,4647      ; 1st magic value.
    4C19:009D  MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0  INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4  INC CX
    4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8  JB 0095          ; 6 different commands.
    4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap in our own int 41h vector (ES must
    xchg bx, es:[41h*4+2]       ; point to the IVT, segment 0, as in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer port: unpredictable al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; cl != al: our handler was not the one called
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
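As an added illustration of what the two dr7 values quoted above mean (this is not code from the original text), the following Python decodes a DR7 value using the standard x86 layout from the Intel architecture manuals: bits 0-7 are the L0/G0..L3/G3 enable pairs, bits 8 and 9 are LE/GE, bit 10 is reserved and always reads as 1, bit 13 is GD and bits 16-31 hold the R/Wn and LENn fields. Under that layout 0x400 is a DR7 with nothing set except the reserved bit, and 0x700 additionally has LE and GE set; the third sample value is constructed to show what an armed memory breakpoint looks like. The heuristic function simply encodes the page's own rule (0x700 vs 0x400); it is an assumption that nothing else sets LE/GE on the system being examined.

```python
"""Decode an x86 DR7 value (e.g. from a crash dump or an emulator) into the
hardware-breakpoint state it describes. Added example; the bit layout is the
standard one documented by Intel, the sample values are the page's 0x700 and
0x400 plus one constructed value."""

DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable
DR7_RESERVED_BIT10 = 1 << 10   # reserved, always reads as 1
DR7_GD = 1 << 13               # general detect: trap on any MOV to/from DRn

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is 8 bytes in 64-bit mode only


def decode_dr7(value):
    """Return a dict describing the breakpoints and flags encoded in `value`."""
    breakpoints = []
    for i in range(4):
        local = bool(value & (1 << (2 * i)))        # Li
        glob = bool(value & (1 << (2 * i + 1)))     # Gi
        if not (local or glob):
            continue
        rw = (value >> (16 + 4 * i)) & 0x3          # R/Wi field
        ln = (value >> (18 + 4 * i)) & 0x3          # LENi field
        breakpoints.append({
            "index": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "exact_local": bool(value & DR7_LE),
        "exact_global": bool(value & DR7_GE),
        "general_detect": bool(value & DR7_GD),
        "breakpoints": breakpoints,
    }


def looks_like_softice_loader(value):
    """Heuristic taken from the text: DR7 == 0x700 (LE and GE set, no
    breakpoint armed) is what the page reports when the target was started
    through the SoftICE loader; 0x400 (only the reserved bit) otherwise."""
    state = decode_dr7(value)
    flags_only = value & ~DR7_RESERVED_BIT10
    return flags_only == (DR7_LE | DR7_GE) and not state["breakpoints"]


# Constructed sample: DR7 with L0 set, R/W0 = 01b (write), LEN0 = 11b (4 bytes)
DR7_WRITE_BP0 = DR7_RESERVED_BIT10 | 0x1 | (0x1 << 16) | (0x3 << 18)   # 0xD0401

if __name__ == "__main__":
    for sample in (0x700, 0x400, DR7_WRITE_BP0):
        print(f"dr7=0x{sample:X}: {decode_dr7(sample)} "
              f"loader-like={looks_like_softice_loader(sample)}")
```

Reading the registers themselves still needs ring 0, as the text says; the decoder is meant for values an analyst already has in hand.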

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025       ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001
    00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
               ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
               ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
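The breakpoints listed under each method only work while the target is running under SoftICE. For triage of a sample before running it at all, the constants quoted in Methods 01, 02, 03/04, 05, 07, 11 and 12 ('BCHK', SI/DI 4647h/4A4Dh, VxD IDs 0202h/7A5Fh, the 0F386h magic, the \\.\SICE device names, the 002A002Ah VxDCall selector) can be searched for statically. The following Python scanner is an added example, not code from the original text or its author; the byte patterns are the standard x86 encodings of the instructions shown on the page (16-bit operand size assumed for the DOS snippets, 32-bit for the Win32 ones), and the sample buffer is constructed for the demo rather than taken from any real file.

```python
"""Static triage: flag the SoftICE checks of Methods 01-12 in a byte blob.
Added example. The immediates are the page's constants; the opcode bytes are
standard x86 encodings (assumption: 16-bit code for Methods 01-07, 32-bit
for 11 and 12). int 3 is matched as CCh only; the 2-byte CD 03 form is not."""
import re

# (label, compiled regex over raw bytes). Short lazy gaps allow for the
# other instructions the original snippets interleave.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' signature + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; ... int 3 (back-door magic)
    ("M02 back-door magic SI=4647h DI=4A4Dh + int 3",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h entry point of SICE or SIWVID VxD",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    ("M05 int 41h/4Fh compared with magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h compared with magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3", re.S)),
    # Method 11: device names handed to CreateFileA / _lopen
    ("M11 SoftICE driver device name (SICE/SIWVID/NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall ; cmp ax,0F386h
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66\x3D\x86\xF3", re.S)),
]


def scan_for_softice_checks(data):
    """Return (offset, label) pairs, sorted by offset, for every hit in `data`."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample buffer (not from any real file): nop padding, the
# Method 02 HASP sequence, a NUL-terminated Method 11 device name and the
# simplest Method 05 check, back to back.
SAMPLE = (
    b"\x90" * 8                              # nop padding
    + b"\xB8\x11\x09"                        # mov ax,0911h
    + b"\x8B\x17"                            # mov dx,[bx]
    + b"\xBE\x47\x46"                        # mov si,4647h
    + b"\xBF\x4D\x4A"                        # mov di,4A4Dh
    + b"\xCC"                                # int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE',0
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
)

if __name__ == "__main__":
    for offset, label in scan_for_softice_checks(SAMPLE):
        print(f"0x{offset:04X}  {label}")
```

A hit only says the sample carries the constant sequence; confirm it by looking at the surrounding code, since the same immediates can occur in unrelated data.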

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>