<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911     ; execute command.
        4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV SI,4647     ; 1st magic value.
        4C19:009D  MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB 0095         ; 6 different commands.
        4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector (assumes es = 0,
        xchg bx, es:[41h*4+2]   ; the IVT segment)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect (there
is no 0F386h compare: the check only looks at whether the installed int 41h
handler was really reached):

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer counter, an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler ran
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver answers to the \\.\SICE device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the handle opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;               /* open failed: driver not present */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067:  push 00402025           ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

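The byte patterns behind methods 01 to 12 above (the 'BCHK' constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD query, the 4Fh/41h and 43h/68h calls, the 0F386h compare, the \\.\SICE device names and the 2A002Ah VxDCall) can also be found statically in a protected file. The following Python scanner is an added example for triaging such a binary, not code from the original text; the opcode encodings are the standard x86 ones and the sample bytes are constructed here.

```python
"""Static scanner for the anti-SoftICE signatures of methods 01 to 12 (added
example). The DOS snippets are encoded as 16-bit code (an optional 66h prefix
is accepted where a 32-bit build adds one); the method 01 mov ebp is 32-bit."""
import re

# (tag, description, byte pattern)
SIGNATURES = [
    ("M01", "mov ebp,4243484Bh ('BCHK') BoundsChecker probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("M02", "mov si,4647h / mov di,4A4Dh back door magic values",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A")),
    ("M03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh VxD query",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("M05", "mov ax,4Fh / int 41h debugger installation check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("M07", "mov ah,43h / int 68h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("F386", "cmp ax,0F386h system debugger magic number (methods 05/06/07/12)",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("M11", "\\\\.\\SICE, SIWVID or NTICE device name (MeltICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("M12", "push 4Fh / push 2A002Ah VWIN32_Int41Dispatch VxDCall",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(data):
    """Return a list of (offset, tag) for every signature hit, sorted by offset."""
    hits = []
    for tag, _desc, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), tag))
    return sorted(hits)


# Constructed sample bytes (not a real binary): the DOS fragments of methods
# 01, 02 and 05, then a 32-bit MeltICE string and the method 12 VxDCall.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                        # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"                # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov ax,911h / si / di / int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"            # mov ax,4Fh / int 41h / cmp ax,F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                             # '\\.\SICE',0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # push 4Fh / push 2A002Ah
    + b"\x66\x3D\x86\xF3"                            # cmp ax,0F386h (32-bit build)
)

if __name__ == "__main__":
    for offset, tag in scan(SAMPLE):
        print("%08X  %s" % (offset, tag))
```

Patterns that can sit on odd bytes (the MeltICE device name inside a data section, for instance) are found wherever they occur, so a hit is a lead for disassembly at that offset rather than proof of a live check.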
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>