About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 if nobody answered the BoundsChecker call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is still 0:0 when no VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es=0 (not in the quoted listing) so es:[41h*4] is the int 41h vector
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own (empty) int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and put the old vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone, so only a debugger can return the magic number
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if the int reaches our handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable byte instead of the tell-tale 4Fh
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
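As an added example (not part of the original post), a small C decoder for the DR7 values quoted in Method 10, so the 0x400 / 0x700 test can be read field by field; the bit layout is the one documented in the Intel manuals and the BPM sample value is constructed:

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7. Bit layout (Intel SDM): bits 0-7 = L0,G0 .. L3,G3
 * enable pairs, bit 8 = LE, bit 9 = GE, bit 10 = reserved and always reads
 * as 1, bits 16-31 = R/W and LEN fields (2 bits each) for DR0..DR3. */
typedef struct {
    int le, ge;          /* local / global exact breakpoint enable */
    int enabled[4];      /* DRn armed (its L or G bit set) */
    int rw[4], len[4];   /* R/W: 0=exec 1=write 3=read/write; LEN: 0=1 1=2 3=4 bytes */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7) {
    dr7_t d = {0};
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    for (int i = 0; i < 4; i++) {
        d.enabled[i] = ((dr7 >> (2 * i)) & 3) != 0;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    return d;
}

/* Number of DR0..DR3 slots armed, i.e. memory breakpoints (BPM) in place. */
int armed_breakpoints(uint32_t dr7) {
    dr7_t d = decode_dr7(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

/* The test quoted above: 0x400 is only the always-set bit 10 (nothing armed,
 * exact-match flags clear), while 0x700 has LE and GE set as well. */
int dr7_looks_like_sice_loader(uint32_t dr7) {
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge;
}

/* Constructed value: 0x700 plus DR0 armed locally on a 4-byte read/write BPM. */
#define SAMPLE_BPM_DR7 (0x700u | 1u | (3u << 16) | (3u << 18))

int main(void) {
    uint32_t vals[] = {0x400, 0x700, SAMPLE_BPM_DR7};
    for (int i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(vals[i]);
        printf("dr7=%08X le=%d ge=%d armed=%d dr0(rw=%d len=%d)\n", (unsigned)vals[i],
               d.le, d.ge, armed_breakpoints(vals[i]), d.rw[0], d.len[0]);
    }
    return 0;
}
```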

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
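The stubs of methods 01 to 05, 07 and 12 above are fixed instruction sequences with hard-coded constants, so an analyst can flag them statically in a dump before ever running the program. As an added example that is not part of the original post, the C scanner below matches their byte encodings (assumed 16-bit code for the DOS stubs, 32-bit code for methods 01 and 12, int 3 as the one-byte CC form, push 4Fh as the short 6A 4F form) against a constructed buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte patterns for the stubs of methods 01-05, 07 and 12; -1 is a wildcard byte.
 * Encodings assumed: methods 01 and 12 as 32-bit code, the others as 16-bit code. */
typedef struct { const char *name; const int16_t *pat; size_t len; } sig_t;
static const int16_t p01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC}; /* mov ebp,'BCHK'; mov ax,4; int 3 */
static const int16_t p02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};   /* mov si,4647h; mov di,4A4Dh; int 3 */
static const int16_t p03[] = {0xB8,0x84,0x16, 0xBB,-1,-1, 0xCD,0x2F};  /* mov ax,1684h; mov bx,<VxD id>; int 2Fh */
static const int16_t p05[] = {0xB8,0x4F,0x00, 0xCD,0x41};              /* mov ax,4Fh; int 41h */
static const int16_t p07[] = {0xB4,0x43, 0xCD,0x68};                   /* mov ah,43h; int 68h */
static const int16_t p12[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};    /* push 4Fh; push 002A002Ah (VxDCall) */
#define SIG(n, p) { n, p, sizeof p / sizeof p[0] }
static const sig_t sigs[] = {
    SIG("M01 BCHK int3", p01), SIG("M02 int3 backdoor", p02), SIG("M03/04 int2F 1684", p03),
    SIG("M05 int41 4F", p05),  SIG("M07 int68 43", p07),     SIG("M12 VxDCall 2A002A", p12),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

typedef struct { const char *name; size_t offset; uint16_t vxd_id; } hit_t;

/* Does signature s match at buf[off]? Wildcard bytes always match. */
static int sig_at(const sig_t *s, const uint8_t *buf, size_t n, size_t off) {
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] >= 0 && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan buf for every signature and return the hit count (at most max). For the
 * int 2Fh stub the VxD id from "mov bx,imm16" is decoded into vxd_id, so
 * 0202h (SICE, method 03) and 7A5Fh (SIWVID, method 04) can be told apart. */
int scan_antisice(const uint8_t *buf, size_t n, hit_t *hits, int max) {
    int count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS && count < max; k++) {
            if (!sig_at(&sigs[k], buf, n, off)) continue;
            hits[count].name = sigs[k].name;
            hits[count].offset = off;
            hits[count].vxd_id = sigs[k].pat == p03 ? (uint16_t)(buf[off + 4] | buf[off + 5] << 8) : 0;
            count++;
        }
    return count;
}

/* Constructed sample: filler around a method 04 stub (SIWVID, 7A5Fh) and a method 12 stub. */
static const uint8_t sample[] = {
    0x90,0x90, 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F, 0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x10,
    0x90, 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0x00,0x00,0x00,0x00, 0x90,
};

int sample_hits(hit_t *hits, int max) { return scan_antisice(sample, sizeof sample, hits, max); }

int main(void) {
    hit_t hits[8];
    int n = sample_hits(hits, 8);
    for (int i = 0; i < n; i++)
        printf("offset %zu: %s (vxd id %04X)\n", hits[i].offset, hits[i].name, (unsigned)hits[i].vxd_id);
    return 0;
}
```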

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>