<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with EBP set to
'BCHK' and AX=04h, the INT 3 is serviced by SoftICE's BoundsChecker support
and AL comes back changed; without SoftICE the INT 3 returns with AL
untouched (still 04h).

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL still 4 -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less common method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed beforehand and stays zero if no
VxD with that ID is loaded:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next example, as well as Method 06, are taken from Stone's "stn-wid.zip"
(www.cracking.net). This one swaps a dummy handler into the int 41h vector
around the call, so that without a debugger AX is left untouched:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to spot: the
installed handler copies AL into CL. If a debugger is handling int 41h the
handler below never runs (or AL is changed), so CL, zeroed before the call,
no longer matches AL.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: a varying value for AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (DR7=0x700 if the program was loaded with the SoftICE loader,
0x400 otherwise: bit 10 of DR7 is reserved and always reads 1, and 0x700
additionally has the LE and GE bits 8 and 9 set) and whether memory
breakpoints are set, simply by looking at DR0-DR3 and the enable bits of
DR7. The values can also be manipulated or changed (clearing BPMs for
instance).

__________________________________________________________________________
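The decoder below is an added example, not code from this page or from any
protection it describes. It takes DR0-DR3 and DR7 values as the ring-0 check
of Method 10 would read them and reports what they mean, using the DR7 bit
layout from the Intel SDM (L/G enable bits 0-7, LE/GE bits 8-9, reserved
bit 10, GD bit 13, RW/LEN fields from bit 16 up). The register values fed in
at the bottom are constructed for illustration; nothing here reads real
debug registers, since that needs ring 0.

```python
# DR7 field layout per the Intel SDM (Vol. 3, "Debug Registers").
RW_TYPES = {0: "execute", 1: "write", 2: "io-rw", 3: "read/write"}  # 10b needs CR4.DE
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Describe DR7: which hardware breakpoints are armed, what they trap,
    and the state of the LE/GE/GD control bits."""
    info = {
        "reserved_bit10": bool(dr7 & (1 << 10)),   # always 1 on real hardware (0x400)
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "slot": n, "local": local, "global": glob,
            "type": RW_TYPES[rw],
            # LEN must be 00b for execute breakpoints, so they are always 1 byte
            "length": 1 if rw == 0 else LEN_BYTES[ln],
        })
    return info


def check_debug_registers(dr0_3, dr7):
    """Emulate the Method 10 check on given register values: flag the
    SoftICE-loader DR7 pattern (LE and GE set, i.e. 0x700 instead of the
    bare reserved 0x400) and list every armed breakpoint with its address."""
    d = decode_dr7(dr7)
    armed = [(bp["slot"], dr0_3[bp["slot"]], bp["type"], bp["length"])
             for bp in d["breakpoints"]]
    return {"softice_loader": d["LE"] and d["GE"], "armed_breakpoints": armed}


def clear_breakpoints(dr7):
    """Value to write back to DR7 to disarm all four breakpoints (the 'clearing
    BPMs' the text mentions): drop the L/G bits, keep reserved bit 10 set."""
    return ((dr7 & ~0xFF) | (1 << 10)) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: loaded under the SoftICE loader (0x700), a 2-byte
    # write breakpoint in slot 0 and a global execute breakpoint in slot 2.
    sample_dr7 = 0x00050721
    print(check_debug_registers([0x401000, 0, 0x402010, 0], sample_dr7))
    print(hex(clear_breakpoints(sample_dr7)))
```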

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
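As an added example (not code from this page, nor from any packer or tool it
mentions), here is a small static scanner that looks for the instruction
sequences and strings of methods 01-08, 11, 12 and 13 in raw x86 code. The
byte patterns are the standard encodings of the snippets shown above
(16-bit forms; a 66h operand-size prefix in front of them does not break
substring matching, so the 32-bit forms are found too). The sample buffer
at the bottom is hand-assembled here and constructed for the test, not taken
from any real file. Bytes alone prove nothing: any program using int 41h or
int 2Fh will trip some of these, so treat hits as leads to look at in the
disassembler, not as proof of an anti-debug check.

```python
import re

# (key, description, pattern). Immediates are little-endian; the lazy .{0,N}?
# gaps allow a few unrelated instructions between the parts of one check.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "SoftICE back door magic (mov si,4647h / mov di,4A4Dh)",
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46"),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"(?:\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"
     rb"|\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xb8\x84\x16).{0,8}?\xcd\x2f"),
    ("05", "int 41h function 4Fh (mov ax,4Fh / int 41h)",
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41"),
    ("06", "timer port read followed by int 41h (in al,40h / int 41h)",
     rb"\xe4\x40.{0,8}?\xcd\x41"),
    ("F386", "compare against debugger magic 0F386h (cmp ax,0F386h)",
     rb"\x3d\x86\xf3"),
    ("07", "int 68h function 43h (mov ah,43h / int 68h)",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
    ("08", "int 21h/25h rehooking int 01h or 03h",
     rb"(?:\xb8[\x01\x03]\x25|\xb4\x25\xb0[\x01\x03]).{0,8}?\xcd\x21"),
    ("11", "MeltICE device names",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key",
     rb"NuMega\\SoftICE"),
]


def scan(data):
    """Return (key, offset) for every signature hit, sorted by offset."""
    hits = []
    for key, _desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((key, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_present(data):
    """Sorted list of the method keys that fired at least once."""
    return sorted({key for key, _ in scan(data)})


# Constructed sample: the page's snippets hand-assembled, with NOP filler.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10",       # Method 01
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc",               # Method 02
    b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    b"\x8c\xc0\x03\xc7\x85\xc0\x75\x10",                               # Method 03
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10",                       # Method 05
    b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x10",                           # Method 07
    b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"
    b"\x66\x3d\x86\xf3\x74\x10",                                       # Method 12
    b"\\\\.\\SICE\x00",                                                # Method 11
    b"Software\\NuMega\\SoftICE\x00",                                  # Method 13
])

if __name__ == "__main__":
    for key, off in scan(SAMPLE):
        print(f"{off:06x}  method {key}")
```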

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets point at the 'tICE' of
'SoftICE' inside subkeys #2 and #1 respectively):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>