<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 4, an INT 3 is answered by SoftICE, which returns with
AL changed. Without SoftICE the interrupt simply returns and AL is still 4.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h             ; BoundsChecker function 4
        int 3
        cmp al,4                ; AL still 4 -> nobody answered the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SIce window)
  -AX = 0911h (Execute a SIce command - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint information)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"). If the VxD is not loaded, ES:DI stays 0;
otherwise ES:DI receives the address of the VxD's API entry point.

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h           ; Get Device Entry Point
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> VxD not present
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h           ; Get Device Entry Point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> VxD not present
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation check"
of the Windows debugging kernel).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This first variant temporarily points the
int 41h vector at a dummy IRET handler while the call is made, so that the
reply cannot come from an ordinary handler installed in the interrupt vector
table: only a debugger that intercepts the interrupt below the table can
still answer 0F386h.

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
no 4Fh function number and no 0F386h magic value appear anywhere. The
program installs its own int 41h handler, which copies AL into CL, calls
int 41h with a value read from the timer port, and then checks whether its
handler actually ran. If a debugger intercepts int 41h without passing it on
to the vector, CL stays 0 and differs from AL (the check misses only when
the timer byte happens to be 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; our handler did not run -> intercepted
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
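
The magic constants above are the practical handle for spotting these checks
in a packed executable. The following scanner is an added example for this
page (not code from the original article or from SoftICE): it searches a raw
code buffer for the operand bytes each trick has to load (the 'BCHK'
immediate, SI=4647h/DI=4A4Dh, AX=1684h with VxD ID 0202h or 7A5Fh, AX=4Fh or
AH=43h followed by a compare with 0F386h) within a few bytes of the INT that
triggers the check, covering Methods 01 to 05 and 07. Method 06 is left out
on purpose: it loads no magic value, which is exactly why the text calls it
harder to detect. The 16-byte window, the signature names and the sample
buffer are my own assumptions; the sample is hand-assembled from the
listings above plus some filler.

```python
"""Byte-pattern scanner for the SoftICE checks of Methods 01-05 and 07.

Added example, not code from the original article.  The 16-bit and 32-bit
encodings share the same opcode and operand bytes and differ only by a 66h
prefix, so matching on the operand bytes covers both.
"""
from typing import List, Tuple

WINDOW = 16   # bytes inspected before/after the trigger instruction (assumption)

# (name, trigger instruction, operand bytes required before it, required after it)
SIGNATURES = [
    ("M01 int 3 'BCHK' BoundsChecker signature", b"\xCC",
     [b"\xBD\x4B\x48\x43\x42"], [b"\x3C\x04"]),          # mov ebp,4243484Bh ; cmp al,4
    ("M02 int 3 back door SI=4647h DI=4A4Dh", b"\xCC",
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A"], []),             # mov si,4647h ; mov di,4A4Dh
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)", b"\xCD\x2F",
     [b"\xB8\x84\x16", b"\xBB\x02\x02"], []),             # mov ax,1684h ; mov bx,0202h
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", b"\xCD\x2F",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A"], []),             # mov ax,1684h ; mov bx,7A5Fh
    ("M05 int 41h/4Fh magic 0F386h", b"\xCD\x41",
     [b"\xB8\x4F\x00"], [b"\x3D\x86\xF3"]),               # mov ax,4Fh ; cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h", b"\xCD\x68",
     [b"\xB4\x43"], [b"\x3D\x86\xF3"]),                   # mov ah,43h ; cmp ax,0F386h
]


def scan(code: bytes, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every trigger instruction whose
    required operand bytes all occur within `window` bytes before/after it.
    A lone INT 3 (padding, a left-over breakpoint) therefore does not match."""
    hits = []
    for name, trigger, before, after in SIGNATURES:
        pos = code.find(trigger)
        while pos != -1:
            pre = code[max(0, pos - window):pos]
            post = code[pos + len(trigger):pos + len(trigger) + window]
            if all(b in pre for b in before) and all(a in post for a in after):
                hits.append((pos, name))
            pos = code.find(trigger, pos + 1)
    return sorted(hits)


# Constructed sample: the article's sequences assembled by hand, plus filler.
SAMPLE = bytes.fromhex(
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC 83 C3 02 41"   # M02 (Haspinst loop body)
    " 66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"        # M01 in 16-bit code
    " 33 FF 8E C7 B8 84 16 BB 02 02 CD 2F"              # M03
    " B8 4F 00 CD 41 3D 86 F3 74 10"                    # M05
    " B4 43 CD 68 3D 86 F3 74 10"                       # M07
    " 90 90 90 CC 90 B4 4C CD 21"                       # nops, a lone int 3, DOS exit
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:04X}  {name}")
```

Run against a whole file the scanner reports an offset per hit, which you can
then feed to a disassembler; on the sample above it reports the five planted
checks and ignores the lone INT 3 in the filler.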
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, 01h                     ; int number: 01h (or 03h)
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs for instance).
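
As an added illustration of what those DR7 values mean (example code written
for this page, not the article's or SoftICE's), here is a decoder for the
Intel debug control register. Bits 0-7 are the local/global enable bits
L0/G0..L3/G3 of the four breakpoint slots, bits 8 and 9 are LE/GE (the exact
breakpoint enables), bit 10 always reads as 1, and bits 16-31 hold the R/W
and LEN fields of each slot. 0x400 is therefore an idle DR7 and 0x700 is one
with LE and GE set, which is the difference the text observes between a
program started through the SoftICE loader and one started normally; a BPM
on a 4-byte read/write location shows up in the slot fields. The third
sample value and the function names are my own constructions.

```python
"""Decoder for the x86 DR7 debug-control register (added example, not from
the article).  Bit layout per the Intel SDM: L0/G0..L3/G3 in bits 0-7,
LE bit 8, GE bit 9, bit 10 reserved (reads as 1), GD bit 13,
R/W_n in bits 16+4n..17+4n and LEN_n in bits 18+4n..19+4n."""
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 10b = 8 bytes, 64-bit mode only


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its named fields."""
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "slots": [
            {
                "slot": n,
                "local": bool(dr7 & (1 << (2 * n))),
                "global": bool(dr7 & (1 << (2 * n + 1))),
                "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 0b11],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 0b11],
            }
            for n in range(4)
        ],
    }


def active_breakpoints(dr7: int) -> List[Dict]:
    """Slots whose local or global enable bit is set, i.e. hardware
    breakpoints (SoftICE BPMs) that are armed right now."""
    return [s for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]


def loaded_by_softice_loader(dr7: int) -> bool:
    """The article's empirical rule: DR7 = 0x700 (LE and GE set) when the
    program was started through the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x300) == 0x300


def clear_slot(dr7: int, slot: int) -> int:
    """Return DR7 with breakpoint `slot` disarmed: enable bits and R/W-LEN
    field cleared (what 'clearing BPMs' from ring 0 amounts to)."""
    mask = (0b11 << (2 * slot)) | (0xF << (16 + 4 * slot))
    return dr7 & ~mask & 0xFFFFFFFF


# Constructed samples: idle, loader-started, and a 4-byte read/write BPM in slot 0.
SAMPLES = {"idle": 0x400, "softice_loader": 0x700, "bpm_rw_4": 0x000F0401}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        armed = [(s["slot"], s["kind"], s["length"]) for s in active_breakpoints(value)]
        print(f"{label:15} DR7={value:08X} loader={loaded_by_softice_loader(value)} "
              f"armed={armed}")
```

Reading DR7 itself still needs ring 0 (a `mov eax, dr7` in a VxD); the
decoder only interprets the value once you have it.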
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

   00401067: push 00402025          ; -> "\\.\SICE"
   0040106C: call CreateFileA
   00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE ?
   00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; -> '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; -> '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

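A portable version of the probe, as an added example for this page (it is not
nmtrans.dll, MeltICE or any shipped tool's code): it tries the three driver
names the text lists and also emulates the `*(esp->4+4)=='SICE'` conditional
of the classical BPX, to show why that expression only ever compares four
characters of the device name (esp->4 is the lpFileName argument, +4 skips
the `\\.\` prefix, and a dword compare sees 'SICE', 'SIWV' or 'NTIC'). The
opener is injectable so the logic can be exercised off Windows; the real
opener calls CreateFileA through ctypes with the same flags as the C sample.
The function names and the fallback behaviour on non-Windows hosts are my
own assumptions.

```python
"""MeltICE-style device probe (added example for this page; not nmtrans.dll,
MeltICE or any other shipped code).  The opener is injectable so the logic
runs anywhere; the real opener uses CreateFileA via ctypes on Windows."""
import sys
from typing import Callable, Optional

# Driver names the article lists: SICE and SIWVID (Win9x VxDs), NTICE (WinNT).
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")


def device_path(name: str) -> str:
    r"""Win32 device namespace path, e.g. \\.\SICE."""
    return "\\\\.\\" + name


def _win32_opener(path: str) -> bool:
    """CreateFileA(path) with the flags of IsSoftIce95Loaded(); True if it opens."""
    import ctypes
    from ctypes import wintypes
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 3, 0x80
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileA.restype = wintypes.HANDLE
    k32.CreateFileA.argtypes = [wintypes.LPCSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    h = k32.CreateFileA(path.encode("ascii"), GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)
    return True


def softice_present(opener: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return the first SoftICE device name whose handle can be opened, or None."""
    if opener is None:
        if not sys.platform.startswith("win"):
            raise RuntimeError("the CreateFileA probe only makes sense on Windows")
        opener = _win32_opener
    for name in SOFTICE_DEVICES:
        if opener(device_path(name)):
            return name
    return None


def bpx_condition_matches(path: str) -> bool:
    """Emulate  *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC':
    the dword at lpFileName+4 is the first four characters after '\\.\'."""
    name_dword = path.encode("ascii")[4:8]
    return name_dword in {d[:4].encode("ascii") for d in SOFTICE_DEVICES}


if __name__ == "__main__":
    print("SoftICE device found:", softice_present())
```

Because the BPX compares a single dword, any device whose name starts with
those four letters would trip the breakpoint as well; that is the price of a
fast conditional and, in practice, harmless.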
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>