<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is still 4 if nobody handled the BoundsChecker call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI is still 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one as well as the following method (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; es must point to the interrupt vector table (segment 0)
    xchg bx, es:[41h*4+2]       ; install our own int 41h handler, keep the old vector in dx:bx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler leaves ax untouched; a debugger hooking int 41h returns the magic number
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; echo al back so the caller can verify that we ran
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the PIT counter: a pseudo-random byte
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; cl == al only if our own handler was executed
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
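To see what the two DR7 values quoted above actually encode, here is an added example (not part of the original text, and not SoftICE's or NuMega's code): a Python decoder that takes a DR7 value already captured from ring0 (a kernel debugger or a crash dump; this example does not read the register itself) and splits it into the per-slot enable bits, the LE/GE exact-breakpoint bits and the RW/LEN fields, using the layout from the Intel manual. The labels in classify() follow the page's own reading of 0x700 versus 0x400 and are an assumption of this example.

```python
"""Decode an x86 DR7 value the way Method 10 reads it (added example)."""

# DR7 layout (Intel SDM vol. 3): bits 0-7 L0,G0 .. L3,G3; bit 8 LE; bit 9 GE;
# bit 10 reserved and always reads as 1 (hence the 0x400 the page mentions);
# bit 13 GD; bits 16-31 hold RWn (2 bits) and LENn (2 bits) for each slot n.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict with the global flags and one entry per breakpoint slot."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({"slot": i, "enabled": local or glob, "local": local,
                      "global": glob, "rw": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def active_breakpoints(dr7):
    """Slots whose L or G bit is set, i.e. DR0-DR3 values that are armed (BPM-style)."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def classify(dr7):
    """Label a DR7 value using the page's interpretation (assumption of this example)."""
    flags = decode_dr7(dr7)
    if active_breakpoints(dr7):
        return "hardware breakpoint(s) armed"
    if flags["LE"] and flags["GE"]:
        return "loaded via SoftICE loader (0x700 pattern)"
    return "no debugger traces visible in DR7"


if __name__ == "__main__":
    # Constructed values: the two from the page plus one armed 4-byte read/write
    # breakpoint in slot 0 (L0=1, RW0=11b, LEN0=11b).
    for value in (0x700, 0x400, 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)):
        print(f"DR7={value:#07x}: {classify(value)}; armed slots: "
              f"{[(s['slot'], s['rw'], s['len']) for s in active_breakpoints(value)]}")
```

The decoder is deliberately indifferent to which debugger set the bits: LE/GE together with a reserved bit 10 is the 0x700 the page attributes to the SoftICE loader, while an armed slot is what a BPM leaves behind, which is why the page warns to clear breakpoints before stepping through this check.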

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
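Most of the tricks listed so far leave a fixed constant or string in the binary: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh pair of Method 02, the compare against 0F386h of Methods 05, 07 and 12, the \\.\SICE-style device names of Method 11 and the registry key of this method. Here is an added example (not part of the original text, and not a tool the page mentions) of a static scanner an analyst can run over a sample's raw bytes to triage it for these tricks without executing it. The byte patterns are the standard x86 encodings of the instructions quoted above (mov ebp,imm32 = BD imm32; mov si,imm16 = BE imm16; mov di,imm16 = BF imm16; cmp ax,imm16 = 3D imm16 or 81 F8 imm16); the SAMPLE buffer and the method ids/descriptions are constructed for the example.

```python
"""Static scan of a binary for the anti-SoftICE signatures listed on this page (added example)."""
import re

# (method id, description, compiled byte pattern).  Immediate-operand patterns are
# case-sensitive on purpose: IGNORECASE would let 0x4B ('K') also match 0x6B ('k').
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' (4243484Bh) loaded into ebp before int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),                        # mov ebp, 4243484Bh
    ("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),   # mov si,4647h .. mov di,4A4Dh
    ("05", "compare against debugger magic number 0F386h (int 41h/4Fh, int 68h, VxDCall)",
     re.compile(rb"(?:\x3D|\x81\xF8)\x86\xF3")),                    # cmp ax, 0F386h
    ("11", "MeltICE: SoftICE driver opened by device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE)),  # "\\.\SICE",0 etc.
    ("13", "SoftICE registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data):
    """Return one dict per hit ({'id', 'offset', 'description', 'bytes'}), sorted by offset."""
    hits = []
    for method_id, description, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append({"id": method_id, "offset": m.start(),
                         "description": description, "bytes": m.group(0)})
    return sorted(hits, key=lambda h: h["offset"])


def methods_found(data):
    """Set of method ids whose signature appears at least once in data."""
    return {h["id"] for h in scan(data)}


# Constructed sample: hand-encoded fragments of the page's listings, separated by nops.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                       # mov ebp, 4243484Bh ('BCHK')  (Method 01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"       # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                       # mov ax,0911h / mov dx,[bx]    (Method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"               # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz  (Method 05)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # device names used by MeltICE  (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"              # registry key                  (Method 13)
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit['offset']:#06x}  method {hit['id']}: {hit['description']}")
```

Run it over a file with scan(open(path, "rb").read()). A hit is a lead, not a verdict: the 3-byte 0F386h compare in particular can occur by chance in data, so confirm each offset in a disassembler, and note that Methods 03/04/09/14 (int 2Fh and VMM service calls) carry no constant distinctive enough to be matched this way.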

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>