About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es must point to segment 0 (the IVT) here, as Method 06 sets explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl; SoftICE's does not
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the Win9x SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
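Added example, not part of the original post and not code from any protector, from SoftICE or from NuMega: a small Python scanner that looks for the byte patterns of the tricks listed above in a raw code or data buffer, the kind of static triage check an analyst runs on a packed sample before tracing it. The opcode bytes are the standard 16-bit x86 encodings of the instruction sequences quoted in the methods above (mov ax,imm16 = B8 iw, mov si,imm16 = BE iw, int imm8 = CD ib, int 3 = CC, cmp ax,imm16 = 3D iw, mov ebp,imm32 = BD id) plus the 32-bit push imm32 (68 id) form for the Method 12 VxDCall; the device names and the NuMega registry key are matched as strings. The sample buffer is constructed here from those same sequences. Because real protectors interleave other instructions, each pattern allows a short gap between the tell-tale operands and the interrupt; that gap, and the 16-bit-only operand sizes, are design assumptions of this example, not something the original text states.

```python
import re

# Signature name -> regex over raw bytes. Encodings are the 16-bit operand-size
# forms used in the DOS-era snippets above; 32-bit code would carry a 66h prefix
# on the 16-bit moves, which these patterns deliberately do not try to cover.
ANY = rb"[\x00-\xFF]"
SIGNATURES = {
    "01 BoundsChecker 'BCHK' in ebp before int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42" + ANY + rb"{0,16}?\xCC"),
    # Method 02: SI=4647h and DI=4A4Dh loaded (either order) shortly before int 3
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        re.compile(rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"
                   + ANY + rb"{0,16}?\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    "03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)" + ANY + rb"{0,8}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh / int 41h
    "05/06 int 41h function 4Fh":
        re.compile(rb"\xB8\x4F\x00" + ANY + rb"{0,16}?\xCD\x41"),
    # The F386h magic compare is shared by Methods 05, 07 and 12
    "05/07/12 cmp ax,0F386h (system debugger magic number)":
        re.compile(rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h function 43h":
        re.compile(rb"\xB4\x43" + ANY + rb"{0,8}?\xCD\x68"),
    # Method 11 (MeltICE) and the _lopen variant: NUL-terminated device names
    "11 MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah before Kernel32!ORD_001 (32-bit code)
    "12 VxDCall 002A002Ah/4Fh (VWIN32_Int41Dispatch)":
        re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    # Method 13: the registry key used to locate the installation directory
    "13 NuMega\\SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Return every (offset, signature name) hit found in buf, ordered by offset."""
    hits = [(m.start(), name)
            for name, pat in SIGNATURES.items()
            for m in pat.finditer(buf)]
    return sorted(hits)


def build_constructed_sample() -> bytes:
    """Constructed test buffer: Methods 01, 02 (the Haspinst sequence), 03 and 05
    assembled as 16-bit code, then a MeltICE device name and the registry key."""
    return (
        b"\x90" * 4                                                     # padding
        + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x02"       # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
        + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
        + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # xor di,di; mov es,di; mov ax,1684h; mov bx,0202h; int 2Fh
        + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # mov ax,4Fh; int 41h; cmp ax,0F386h
        + b"\\\\.\\SICE\x00"                                            # "\\.\SICE"
        + b"Software\\NuMega\\SoftICE"                                  # registry key fragment
    )


if __name__ == "__main__":
    for off, name in scan(build_constructed_sample()):
        print(f"{off:#06x}  {name}")
```

Running the module on the constructed buffer reports seven hits (Methods 01, 02, 03/04, 05/06, the F386h compare, the MeltICE name and the registry key) at the offsets where each sequence was placed; a buffer of NOPs and plain text reports none. Used on a real sample, a hit is only a lead: the patterns are narrow by design, so confirm by looking at the surrounding code rather than treating a match as proof of the trick.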