About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes ES = 0 (interrupt vector table), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
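As an added example, not part of the original post nor of any of the tools it names: a small Python scanner that looks for the byte-level fingerprints of the methods above in a raw code or data blob. This is the triage an analyst runs on a sample before tracing it, to learn which anti-debugger checks it carries and where. The constants (the 'BCHK' value, the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, int 41h/4Fh, int 68h/43h, the 002A002Ah VxDCall code, the device names and registry keys) come from the methods above; the x86 instruction encodings, the slack allowed between instructions and the sample bytes are my assumptions, and the sample is hand-assembled, not taken from any real file.

```python
import re

# Byte-level fingerprints for the anti-SoftICE methods described in the post.
# Assumed standard x86 encodings: mov ebp,imm32 = BD id; mov ax,imm16 = B8 iw
# (with a 66h prefix in 32-bit code); mov bx,imm16 = BB iw; mov si,imm16 = BE iw;
# mov di,imm16 = BF iw; mov ah,imm8 = B4 ib; int n = CD n; int 3 = CC;
# push imm8 = 6A ib; push imm32 = 68 id. Up to 8 bytes of slack is allowed
# between instructions so a prefix or an interleaved mov does not break a match.
RULES = [
    ("Method 01: BoundsChecker 'BCHK' int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F"),
    ("Method 05/06: int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41"),
    ("Method 07: int 68h function 43h",
     rb"\xB4\x43.{0,8}\xCD\x68"),
    ("Method 11: MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F.{0,8}\x68\x2A\x00\x2A\x00"),
    ("Method 13: SoftICE registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
]
# DOTALL so the slack may contain 0x0A bytes as well.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in RULES]


def scan(data: bytes) -> list:
    """Return (method name, offset) pairs for every fingerprint found in data,
    sorted by offset. An empty list means none of the listed tricks matched."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def report(data: bytes) -> str:
    """Human-readable summary, one line per hit."""
    hits = scan(data)
    if not hits:
        return "no anti-SoftICE fingerprints found"
    return "\n".join(f"{off:08x}  {name}" for name, off in hits)


# Constructed sample (not a real binary): hand-assembled fragments of methods
# 02, 03 and 05 plus the method 11/13 strings, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\x66\xB8\x84\x16\x66\xBB\x02\x02\xCD\x2F"   # 32-bit code: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"              # registry key from method 13
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it on a file with `report(open(path, "rb").read())`. Offsets are into the raw file, so map them through the section table if you want virtual addresses. A hit only says the bytes are present; the Method 02 and 05 patterns in particular will also match a program that merely contains the same constants, so confirm each hit by looking at the surrounding code before trusting it.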