About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to be 0 here (interrupt vector table), as Method 06 sets it up
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
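Methods 01 to 07 are fixed instruction sequences, so an analyst triaging a sample can look for them statically before ever running it. The following Python scanner is an added example, not code from the original text: the byte patterns are hand-assembled from the instruction sequences quoted above (Method 01 is assumed to be 32-bit code, the others 16-bit code, with the instructions in exactly the order shown), and the sample buffer it scans is constructed here.

```python
"""Static scanner for the SoftICE-detection instruction sequences of Methods 01-07.

Each signature is the hand-assembled x86 encoding of the sequence quoted on the
page; the scanner reports which tricks a sample contains and at which offsets,
which is how an analyst triages anti-debugging code in a binary.
"""
import re
import sys

# (method, description, regex over raw bytes).  Assumption: Method 01 is 32-bit
# code (mov ebp,imm32 and mov ax with a 66h prefix); the rest are 16-bit code.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature via int 3",
     rb"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh  ('BCHK')
     rb"\x66\xB8\x04\x00"            # mov ax, 4
     rb"\xCC"                        # int 3
     rb"\x3C\x04"),                  # cmp al, 4
    ("02", "SoftICE back door: SI=4647h ('FG'), DI=4A4Dh ('JM'), int 3",
     rb"\xBE\x47\x46"                # mov si, 4647h
     rb"\xBF\x4D\x4A"                # mov di, 4A4Dh
     rb".{0,8}?\xCC"),               # int 3 within a few bytes
    ("03", "int 2Fh/1684h entry-point query, VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02\xCD\x2F"),      # mov bx, 0202h ; int 2Fh
    ("04", "int 2Fh/1684h entry-point query, VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A\xCD\x2F"),      # mov bx, 7A5Fh ; int 2Fh
    ("05", "int 41h function 4Fh debugger-installed check",
     rb"\xB8\x4F\x00\xCD\x41"),      # mov ax, 4Fh ; int 41h
    ("07", "int 68h function 43h WinICE handler check",
     rb"\xB4\x43\xCD\x68"),          # mov ah, 43h ; int 68h
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return a list of (offset, method, description), sorted by offset, for
    every signature found in blob (a bytes object such as a whole file image)."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: NOP padding around a Method 01 check, the Haspinst-style
# back-door call of Method 02, and the simple int 41h probe of Method 05.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 + jnz
    + b"\x90" * 5
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"            # Method 02 (Haspinst)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                    # Method 05 + cmp ax,0F386h
    + b"\x90" * 8
)


def main(argv):
    """Scan the file named on the command line, or the constructed SAMPLE."""
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, method, desc in scan(blob):
        print(f"0x{offset:08X}  Method {method}: {desc}")


if __name__ == "__main__":
    main(sys.argv)
```

The patterns are deliberately tight (exact register choice and immediate), so a packer that reorders the moves or sets the magic values through another register slips past them; the Method 02 pattern tolerates a few bytes between the second magic value and the `int 3` because the Haspinst listing above shows other instructions can sit there.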
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
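To see what the two DR7 values quoted above actually encode, and what a set memory breakpoint looks like in the same register, here is an added DR7 decoder in Python (not code from the original text). It follows the DR7 bit layout from the Intel architecture manual; the example register value with one breakpoint armed is constructed here and is not a claim about how SoftICE itself programs the register.

```python
"""Decoder for the x86 DR7 debug-control register, the value Method 10 reads in
ring 0 to tell whether SoftICE is loaded and which memory breakpoints (BPMs)
are armed in DR0-DR3.  Bit layout (Intel SDM):
  bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3   local/global enable per breakpoint slot
  bit 8 LE, bit 9 GE                   exact breakpoint match
  bit 10                               reserved, always reads as 1 (hence 0x400)
  bit 13 GD                            general detect: trap on MOV to/from DRn
  bits 16+4n,17+4n  R/Wn               bits 18+4n,19+4n  LENn
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes in 64-bit mode only


def decode_dr7(dr7, dr_addrs=(0, 0, 0, 0)):
    """Return the global flags and the list of armed breakpoints encoded in dr7;
    dr_addrs supplies the DR0-DR3 linear addresses when they are known."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                      # slot n is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "slot": n,
            "address": dr_addrs[n],
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return info


def loader_heuristic(dr7):
    """Method 10's first check: 0x700 means LE and GE are set on top of the
    reserved bit (the state after starting the program from the SoftICE loader);
    0x400 is the bare reserved bit."""
    return "started-from-softice-loader" if (dr7 & 0x300) == 0x300 else "plain"


def bpm_count(dr7):
    """Method 10's second check: how many of DR0-DR3 are enabled at all."""
    return len(decode_dr7(dr7)["breakpoints"])


# Constructed value: slot 0 enabled locally, R/W0 = 01 (write), LEN0 = 00 (1 byte),
# on top of the 0x700 loader state; what a single one-byte write BPM looks like.
EXAMPLE_DR7 = 0x700 | 0b01 | (0b01 << 16)


if __name__ == "__main__":
    for value in (0x400, 0x700, EXAMPLE_DR7):
        print(hex(value), loader_heuristic(value),
              decode_dr7(value, (0x401000, 0, 0, 0)))
```

Reading the register is the easy part of this trick; the decoder shows why the check is only meaningful in ring 0 (DR7 is inaccessible to a ring 3 program) and why a debugger that leaves LE/GE clear and sets no hardware breakpoints is invisible to it.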

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
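The breakpoints of Method 11 and Method 13 both peek at an API's stack arguments: in SoftICE syntax `esp->4` is the dword stored at [esp+4] (the first argument, since [esp] holds the return address), `*(p)` dereferences p, and a four-character constant such as 'SICE' compares against the four bytes found at that address. The following Python model is an added example, not code from the original text: it lays out a constructed stack frame the way a `__stdcall` API sees it at entry and evaluates the two conditions, which also shows where the 0x13 and 0x37 offsets come from. The stack address, string addresses and return address are constructed values; the CreateFileA argument values are the ones the C sample above passes.

```python
"""Model of the SoftICE conditional-breakpoint expressions used in Methods 11
and 13.  At a BPX on an API entry, [esp] holds the return address and the
__stdcall arguments follow: esp->4 is the first argument, esp->8 the second.
*(esp->4+4) therefore reads four bytes at offset 4 into the string the first
argument points to, and 'SICE' is a 4-character constant compared against
those bytes in memory order (the way the page's breakpoints use it)."""
import struct

ESP = 0x0012FF00          # constructed stack pointer at API entry
STRING_BASE = 0x00402000  # constructed address where string arguments live


class Memory:
    """Flat little-endian 32-bit address space; unwritten bytes read as zero."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, n=4):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr):
        return struct.unpack("<I", self.read(addr))[0]


def call_frame(args):
    """Build memory as it looks when a BPX on a __stdcall API fires: [esp] is the
    return address, [esp+4*(i+1)] is argument i.  Python str arguments are placed
    in memory (NUL-terminated ASCII) and passed as pointers."""
    mem = Memory()
    mem.write(ESP, struct.pack("<I", 0x00401000))   # constructed return address
    next_str = STRING_BASE
    for i, arg in enumerate(args):
        if isinstance(arg, str):
            data = arg.encode("ascii") + b"\0"
            mem.write(next_str, data)
            arg, next_str = next_str, next_str + len(data)
        mem.write(ESP + 4 * (i + 1), struct.pack("<I", arg))
    return mem


def char4(mem, slot, offset):
    """Evaluate  *(esp->slot + offset)  and return the four bytes as text."""
    return mem.read(mem.dword(ESP + slot) + offset).decode("latin-1")


def meltice_bpx(filename):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    The +4 skips the four-character device prefix (backslash, backslash, dot,
    backslash).  Only lpFileName matters; the other six CreateFileA arguments
    carry the values of the C sample on the page."""
    mem = call_frame([filename, 0xC0000000, 0x3, 0, 3, 0x80, 0])
    return char4(mem, 4, 4) in ("SICE", "SIWV", "NTIC")


def regopenkey_bpx(subkey):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    hKey is the first argument, lpSubKey the second, phkResult the third."""
    mem = call_frame([0x80000002, subkey, 0])   # HKEY_LOCAL_MACHINE, subkey, &result
    return "tICE" in (char4(mem, 8, 0x13), char4(mem, 8, 0x37))


def token_offset(arg_string, token):
    """Offset to use in *(esp->N+OFFSET)=='token' so that it matches arg_string,
    or None if the token does not occur; this is how 0x13 and 0x37 were derived."""
    i = arg_string.find(token)
    return None if i < 0 else i


if __name__ == "__main__":
    for key in ("Software\\NuMega\\SoftICE",
                "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"):
        print(hex(token_offset(key, "tICE")), regopenkey_bpx(key), key)
```

Running the model against the three keys listed above shows that the page's `_regopenkey` breakpoint fires for keys #1 and #2 only: key #3 contains no "tICE" at either offset (nor anywhere), so a check on the Loader32.Exe key needs a condition of its own, which `token_offset` can derive for any other four-byte token in that path.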
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>