<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; without a debugger answering int 3, al is still 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax            ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; es must be 0 (IVT segment), see Method 06
    xchg bx, es:[41h*4+2] ; install our own int 41h handler...
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h        ; if ax is 0F386h, something other than our handler answered
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al             ; our handler just copies al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h            ; al = a timer byte, i.e. an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h           ; DOS set interrupt vector
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
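As an added example (not part of the original text), the following Python decoder applies the architectural DR7 layout to the two values quoted above, so you can see why 0x700 and 0x400 differ only in the LE/GE bits and which of dr0 to dr3 a BPM would arm; the third sample value is constructed.

```python
# Added example, not code from the original text: decodes the DR7 values
# method 10 reads, using the architectural layout of the register.
# Layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2*i   : L_i  local enable of DR_i     (i = 0..3)
#   bit 2*i+1 : G_i  global enable of DR_i
#   bit 8/9   : LE/GE exact-match enables (legacy; some debuggers set them)
#   bit 10    : reserved, always reads as 1  -> a "clean" DR7 is 0x400
#   bit 13    : GD, traps any access to the debug registers
#   bits 16+4*i .. 17+4*i : R/W_i  (condition for DR_i)
#   bits 18+4*i .. 19+4*i : LEN_i  (width of the watched range)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7(dr7):
    """Return the armed slots and the global flags encoded in a DR7 value."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"slots": slots,
            "le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000)}

def classify(dr7):
    """The heuristic of method 10: an armed slot means a BPM-style breakpoint;
    LE+GE with nothing armed is the 0x700 the text attributes to the SoftICE
    loader; only the reserved bit (0x400) means nothing is set."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoint(s) armed"
    if d["le"] and d["ge"]:
        return "debugger loader seen (LE/GE set)"
    return "clean"

# Constructed sample: the two values the text quotes, plus a DR7 with DR0
# armed globally as a 4-byte read/write watch (G0=1, R/W0=11b, LEN0=11b).
SAMPLE_VALUES = {
    "loaded_with_softice_loader": 0x700,
    "no_debugger": 0x400,
    "one_bpm_set": 0x400 | 0x2 | (3 << 16) | (3 << 18),
}

if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        print(f"dr7={value:#07x} {name:28s} -> {classify(value)}")
        for s in decode_dr7(value)["slots"]:
            print(f"    DR{s['slot']}: {s['kind']}, {s['len']} byte(s), global={s['global']}")
```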
8 B5 T) Y, Y4 f; A4 ?8 N8 ]6 D% H3 G6 i- P) r( k
__________________________________________________________________________: B" m9 v; a9 l% L4 ^( c
2 x2 T& w; B( [( V2 P6 P( t
Method 112 T# N$ V; d& u( Y& Z$ x; X6 S
=========
3 q) c w5 l# L8 \# ^
. q+ d6 U( i* c* @+ M8 R, _This method is most known as 'MeltICE' because it has been freely distributed- x4 F0 {7 n% x
via www.winfiles.com. However it was first used by NuMega people to allow
, K* ~* \3 O" s" i& V0 YSymbol Loader to check if SoftICE was active or not (the code is located+ {2 m1 S# V4 `* q: c
inside nmtrans.dll).' ?+ d/ C1 B+ J, s$ f: v
* e3 T6 W. ?' J, E# g: r
The way it works is very simple:/ t2 P; A+ K4 F
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for* Y9 m( N, ?+ o
WinNT) with the CreateFileA API.+ }& w: C0 C. _. L4 \8 D) c
- i" S9 O" T }$ `Here is a sample (checking for 'SICE'):- @4 }8 o* G4 b2 |0 e. N" V
0 g* r0 }$ F" ?% }BOOL IsSoftIce95Loaded()7 P: C9 A: @5 z+ _
{- P$ N( M) l/ H& u$ m) ?" z
HANDLE hFile; 0 d" F( F; ]) Y2 u) M
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
1 p( b3 S* O! ` FILE_SHARE_READ | FILE_SHARE_WRITE,
# S h' P" O' f% q7 u' b! |, i& t NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 @' a& Z8 R$ T
if( hFile != INVALID_HANDLE_VALUE ): @3 b# S- K! n$ ?, m
{! |' O, [; U7 m+ C
CloseHandle(hFile);
( @$ j2 q7 W; {9 B, w! w$ b% O5 N return TRUE;* a8 a2 ~% F7 F; L+ Q) \& u
}2 b* ?7 T3 u3 o: S7 Q
return FALSE;6 l. C1 X1 }5 ?: R& |- M, L' |( n5 h3 k
}; u' O/ X% t' v# ]( w, ^
7 w3 b" D8 h. I+ B& SAlthough this trick calls the CreateFileA function, don't even expect to be0 Y# `0 c) C( b0 y1 w- @# x
able to intercept it by installing a IFS hook: it will not work, no way!
4 c0 |4 t1 \0 g3 a9 ^ c6 Q5 ^In fact, after the call to CreateFileA it will get through VWIN32 0x001F
8 z/ p( M+ u, A: N+ M, [service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
- `& m+ M& @ _" p2 land then browse the DDB list until it find the VxD and its DDB_Control_Proc
9 n2 D9 G6 y. Y$ \. K- qfield.
7 o; C7 }3 @) V$ n0 ^. Q: d3 p" G! L( B dIn fact, its purpose is not to load/unload VxDs but only to send a - c! s" ^" \2 i* n7 b
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
f7 ?; O; K: j5 I% C" zto the VxD Control_Dispatch proc (how the hell a shareware soft could try
" B: m+ N/ } y: `to load/unload a non-dynamically loadable driver such as SoftICE ;-).
+ F4 \- F5 i: o7 f6 _1 fIf the VxD is loaded, it will always clear eax and the Carry flag to allow4 ~: _& @ d+ y9 _, E& x
its handle to be opened and then, will be detected.+ i9 Y6 f4 S) f# k3 C* P, o
You can check that simply by hooking Winice.exe control proc entry point( k, U5 ]* ]! o. e. x
while running MeltICE.! J2 U, A! q+ {& q& E/ T' e
p1 D' C% g' l( F/ o2 ~ s z2 }
00401067: push 00402025 ; \\.\SICE/ B9 g, I" K. U$ r* i& c9 S
0040106C: call CreateFileA
' [2 l, D* J$ l+ e* s6 n 00401071: cmp eax,-0015 r' F7 d4 R/ b' L( x" r
00401074: je 00401091
( s: A+ g9 i) z' m; T H0 M6 j! t$ Z7 W& r9 a0 S- Y- q D% Z
G/ K) T" r, k" s
There could be hundreds of BPX you could use to detect this trick.3 M4 X, @5 V7 Z `- {$ ~
-The most classical one is:
7 i. @) e! w: r. E/ \, S2 G- ~ BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- ?$ ^# W! k: B- {" A+ q; R& [
*(esp->4+4)=='NTIC'
( K' n( O/ D+ H6 H7 D7 q" \" a; E3 R1 ^
-The most exotic ones (could be very slooooow :-(
" U4 p) N0 Y2 ?1 U# i" |# N4 j+ a5 a9 e BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 \. { m$ e: h7 z3 @, I0 Z( R# u
;will break 3 times :-(: C: j- [( f( x& h1 G3 i, _
2 O4 B0 B: E; [7 B
-or (a bit) faster:
2 q( |+ ?& s$ c" w BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
8 G; Y" O+ Y8 s {! K
: @6 n" h% q$ B BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
/ y4 x: c) O7 i5 l ;will break 3 times :-(
; [1 N* ^! J2 p7 [0 t. u9 A
6 M, _/ o. [- P-Much faster:
) `! N2 J4 F3 ~% k BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; H- s, J0 ], Z* @0 V% x7 P: b
; Z4 f' j3 i4 }4 u& C y& q4 R# _
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
! ^! r6 n( B! y. d5 ]& pfunction to do the same job:3 V7 n1 Y: m, a1 d$ h
6 Y' S$ a8 x: k& ^$ B+ n$ s
push 00 ; OF_READ
+ I5 e7 V4 a6 t' B mov eax,[00656634] ; '\\.\SICE',0* |/ [7 R3 {/ ~ f
push eax
" I6 I: _# w V' A1 [) D call KERNEL32!_lopen( {3 L7 I7 y* h( F6 h
inc eax! C2 u4 P1 |7 S1 e; s0 [& c
jnz 00650589 ; detected
+ O/ U- R4 W* |9 p push 00 ; OF_READ
2 _! g. J" G. P. l6 E' d3 i& A8 ^ mov eax,[00656638] ; '\\.\SICE'
0 v6 a9 O- F) x" S/ J! z push eax
0 `* J' y: r4 h7 H; @ call KERNEL32!_lopen8 h$ t5 o& q0 H: r) ~) w
inc eax, N) ^% m3 E& H
jz 006505ae ; not detected/ O l0 x7 f' h
% E9 w5 w8 X# K( {. }9 t! `# X$ X6 f
__________________________________________________________________________6 Y/ A8 g/ i b# ~0 }' z

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>