<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0000:0000 if no such VxD is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es must be 0 so that es:[41h*4] addresses the IVT entry (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler, saving the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; only runs if our handler really receives the interrupt
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; al = arbitrary byte read from the timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al means the int was swallowed by a debugger
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* succeeds only if the SICE VxD answers the DIOC_OPEN for \\.\SICE */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0 if the open failed
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 ; 0x13 = offset of "tICE" in key #2, 0x37 = its offset in key #1

__________________________________________________________________________

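As an added example (not part of the original text), here is a small static scanner that looks for the byte patterns the checks of Methods 01-13 leave in a binary, so an analyst can triage a packer or protector for these SoftICE checks before stepping through it. The opcode encodings, pattern names and the sample buffer are assumptions constructed for this example; the 16-bit tricks are encoded as 16-bit code and the 'BCHK' check as 32-bit code.

```python
import re

# Byte signatures for the SoftICE checks described in Methods 01-13.
# Encodings are constructed for this example (assumption): imm16 forms for
# the DOS-era tricks, and the 32-bit 'mov ebp,imm32' of the BoundsChecker check.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' check (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,12}?\xCC",
    "M02 back-door magic values SI=4647h, DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A",
    "M03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\xBB(?:\x02\x02|\x5F\x7A)[\x00-\xFF]{0,8}?\xCD\x2F",
    "M05 int 41h function 4Fh debugger check":
        rb"\xB8\x4F\x00\xCD\x41",
    "M05/07/12 compare ax with debugger magic 0F386h":
        rb"\x3D\x86\xF3",
    "M07 int 68h function 43h (WinICE V86 handler)":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE driver device names":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}


def scan(blob):
    """Return (offset, description) for every signature hit, sorted by offset.

    The 3-byte 0F386h compare is a weak pattern on its own: a hit is a triage
    hint to confirm in a disassembler, not proof by itself.
    """
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), desc))
    return sorted(hits)


def hit_offsets(blob):
    """Offsets only, convenient for checking a scan result."""
    return [off for off, _ in scan(blob)]


# Constructed sample buffer (not a real binary): filler, the Method 01
# sequence (32-bit encoding), the simplest Method 05 check with its 0F386h
# compare, then a MeltICE device name and the Method 13 registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04\x75\x10"
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x05"
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"0x{off:04X}  {desc}")
```

Run it over a real file with scan(open(path, "rb").read()); relocated or obfuscated code will not match these fixed sequences, so treat a clean result as "nothing obvious", not as absence of the checks.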
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>