<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: an int 3 issued with
'BCHK' in EBP and AX=4 is answered by SoftICE, which alters AL; without
SoftICE the int 3 returns with AL still equal to 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an int 3 handler the program installs
  (the original text calls it an SEH) and is only taken when the debugger
  is not loaded; with SoftICE present, the int 3 is swallowed by the back
  door and execution falls through to 00A1.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first, and only comes back
non-zero when a VxD with that ID is loaded:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a dummy
handler before the call and restored afterwards, so the answer cannot come
from a handler sitting in the interrupt vector table: a debugger that
intercepts int 41h below the IVT (as SoftICE does) still returns 0F386h.

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table (omitted in
                                ; the original listing, but required)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install the dummy handler and keep
    xchg bx, es:[41h*4+2]       ; the old vector in BX:DX
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second variant, similar to the preceding one but more difficult to detect.
Instead of comparing AX with 0F386h, the dummy handler copies AL into CL when
it is reached. AL is loaded with an unpredictable value read from the timer
port (40h) and CX is cleared; if nothing intercepts int 41h the handler runs
and CL equals AL afterwards, whereas if SoftICE swallows the interrupt CL is
still 0 and the debugger is detected (if the timer byte happens to be 0 the
check is inconclusive).

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install the handler and keep
    xchg bx, es:[41h*4+2]       ; the old vector in BX:DX
    in al, 40h                  ; unpredictable value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (in ring 0 only). The values
can be manipulated or changed as well (clearing BPMs, for instance).

___________________________________________________________________________

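The register values quoted above, decoded. This is an added example and not
code from the original text or from SoftICE: the bit layout is the documented
DR7 format, and since reading DR0-DR7 requires ring 0 (a VxD on Win9x), the
register values it works on are constructed inputs rather than live reads.

```python
"""Decode the x86 debug registers that Method 10 reads from ring 0."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# DR7 layout (documented Intel format; these constants are not SoftICE's):
#   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3   local/global enable of DR0..DR3
#   bits 8, 9    LE, GE                    exact-breakpoint bits (386/486 legacy)
#   bit 10       reserved, always reads 1  (hence the 0x400 baseline in the text)
#   bit 13       GD                        general detect: trap on any MOV DRx
#   bits 16+4i   RWi (2 bits)              00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4i   LENi (2 bits)             00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
DR7_LE, DR7_GE, DR7_RESERVED, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    index: int      # 0..3, the DRi holding the linear address
    address: int
    kind: str       # decoded RWi
    length: int     # decoded LENi, in bytes
    local: bool     # Li set
    global_: bool   # Gi set


def decode_dr7(dr7: int, dr0_3: Sequence[int]) -> Dict[str, object]:
    """Return the enabled hardware breakpoints plus the LE/GE/GD control bits."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled, DRi content irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], local, glob))
    return {"breakpoints": bps, "le": bool(dr7 & DR7_LE),
            "ge": bool(dr7 & DR7_GE), "gd": bool(dr7 & DR7_GD)}


def started_from_softice_loader(dr7: int) -> bool:
    """The text's observation: DR7 == 0x700 (LE and GE on top of the reserved
    bit) when the program was started from the SoftICE loader, 0x400 otherwise."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def encode_bpm(dr7: int, index: int, address: int, kind: str, length: int):
    """Program slot `index` as a memory breakpoint (what a BPM looks like in
    the registers); returns the new DR7 and the value to load into DRi."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0b11 << (2 * index)) & ~(0b1111 << (16 + 4 * index))
    dr7 |= 1 << (2 * index)                              # local enable
    dr7 |= (rw | (ln << 2)) << (16 + 4 * index)
    return dr7, address


def clear_bpms(dr7: int) -> int:
    """'Clearing BPMs' from ring 0: drop every enable bit and RW/LEN field,
    keep LE/GE/GD and the reserved bit."""
    return dr7 & (DR7_LE | DR7_GE | DR7_GD | DR7_RESERVED)


if __name__ == "__main__":
    dr7, dr0 = encode_bpm(0x700, 0, 0x00401000, "read/write", 4)
    print(hex(dr7), decode_dr7(dr7, [dr0, 0, 0, 0]))
    print(hex(clear_bpms(dr7)), started_from_softice_loader(dr7))
```

Decoding 0x700 shows why it is a loader fingerprint rather than a breakpoint:
no Li/Gi bit is set, only LE, GE and the reserved bit. A BPM on the other hand
sets an enable bit plus the RWi/LENi field, which is what the ring 0 read
picks up and what clear_bpms removes.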
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* The device name only resolves while the SICE VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* open succeeded: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-1             ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the '\\.\' prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (HFILE_ERROR is -1, so 'inc eax' yields zero
only when the open failed):

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word: which VxD (VWIN32)
                            ; low word: which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' in keys #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

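A static scanner for the tricks catalogued in Methods 01 to 07, 11, 12 and
13 above, as an added example that is not code from the original text, from
NuMega or from any of the programs mentioned. It searches a raw code/data
blob for the byte patterns those listings leave in a binary and derives the
Method 13 breakpoint condition from the registry key names. The encodings
are hand-assembled from the listings on this page (an assembler may emit
variants such as a different register order), and SAMPLE is a constructed
blob, not taken from any real executable.

```python
"""Static scanner for the SoftICE-detection tricks catalogued above."""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    detail: str


# VxDCall service dwords named on this page: high word = VxD ID, low word = service.
VXD_SERVICES = {(0x2A, 0x2A): "VWIN32_Int41Dispatch",
                (0x2A, 0x1F): "_VWIN32_ReleaseWin32Mutex"}

# 16-bit real-mode encodings unless noted; \x66 is the operand-size prefix a
# 16-bit assembler emits for the 32-bit 'mov ebp,imm32' of Method 01.
SIGNATURES = [
    ("01", rb"\x66?\xBD\x4B\x48\x43\x42",                     # mov ebp,4243484Bh
     "BoundsChecker signature 'BCHK' loaded before int 3"),
    ("02", rb"\xBE\x47\x46(?:\x00\x00)?\xBF\x4D\x4A",          # mov si,4647h / mov di,4A4Dh
     "back-door magic values SI=4647h DI=4A4Dh"),
    ("03/04", rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F",  # mov ax,1684h / mov bx,ID / int 2Fh
     "int 2Fh/1684h entry-point request for VxD ID"),
    ("05/06", rb"\x26\x87\x16\x04\x01",                       # xchg dx,es:[41h*4]
     "int 41h vector swapped out of the IVT (Stone's variants)"),
    ("05", rb"\xB8\x4F\x00\xCD\x41",                          # mov ax,4Fh / int 41h
     "int 41h/4Fh debugger installation check"),
    ("07", rb"\xB4\x43\xCD\x68",                              # mov ah,43h / int 68h
     "int 68h/43h WinICE handler check"),
    ("12", rb"\x6A\x4F\x68(....)",                            # push 4Fh / push VxD:service (32-bit)
     "function 4Fh pushed for VxDCall"),
    ("11", rb"(?i)\\\\\.\\(SICE|SIWVID|NTICE)",                # "\\.\SICE" etc.
     "driver device name for CreateFileA/_lopen"),
    ("13", rb"(?i)NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe",
     "SoftICE registry key"),
]


def describe(method: str, m: re.Match, base: str) -> str:
    """Expand a raw match into the VxD ID / service / string it carries."""
    if method == "03/04":
        vxd = int.from_bytes(m.group(1), "little")
        return f"{base} {vxd:04X}h ({'SICE' if vxd == 0x0202 else 'SIWVID'})"
    if method == "12":
        dword = int.from_bytes(m.group(1), "little")
        vxd, svc = dword >> 16, dword & 0xFFFF
        name = VXD_SERVICES.get((vxd, svc), "unknown service")
        return f"{base}: VxD {vxd:04X}h service {svc:04X}h ({name})"
    if method in ("11", "13"):
        return f"{base}: {m.group(0).decode('latin-1')}"
    return base


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit in `blob`, ordered by offset."""
    hits = []
    for method, pattern, base in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append(Hit(m.start(), method, describe(method, m, base)))
    return sorted(hits)


REGISTRY_KEYS = [  # the three keys of Method 13, without the hive
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def regopenkey_bpx(keys: List[str], needle: str = "tICE") -> str:
    """Build the Method 13 breakpoint: esp->8 is RegOpenKey's lpSubKey and the
    condition tests `needle` at every offset where it occurs in a key name
    (keys without it, like #3, contribute nothing)."""
    offsets = sorted({k.index(needle) for k in keys if needle in k})
    cond = " || ".join(f"*(esp->8+0x{off:x})=='{needle}'" for off in offsets)
    return f"BPX _regopenkey if {cond}"


SAMPLE = b"".join([  # constructed blob, hand-assembled from the listings above
    b"\x90" * 4,
    bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CD 03  3C 04  75 05"),      # Method 01
    bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CD 03"),            # Method 02
    bytes.fromhex("33 FF  8E C7  B8 84 16  BB 02 02  CD 2F"),               # Method 03
    bytes.fromhex("26 87 16 04 01  26 87 1E 06 01  B8 4F 00  CD 41"),       # Method 05 (Stone)
    bytes.fromhex("B4 43  CD 68  3D 86 F3"),                                # Method 07
    bytes.fromhex("6A 4F  68 2A 00 2A 00"),                                 # Method 12
    b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00",                               # Method 11 strings
    b"Software\\NuMega\\SoftICE\x00",                                       # Method 13 key
])

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:04x}  method {hit.method:6} {hit.detail}")
    print(regopenkey_bpx(REGISTRY_KEYS))
```

The byte signatures are deliberately anchored on the immediates that the
tricks cannot change (the 'BCHK' and 4647h/4A4Dh magic values, the VxD IDs,
the 0F386h function numbers, the device and key names); a packer that
rewrites the surrounding code keeps these, which is what makes them usable as
triage signatures.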
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>