About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE answers on int 3:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

When SoftICE is loaded it services the INT 3 itself and returns with AL
changed. When it is not loaded, the INT 3 either returns through the default
handler under DOS or raises a breakpoint exception under Win32 (which is why
Win32 code wraps the sequence in an exception handler); either way AL still
equals 4.

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

A practical check: with SoftICE loaded, break before the INT 3 runs
(BPINT 3 if si==4647 && di==4a4d) and step over it, otherwise the last of
the six commands, HBOOT, reboots the machine.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

ES:DI stays 0000:0000 when no VxD with that ID is loaded, so any non-zero
sum means an entry point was returned.

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is pointed at a
dummy handler around the call, so a 0F386h reply can only come from something
that intercepts int 41h before it reaches the vector table, which is what
SoftICE does:

    ; ES is assumed to be 0 here (see Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
constant 4Fh or 0F386h appears. The dummy handler copies AL into CL; AL is
loaded with a value read from port 40h (the timer), CX is cleared, and if
anything other than the dummy handler serviced the int 41h, CL no longer
equals AL:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
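Added example (Python, not code from the original text nor from any tool it names): a small 16-bit instruction walker that tracks immediate register loads and reports every software interrupt together with the register state that reaches it, then labels the combinations used in Methods 01 to 07. It understands only the handful of opcodes these checks use, reads 16-bit code (the 'BCHK' load shows up as 66 BD imm32), stops at the first unknown opcode instead of desynchronising, and the byte strings are hand-assembled for the demo.

```python
"""Added example, not part of the original text: a small 16-bit instruction
walker that tracks immediate register loads and reports each software
interrupt with the register state that reaches it, then labels the
combinations used by Methods 01 to 07. Sample bytes are hand-assembled."""
import struct

MOV16 = {0xB8: "ax", 0xBB: "bx", 0xBD: "bp", 0xBE: "si", 0xBF: "di"}  # mov r16, imm16
MOV8 = {0xB0: "al", 0xB4: "ah"}                                      # mov r8, imm8
# Fixed-length instructions seen around the checks that carry no state we track
SKIP = {0x8E: 2,   # mov sreg, r16     (mov es, di)
        0x3C: 2,   # cmp al, imm8
        0x3D: 3,   # cmp ax, imm16
        0x74: 2,   # jz rel8
        0x75: 2,   # jnz rel8
        0xE4: 2,   # in al, imm8
        0x90: 1}   # nop
REGIDX = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
BACKDOOR = {0x0910: "display string", 0x0911: "execute command at ds:dx",
            0x0912: "get breakpoint info", 0x0913: "set breakpoints",
            0x0914: "remove breakpoints"}


def _set8(regs, half, val):
    """Write AL or AH without disturbing the other half of AX."""
    ax = regs.get("ax", 0)
    regs["ax"] = (ax & 0xFF00) | val if half == "al" else (ax & 0x00FF) | (val << 8)


def step(code, pos, regs):
    """Decode one instruction at pos. Returns (next_pos, int_no or None), or None if unknown."""
    op = code[pos]
    if op == 0x66 and pos + 5 < len(code) and code[pos + 1] in MOV16:
        # 66 Bx imm32: 32-bit register load (e.g. mov ebp, 'BCHK')
        regs["e" + MOV16[code[pos + 1]]] = struct.unpack_from("<I", code, pos + 2)[0]
        return pos + 6, None
    if op in MOV16:
        regs[MOV16[op]] = struct.unpack_from("<H", code, pos + 1)[0]
        return pos + 3, None
    if op in MOV8:
        _set8(regs, MOV8[op], code[pos + 1])
        return pos + 2, None
    if op == 0x31:                                   # xor r/m16, r16
        modrm = code[pos + 1]
        if modrm >= 0xC0 and (modrm >> 3) & 7 == modrm & 7:
            regs[REGIDX[modrm & 7]] = 0              # xor r, r clears r
        return pos + 2, None
    if op == 0xCC:
        return pos + 1, 3                            # int 3, one-byte form
    if op == 0xCD:
        return pos + 2, code[pos + 1]                # int imm8
    if op in SKIP:
        return pos + SKIP[op], None
    return None


def classify(int_no, r):
    """Map an interrupt plus the register state reaching it to one of the methods above."""
    ax, bx = r.get("ax"), r.get("bx")
    if int_no == 3:
        if r.get("ebp") == 0x4243484B and ax == 0x0004:
            return "Method 01: BoundsChecker 'BCHK' int 3 probe"
        if r.get("si") == 0x4647 and r.get("di") == 0x4A4D and ax in BACKDOOR:
            return "Method 02: SoftICE back door, " + BACKDOOR[ax]
    if int_no == 0x2F and ax == 0x1684 and bx in (0x0202, 0x7A5F):
        which = "03 (SICE)" if bx == 0x0202 else "04 (SIWVID)"
        return "Method %s: int 2Fh/1684h entry point of VxD %04Xh" % (which, bx)
    if int_no == 0x41:
        if ax == 0x004F:
            return "Method 05: int 41h/4Fh debugger installation check"
        return "Method 06 style: int 41h with AX not set by an immediate (handler-swap variant)"
    if int_no == 0x68 and ax is not None and ax >> 8 == 0x43:
        return "Method 07: int 68h/43h WinICE V86 handler check"
    return None


def scan(code):
    """Walk from offset 0; return [(offset, int_no, label)] for every interrupt reached."""
    regs, pos, hits = {}, 0, []
    while pos < len(code):
        res = step(code, pos, regs)
        if res is None:                              # unknown opcode: stop, do not desync
            break
        pos_next, int_no = res
        if int_no is not None:
            hits.append((pos, int_no, classify(int_no, regs)))
        pos = pos_next
    return hits


# Hand-assembled 16-bit samples of the checks shown above (constructed for the demo)
SAMPLES = {
    "m01": bytes.fromhex("66BD4B484342" "B80400" "CC" "3C04" "7500"),  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    "m02": bytes.fromhex("B81109" "BE4746" "BF4D4A" "CC"),             # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    "m03": bytes.fromhex("31FF" "8EC7" "B88416" "BB0202" "CD2F"),      # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    "m05": bytes.fromhex("B84F00" "CD41" "3D86F3" "7400"),             # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    "m07": bytes.fromhex("B443" "CD68" "3D86F3" "7400"),               # mov ah,43h; int 68h; cmp ax,0F386h; jz
}

if __name__ == "__main__":
    for name, code in SAMPLES.items():
        for off, int_no, label in scan(code):
            print("%s +%02X: int %02Xh -> %s" % (name, off, int_no, label))
```

The walker deliberately tracks state rather than matching fixed byte strings, because the same INT 3 or INT 41h is harmless in other code; only the register values reaching it make it one of these checks. Method 06 is reported by its shape (an INT 41h whose AX was not loaded from an immediate) since its AX comes from port 40h.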

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using the VxDCall
backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are memory breakpoints set (DR0 to DR3) simply by reading their
value (in ring 0 only; MOV from a debug register is privileged). Bit 10 of DR7
is reserved and always reads as 1, which is where the idle 0x400 comes from;
0x700 means the LE and GE (exact breakpoint) bits are set as well. Values can
be manipulated and/or changed too (clearing BPMs, for instance).

__________________________________________________________________________
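Added example (Python, not code from the original text): a decoder for the DR7 debug control register as a ring-0 check from Method 10 would read it, separating the idle value 0x400 from 0x700 (LE/GE set) and listing any armed hardware breakpoint in DR0-DR3 with its type and length. The register values are constructed for the demo; reading the real registers requires ring 0, which is why the check lives in a VxD.

```python
"""Added example, not part of the original text: decode the x86 DR7 debug
control register the way a ring-0 check from Method 10 would, to separate
the idle value 0x400 from one where SoftICE has set LE/GE (0x700) or armed a
BPM in DR0-DR3. Register values here are constructed for the demo; reading
the real registers needs ring 0."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
DR7_IDLE = 0x400            # bit 10 is reserved and reads as 1


def decode_dr7(dr7):
    """Return LE/GE/GD flags and every armed breakpoint slot with its type and length."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 at even bits
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 at odd bits
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/W field for slot i
            ln = (dr7 >> (18 + 4 * i)) & 3    # LEN field for slot i
            slots.append({"slot": i, "scope": "global" if glob else "local",
                          "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & (1 << 8)), "GE": bool(dr7 & (1 << 9)),
            "GD": bool(dr7 & (1 << 13)), "breakpoints": slots}


def softice_signs(dr7, dr0_3):
    """Method 10's verdict: the reasons a protector would treat the system as debugged."""
    d = decode_dr7(dr7)
    reasons = []
    if d["LE"] or d["GE"]:
        reasons.append("LE/GE set: dr7=%#x instead of idle %#x" % (dr7, DR7_IDLE))
    for bp in d["breakpoints"]:
        reasons.append("BPM in DR%d: %s %s, %d byte(s) at %#x"
                       % (bp["slot"], bp["scope"], bp["type"], bp["len"], dr0_3[bp["slot"]]))
    return reasons


def clear_bpms(dr7):
    """What 'clearing BPMs' from ring 0 amounts to: drop the eight L/G enable bits."""
    return dr7 & ~0xFF


def arm_bpm(dr7, slot, rw, length, glob=True):
    """Build the DR7 a BPM on the given slot needs (used here to construct samples)."""
    ln = {1: 0, 2: 1, 4: 3, 8: 2}[length]
    dr7 &= ~(3 << (2 * slot)) & ~(0xF << (16 + 4 * slot))
    dr7 |= (2 if glob else 1) << (2 * slot)
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    return dr7


if __name__ == "__main__":
    # Constructed: SoftICE loader (LE/GE) plus a 4-byte write BPM in DR1 at a sample address
    sample = arm_bpm(0x700, 1, 1, 4)
    for line in softice_signs(sample, [0, 0x401000, 0, 0]):
        print(line)
```

Note that a protector reading DR7 sees only what is armed at that instant; a BPX (an INT 3 patch) or a BPINT leaves DR0-DR3 untouched, so this check catches BPM breakpoints and the loader's LE/GE bits, not every SoftICE breakpoint.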

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver accepted DIOC_OPEN: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
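Added example (Python, not code from the original text nor from MeltICE): a static scan of a Win32 image for the user-mode indicators of Methods 11 to 13, which is the other side of the BPX conditions listed above: the SoftICE device names that CreateFileA or _lopen would open (ANSI and UTF-16), the push 4Fh / push 002A002Ah / call sequence of the VxDCall variant, and the SoftICE registry paths. The image fragment is constructed for the demo.

```python
"""Added example, not part of the original text: a static scan of a Win32
image for the user-mode checks of Methods 11 to 13: the SoftICE device names
opened through CreateFileA or _lopen (ANSI and UTF-16), the VWIN32 VxDCall
int 41h/4Fh sequence, and the SoftICE registry paths. The image bytes below
are constructed for the demo."""
import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_PATHS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                  b"App Paths\\Loader32.Exe"]
# push 4Fh ; push 002A002Ah ; call rel32   (Method 12; the call target is not checked)
VXDCALL_INT41 = re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8")


def _utf16(s):
    """UTF-16LE form of an ASCII byte string, for the CreateFileW spelling."""
    return s.decode("ascii").encode("utf-16-le")


def _find_all(blob, needle):
    """Offsets of every occurrence of needle, case-insensitive (device names are)."""
    return [m.start() for m in re.finditer(re.escape(needle), blob, re.IGNORECASE)]


def scan_image(blob):
    """Return sorted (offset, description) pairs for every Method 11/12/13 indicator found."""
    hits = []
    for name in DEVICE_NAMES:
        for enc, label in ((name, "ansi"), (_utf16(name), "utf16")):
            for off in _find_all(blob, enc):
                hits.append((off, "Method 11: device name %s (%s)" % (name.decode(), label)))
    for path in REGISTRY_PATHS:
        for off in _find_all(blob, path):
            hits.append((off, "Method 13: registry path %s" % path.decode()))
    for m in VXDCALL_INT41.finditer(blob):
        hits.append((m.start(), "Method 12: VxDCall VWIN32_Int41Dispatch with AX=4Fh"))
    return sorted(hits)


# Constructed image fragment: padding, an ANSI device name, junk, a UTF-16 name,
# the push/push/call sequence with a dummy rel32, then a registry path
SAMPLE_IMAGE = (b"\x00" * 8
                + b"\\\\.\\SICE\x00"
                + b"junk"
                + _utf16(b"\\\\.\\NTICE")
                + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x10\x00\x00\x00"
                + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for off, what in scan_image(SAMPLE_IMAGE):
        print("%08X  %s" % (off, what))
```

A string hit is only an indicator: packed or encrypted protectors build the name at run time, which is why the BPX on CreateFileA with the 'SICE'/'SIWV'/'NTIC' condition above remains the reliable dynamic check.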

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag (the zero flag is set on return when no
debugger is installed).
</PRE></TD></TR></TBODY></TABLE>