About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks up the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h      ; magic number returned by system debuggers
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the original vector in bx:dx
    mov     ax,4fh
    int     41h                     ; only a system debugger can answer F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if the int reaches our handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = timer count, a hard-to-guess value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: something intercepted the int
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
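An added example (not from the original post): it applies the documented x86 DR7 bit layout to the two values quoted above, 0x700 with the SoftICE loader and 0x400 without, and to a constructed value with a memory breakpoint enabled, so the difference the check relies on is visible. The field layout is the standard one from the Intel manuals; the BPM_EXAMPLE value is constructed here.

```python
# Added example, not part of the original post: decode DR7 the way the
# Method 10 check reads it. Field layout is the documented x86 one.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the fields a BPM check looks at.

    bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
    bits 8, 9  LE, GE          exact-match bits a debugger sets
    bit 10     reserved, reads as 1 (hence the 0x400 baseline)
    bit 13     GD              trap on any access to a debug register
    bits 16-31 R/Wn, LENn      condition and length, 4 bits per breakpoint
    """
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            breakpoints.append({"reg": f"dr{n}", "global": bool(glob),
                                "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400), "gd": bool(dr7 & 0x2000),
            "breakpoints": breakpoints}

def looks_like_softice(dr7: int) -> bool:
    """The heuristic from the text: LE/GE set (0x700) or any DRn enabled."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or bool(d["breakpoints"])

# Constructed value: the 0x400 baseline plus DR1 enabled globally (G1, bit 3)
# as a 4-byte read/write breakpoint (R/W1 = 3 at bits 20-21, LEN1 = 3 at 22-23)
BPM_EXAMPLE = 0x400 | 0x8 | (3 << 20) | (3 << 22)   # == 0xF00408

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_EXAMPLE):
        print(f"dr7={value:#x}: {decode_dr7(value)}")
```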


__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE-style check: try to open the SoftICE Win9x driver by name.
   The open only succeeds when the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
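As an added example (not part of the original post, nor code from any of the tools it names), here is a small static scanner that looks for the byte patterns the methods above leave behind in a binary: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the F386h compare after int 41h or int 68h, the \\.\SICE-style driver names, the 002A002Ah VxDCall service and the registry key strings. The patterns assume the standard x86 encodings of those instructions; the sample bytes are constructed inline, not taken from a real program.

```python
"""Static scanner for the anti-SoftICE tricks catalogued in this post.

Added example, not from the original post or the tools it names.  It looks
for the byte patterns the methods above leave in a binary (standard x86
encodings) and reports which method each hit matches.  Sample is constructed.
"""
import re

def sig(pattern: bytes):
    return re.compile(pattern, re.S)   # DOTALL: gap wildcards also match 0x0A

# (method number in the text, description, byte pattern)
SIGNATURES = [
    ("01", "'BCHK' in ebp (mov ebp,4243484Bh) followed by int 3",
     sig(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC")),
    ("02", "back door: mov si,4647h / mov di,4A4Dh before int 3",
     sig(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,6}\xCC")),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     sig(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05", "int 41h function 4Fh, then cmp ax,0F386h",
     sig(rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,24}\x3D\x86\xF3")),
    ("07", "int 68h function 43h, then cmp ax,0F386h",
     sig(rb"\xB4\x43\xCD\x68\x3D\x86\xF3")),
    ("11", "MeltICE: SoftICE driver name passed to CreateFileA/_lopen",
     sig(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     sig(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key or loader path string",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.I)),
]

def scan(data: bytes):
    """Return [(method, offset, description)] for every hit, sorted by offset."""
    hits = [(method, m.start(), desc)
            for method, desc, pat in SIGNATURES
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def methods_found(data: bytes):
    """Distinct method numbers whose signature occurs in data."""
    return sorted({method for method, _, _ in scan(data)})

# Constructed sample: hand-assembled fragments, NOP-padded so offsets are easy
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 at 4
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                               # mov ax,911h; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                       # method 02 at 25
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"   # method 04 at 40
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # method 05 at 52
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # method 11 at 64
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # method 12 at 77
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"                      # method 13 at 97
)

if __name__ == "__main__":
    for method, off, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method}: {desc}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit only says the pattern is present, so confirm it in a disassembler before drawing conclusions.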