<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
    mov ax, 04h             ; BoundsChecker interface function
    int 3                   ; SoftICE intercepts this call when loaded
    cmp al,4                ; AL is still 4 if nobody handled the call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; still 0 if no VxD with that ID answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; int 41h/4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h          ; a system debugger answers with 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table (needed below)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (a plain iret)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; SoftICE still answers if it hooks int 41h itself
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: AX comes back unchanged
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port: an unpredictable AL
    xor cx,cx               ; CL = 0
    int 41h                 ; if SoftICE swallows int 41h, our handler never runs
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL == AL only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h           ; same magic number as int 41h/4Fh
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
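As an added illustration of the debug-register check in Method 10 (not part of the original text), this Python decoder takes the DR0-DR3 and DR7 values a ring-0 read would return and reports which hardware breakpoints are armed and which DR7 control bits are set. The bit layout is the documented x86 DR7 format; the snapshot values at the bottom are constructed.

```python
# Layout of DR7 (documented x86 debug-control register): bits 0-7 are the
# L0,G0..L3,G3 enables, bit 8 = LE, bit 9 = GE, bit 10 reads as 1, bit 13 = GD,
# and bits 16-31 hold an R/W + LEN pair for each of the four slots.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # 2 needs CR4.DE
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # 2 means 8 bytes on x86-64 only


def decode_dr7(dr7, dr0_3):
    """Return (control_flags, armed_breakpoints) for one register snapshot."""
    flags = [name for bit, name in ((0x100, "LE"), (0x200, "GE"), (0x2000, "GD"))
             if dr7 & bit]
    bps = []
    for slot, addr in enumerate(dr0_3):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue                      # slot is disarmed
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        bps.append({"slot": slot, "addr": addr, "kind": RW_KIND[rw],
                    "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return flags, bps


def classify(dr7, dr0_3):
    """What a Method-10 style read of the registers would conclude."""
    flags, bps = decode_dr7(dr7, dr0_3)
    if bps:
        return "hardware breakpoints armed"   # BPMs live in dr0-dr3
    if "LE" in flags or "GE" in flags:
        return "debugger control bits set"    # 0x700 = LE|GE plus bit 10
    return "clean"                            # 0x400 = only the fixed bit 10


# Constructed snapshot: a 4-byte write BPM on 0x401000 in slot 0 (L0 set),
# R/W0 = 01 (write), LEN0 = 11 (4 bytes), plus the always-set bit 10.
SNAPSHOT_DR7 = 0x000D0401
SNAPSHOT_DR0_3 = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    for dr7 in (0x400, 0x700, SNAPSHOT_DR7):
        print("dr7=%#x -> %s" % (dr7, classify(dr7, SNAPSHOT_DR0_3)))
```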

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

/* Returns TRUE when the SoftICE driver's device name can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE?
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
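An added example that is not part of the original text: a small Python scanner that looks through a raw code/data blob for the byte-level fingerprints of the checks listed above (the standard x86 encodings of the instructions shown, e.g. mov si,imm16 = BE iw, plus the MeltICE device names and the NuMega registry key), so an analyst can triage a packed sample for known anti-SoftICE tricks. The method numbers refer to the methods above; the sample bytes are constructed by hand.

```python
import re

# (method number from the text, description, byte pattern). An optional 66h
# operand-size prefix lets the 16-bit MOV forms also match in 32-bit code.
SIGNATURES = [
    ("01", "'BCHK' magic in EBP before INT 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.S)),
    ("03", "INT 2Fh/1684h with SICE VxD ID 0202h",
     re.compile(rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04", "INT 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     re.compile(rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    ("05", "INT 41h function 4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    ("07", "INT 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    ("11", "MeltICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}?"
                rb"\x68\x2A\x00\x2A\x00", re.S)),
    ("13", "SoftICE registry key name",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(blob):
    """Return [(method, description, offset)] for every hit, ordered by offset."""
    hits = [(method, desc, m.start())
            for method, desc, pat in SIGNATURES
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h[2])


def methods_found(blob):
    """Sorted, de-duplicated list of method numbers seen in the blob."""
    return sorted({h[0] for h in scan(blob)})


# Constructed sample: the Haspinst back-door loop, an int 41h/4Fh check,
# a MeltICE device name and the NuMega registry key, hand-assembled.
SAMPLE = (
    b"\xB8\x11\x09"          # mov ax,0911h
    b"\x8B\x17"              # mov dx,[bx]
    b"\xBE\x47\x46"          # mov si,4647h
    b"\xBF\x4D\x4A"          # mov di,4A4Dh
    b"\xCC"                  # int 3
    b"\x90\x90\x90\x90\x90\x90"
    b"\xB8\x4F\x00"          # mov ax,4Fh
    b"\xCD\x41"              # int 41h
    b"\x3D\x86\xF3"          # cmp ax,0F386h
    b"\x74\x10"              # jz SoftICE_detected
    b"\\\\.\\SICE\x00"       # '\\.\SICE',0
    b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for method, desc, off in scan(SAMPLE):
        print("offset %#06x: method %s (%s)" % (off, method, desc))
```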
</PRE></TD></TR></TBODY></TABLE>