<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a 'random' value from the timer (port 40h)
        xor cx,cx
        int 41h                 ; if our handler runs, cl == al afterwards
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if int 41h was intercepted, cl was never set
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
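Methods 01 to 07 above all boil down to short, fixed instruction sequences (magic immediates followed by an int 3, int 2Fh, int 41h or int 68h), so an analyst can find them statically in a sample before running it under a debugger. The following scanner is an added example and not part of the original text: it hand-encodes each sequence as a byte pattern (with the 66h operand-size prefix optional so that both 16-bit and 32-bit code segments match), scans a buffer and reports every hit. The sample buffer is constructed here from the Haspinst.exe listing of method 02 plus hand-assembled copies of the other sequences; the pattern names and the byte encodings are mine.

```python
"""Static scan for the SoftICE-detection instruction sequences of methods 01-07."""
import re

# name -> regex over raw bytes.  Each group of bytes is one instruction;
# (?:\x66)? makes the 66h operand-size prefix optional (16-bit vs 32-bit code).
SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    "method01_boundschecker": rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC\x3C\x04",
    # method 02: mov si,4647h / mov di,4A4Dh, then an int 3 within a few bytes
    "method02_int3_backdoor": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    # methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "method03_04_vxd_entry": rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "method05_int41_4f": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3",
    # method 07: mov ah,43h / int 68h
    "method07_int68": rb"\xB4\x43\xCD\x68",
    # weaker indicator shared by methods 05/06/07: cmp ax,0F386h on its own
    "magic_f386_compare": rb"(?:\x66)?\x3D\x86\xF3",
}
WEAK = {"magic_f386_compare"}


def scan(buf: bytes):
    """Return sorted (offset, signature name) pairs for every hit in buf.
    A weak hit that lies inside a full-sequence hit is dropped as redundant."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), m.end(), name))
    strong_spans = [(s, e) for s, e, n in hits if n not in WEAK]
    result = []
    for s, e, n in hits:
        if n in WEAK and any(ss <= s < ee for ss, ee in strong_spans):
            continue
        result.append((s, n))
    return sorted(result)


# Constructed sample: the Haspinst.exe loop from method 02, hand-assembled
# from the listing (relative jump displacements computed from the addresses).
HASPINST_LOOP = bytes([
    0xB8, 0x11, 0x09,       # 0095 MOV AX,0911
    0x8B, 0x17,             # 0098 MOV DX,[BX]
    0xBE, 0x47, 0x46,       # 009A MOV SI,4647
    0xBF, 0x4D, 0x4A,       # 009D MOV DI,4A4D
    0xCC,                   # 00A0 INT 3
    0x83, 0xC3, 0x02,       # 00A1 ADD BX,02
    0x41,                   # 00A4 INC CX
    0x83, 0xF9, 0x06,       # 00A5 CMP CX,06
    0x72, 0xEB,             # 00A8 JB 0095
    0xE9, 0x55, 0xFF,       # 00AA JMP 0002
    0x8B, 0xDC,             # 00AD MOV BX,SP
])

# Constructed sample buffer: filler, the loop above, then one copy of each
# other sequence (method 01 as 32-bit code, 04 as 16-bit, 05 as 32-bit, 07).
SAMPLE = (
    b"\x90" * 4
    + HASPINST_LOOP
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"
    + b"\xB4\x43\xCD\x68\x66\x3D\x86\xF3"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The lone `cmp ax,0F386h` pattern is deliberately kept separate and marked weak: three bytes are a poor signature on their own, but they are the one thing methods 05, 06 and 07 (and method 12 below) have in common, so a hit that no full sequence explains is still worth a look by hand.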

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler (DS must hold its segment)
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
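The two dr7 values quoted for method 10 are easier to reason about once the register is broken into its fields: bit 10 is reserved and always reads 1 (hence 0x400 as the idle value), bits 8 and 9 are the LE/GE "exact breakpoint" enables (0x700 is 0x400 with both set), and the L/G bits in the low byte plus the R/W and LEN fields from bit 16 up describe the four hardware breakpoints that a BPM sets. The decoder below is an added example, not part of the original text; the field layout is the standard x86 one from the Intel manuals, and the function and field names are mine.

```python
"""Decode the x86 DR7 debug-control register as method 10 reads it."""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding: 00 = 1 byte, 01 = 2 bytes, 10 = 8 bytes (64-bit mode only), 11 = 4 bytes
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints and the global flags held in dr7."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3 are bits 0, 2, 4, 6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3 are bits 1, 3, 5, 7
        if not (local or glob):
            continue                              # slot i is not enabled
        rw = (dr7 >> (16 + 4 * i)) & 0b11         # R/Wi: two bits per slot from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 0b11         # LENi: the two bits after R/Wi
        slots.append({"slot": i,
                      "scope": "global" if glob else "local",
                      "type": RW_TYPES[rw],
                      "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),     # general detect: traps any MOV to a DRn
    }


def classify(dr7: int) -> str:
    """Summarise a dr7 value the way method 10 interprets it."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        kinds = ", ".join(f"dr{b['slot']} {b['type']}/{b['length']}"
                          for b in d["breakpoints"])
        return f"hardware breakpoints armed: {kinds}"
    if d["LE"] and d["GE"]:
        return "no breakpoints, LE/GE set (the 0x700 state seen under the SoftICE loader)"
    return "no breakpoints, default state (0x400)"


if __name__ == "__main__":
    # Constructed values: the two from the text, a BPM-style global read/write
    # breakpoint in slot 1, and a local 4-byte write watch in slot 0.
    for value in (0x400, 0x700, 0x300408, 0xD0401):
        print(f"dr7={value:#x}: {classify(value)}")
```

Reading dr7 needs ring 0 (a MOV from a debug register faults in ring 3), so a program doing this on Win9x is already running privileged code; that is also why clearing the registers, as the text mentions, works from the same place.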

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06), but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
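The conditional breakpoints of methods 11 and 13 all use the same trick: SoftICE compares the dword at some address against a 4-character constant, and the author picked the offset at which four distinctive characters sit inside the string the program passes (`'SICE'` four bytes into `\\.\SICE`, `'tICE'` 0x13 bytes into `Software\NuMega\SoftICE` and 0x37 bytes into the Uninstall key). The helper below is an added example and not part of the original text: it derives those offsets and rebuilds the two BPX expressions quoted above from the strings themselves, so a reader can check the conditions (or adapt them to another string) instead of counting characters by hand. The function names are mine; the stack offsets (`esp->4` for the first argument of CreateFileA, `esp->8` for the second argument of RegOpenKey) follow the stdcall convention the page's expressions rely on.

```python
"""Derive the 4-byte tags and offsets behind SoftICE 'if *(ptr+N)=='xxxx'' conditions."""

# Strings probed by MeltICE-style checks (method 11) and registry checks (method 13).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_SUBKEYS = [
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
]


def tag_at(s: str, offset: int) -> str:
    """The 4 characters a dword read at s+offset is compared against."""
    if offset < 0 or offset + 4 > len(s):
        # A condition whose tag runs past the string can never match: flag it.
        raise ValueError(f"tag offset {offset:#x} runs past the end of {s!r}")
    return s[offset:offset + 4]


def tag_dword(tag: str) -> int:
    """Little-endian dword value of a tag, i.e. what *(ptr)=='SICE' really tests."""
    return int.from_bytes(tag.encode("ascii"), "little")


def find_tag_offset(s: str, tag: str) -> int:
    """Offset of tag inside s (-1 if absent): the +N to use in a condition."""
    return s.find(tag)


def bpx_condition(api: str, arg_index: int, probes) -> str:
    """Build 'BPX api if *(esp->A+N)=='tag' || ...' from (string, offset) pairs.
    A = 4*arg_index is the stack slot of the pointer argument (esp->4 = first arg)."""
    arg = 4 * arg_index
    clauses = []
    for s, offset in probes:
        clause = f"*(esp->{arg:x}+{offset:#x})=='{tag_at(s, offset)}'"
        if clause not in clauses:        # two strings may share a tag and offset
            clauses.append(clause)
    return f"BPX {api} if " + " || ".join(clauses)


# First argument of CreateFileA: the device path, tag 4 bytes in (after '\\.\').
CREATEFILE_BPX = bpx_condition("CreateFileA", 1, [(s, 4) for s in DEVICE_NAMES])

# Second argument of RegOpenKey: the subkey; locate 'tICE' in each key by search.
REGOPENKEY_BPX = bpx_condition(
    "_regopenkey", 2,
    [(s, find_tag_offset(s, "tICE")) for s in REGISTRY_SUBKEYS])

if __name__ == "__main__":
    print(CREATEFILE_BPX)
    print(REGOPENKEY_BPX)
    print(f"'SICE' as a dword: {tag_dword('SICE'):#010x}")
```

Why `'tICE'` rather than `'Soft'`: the compare covers only four bytes, and `Soft` also begins `Software`, so the tail of `SoftICE` is the part that is distinctive inside both subkey strings.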


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>