<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al is changed only if SoftICE answers the BCHK call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command; the command string is at ds:dx)
    -AX = 0912h (Get breakpoint info)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV AX,0911     ; execute command.
    4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A  MOV SI,4647     ; 1st magic value.
    4C19:009D  MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4  INC CX
    4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8  JB 0095         ; 6 different commands.
    4C19:00AA  JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...saving the old vector in BX:DX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; if a system debugger intercepts int 41h, our
    jz SoftICE_detected     ; handler never runs and ax comes back as 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl == al only if our handler actually ran
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):
    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds if the SICE driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025        ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

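Added here as an illustration, not from the original text nor from any program it quotes: a Python scanner that flags the byte patterns of the detection idioms from methods 01 to 05, 11, 12 and 13 in a raw binary, the way an analyst triages a protected sample before stepping through it. The instruction encodings (16-bit for the INT 3/2Fh/41h sequences, 32-bit for the 'BCHK' load and the VxDCall pushes), the wildcard gap sizes and the sample bytes are my assumptions.

```python
import re

# Static scanner for the SoftICE-detection idioms described above.  Each entry
# is (method label, regex over raw bytes).  Assumed encodings: 16-bit code for
# the INT 3 / INT 2Fh / INT 41h sequences, 32-bit for the 'BCHK' load and the
# VxDCall pushes.  The .{0,n} gaps absorb unrelated instructions in between.
SIGNATURES = [
    # mov ebp,04243484Bh (BD 4B 48 43 42) ... int 3 (CC)
    ("01 BoundsChecker 'BCHK' via INT 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    # mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order, ... int 3
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh) via INT 3",
     rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46).{0,8}\xCC"),
    # mov ax,1684h (B8 84 16); mov bx,0202h or 7A5Fh (BB ..); int 2Fh (CD 2F)
    ("03/04 INT 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F"),
    # mov ax,4Fh (B8 4F 00); int 41h (CD 41)
    ("05 INT 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,6}\xCD\x41"),
    # push 4Fh (6A 4F); push 002A002Ah (68 2A 00 2A 00) before VxDCall
    ("12 VWIN32_Int41Dispatch via VxDCall",
     rb"\x6A\x4F.{0,4}\x68\x2A\x00\x2A\x00"),
    # NUL-terminated driver names handed to CreateFileA / _lopen
    ("11 MeltICE driver name (SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # registry key #2 from method 13
    ("13 registry key Software\\NuMega\\SoftICE",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]

def scan(blob):
    """Return sorted (offset, method label) pairs for every signature hit."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

def methods_found(blob):
    """Distinct method labels present in blob, in order of first offset."""
    seen = []
    for _, name in scan(blob):
        if name not in seen:
            seen.append(name)
    return seen

# Constructed sample (not a real file): the Haspinst.exe INT 3 sequence quoted
# in method 02, the method 03 INT 2Fh sequence and a MeltICE driver name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # method 02 at 9
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # method 03 at 20
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                     # method 11 at 31
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  method {name}")
```

Run it over a whole file with `scan(open(path, "rb").read())`; a hit is a lead to set one of the SoftICE breakpoints listed above, not proof on its own, since the magic values can also occur in plain data.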
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>