About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

____________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es=0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect
(the handler copies AL into CL; when SoftICE is present it services int 41h
itself, so the program's handler never runs, CL stays 0 and differs from the
value read from port 40h):


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

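To show what the two DR7 values quoted above actually encode, here is an added example (not code from the article) that decodes DR7 using the standard x86 bit layout and applies the ring-0 check the text describes; the function names and the wording of the reasons are this example's own.

```python
"""Decode DR7 and apply the Method 10 check: LE/GE (bits 8-9) are what make
0x700 differ from the default 0x400 (bit 10 is always 1), and a hardware
breakpoint is live when DR0..DR3 holds an address and its enable bit is set.
Bit layout is the architectural DR7 layout; the heuristic is this example's."""

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the four per-register slots."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: traps MOV to/from DRx
        "slots": [],
    }
    for i in range(4):
        local_en = bool(dr7 & (1 << (2 * i)))       # L0..L3
        global_en = bool(dr7 & (1 << (2 * i + 1)))  # G0..G3
        rw = (dr7 >> (16 + 4 * i)) & 3              # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 3              # LEN0..LEN3
        info["slots"].append({
            "enabled": local_en or global_en,
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def softice_indicators(dr7: int, dr0_3) -> list:
    """Return the reasons Method 10 would flag a debugger, if any.

    dr0_3 is a list of the four address registers DR0..DR3 (constructed
    values in the tests below; a real check reads them in ring 0)."""
    d = decode_dr7(dr7)
    reasons = []
    if d["LE"] and d["GE"]:
        reasons.append("LE/GE set (dr7 0x700 vs 0x400): SoftICE loader signature")
    for i, (slot, addr) in enumerate(zip(d["slots"], dr0_3)):
        if slot["enabled"] and addr:
            reasons.append(f"DR{i} armed: {slot['kind']} len={slot['len']} at {addr:#x}")
    return reasons


if __name__ == "__main__":
    for dr7 in (0x400, 0x700, 0xF0401):
        print(f"dr7={dr7:#x}: {softice_indicators(dr7, [0x401000, 0, 0, 0]) or 'clean'}")
```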
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
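For an analyst triaging a sample, the constants the article lists are useful static indicators. The following scanner is an added example, not code from the article: it searches a raw binary for the BCHK handshake (Method 01), the int 3 back door magic values (Method 02), the int 2Fh/1684h VxD ID probes (Methods 03/04), the int 41h/4Fh and int 68h/43h checks (Methods 05/07), the VxDCall Int41Dispatch variant (Method 12), the driver device names (Method 11), the registry key (Method 13) and the 0F386h compare. The byte encodings are standard x86; the signature list, label names and sample bytes are this example's own.

```python
import re

# (label, regex over raw bytes).  Immediates are little-endian; the optional
# 0x66 operand-size prefix covers the same instruction assembled in a 32-bit
# code segment.  Signatures assume the instructions are adjacent, as in the
# article's listings; a reordered or padded sequence would not match.
SIGNATURES = [
    ("M01 BCHK int 3 handshake", rb"\xbd\x4b\x48\x43\x42"),     # mov ebp,4243484Bh ('BCHK')
    ("M02 int 3 back door magic", rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),  # mov si,4647h / mov di,4A4Dh
    ("M03 int 2Fh VxD ID 0202h", rb"\xbb\x02\x02\xcd\x2f"),     # mov bx,0202h / int 2Fh
    ("M04 int 2Fh VxD ID 7A5Fh", rb"\xbb\x5f\x7a\xcd\x2f"),     # mov bx,7A5Fh / int 2Fh
    ("M05 int 41h fn 4Fh", rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),  # mov ax,4Fh / int 41h
    ("M07 int 68h fn 43h", rb"\xb4\x43\xcd\x68"),               # mov ah,43h / int 68h
    ("M11 driver device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),  # "\\.\SICE" etc.
    ("M12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),    # push 4Fh / push 002A002Ah
    ("M13 registry key", rb"Software\\NuMega\\SoftICE"),
    ("0F386h magic compare", rb"(?:\x66)?\x3d\x86\xf3"),        # cmp ax,0F386h
]


def scan(blob: bytes):
    """Return (offset, label) for every signature occurrence, sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in re.finditer(pat, blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(blob: bytes):
    """Distinct tricks present in the blob, for a quick triage verdict."""
    return sorted({label for _, label in scan(blob)})


# Constructed sample: fragments from the article, hand-assembled and padded
# with NOPs.  Not a real binary.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"                       # mov ebp,4243484Bh ('BCHK')
    + b"\xb8\x04\x00\xcc\x3c\x04"                    # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\x66\xb8\x4f\x00\xcd\x41\x66\x3d\x86\xf3"    # 32-bit: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                            # CreateFileA target string
    + b"Software\\NuMega\\SoftICE\x00"              # registry key string
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```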