<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It checks for the BoundsChecker signature that SoftICE answers to:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4 ; SoftICE's int 3 handler changes al when it sees 'BCHK'
 jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 when no VxD answers
 jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; added: es = 0 so es:[41h*4] addresses the IVT
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap our own handler into the int 41h vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; arbitrary value (PIT counter) to be echoed back
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; our handler copies al into cl; if int 41h was intercepted
 jnz SoftICE_detected ; before reaching the IVT vector, cl is still 0

__________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
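The following Python snippet is an added example, not code from the article: it decodes a DR7 value field by field so the two numbers quoted above can be read off (0x700 = LE + GE + the always-set reserved bit 10, no breakpoint slot enabled; 0x400 = the reserved bit alone). The bit layout is the standard x86 DR7 layout from the Intel manuals; the type and function names are mine, and the third sample value (one write breakpoint on DR0) is constructed here.

```python
# Added example, not part of the original article: decode the x86 DR7 debug
# control register so the values quoted above (0x700 with the SoftICE loader,
# 0x400 otherwise) can be read field by field. Bit positions follow the Intel
# SDM description of DR7; the 0x700/0x400 values are the article's observation.

from dataclasses import dataclass
from typing import List

# RW field encoding (bits 16-17, 20-21, 24-25, 28-29)
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field encoding (bits 18-19, 22-23, 26-27, 30-31); 0b10 means 8 bytes in 64-bit mode
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass(frozen=True)
class Dr7Breakpoint:
    index: int           # which of DR0..DR3 this slot refers to
    local_enable: bool   # L<i> bit (bit 2*i)
    global_enable: bool  # G<i> bit (bit 2*i+1)
    kind: str            # RW<i> decoded
    length: int          # LEN<i> decoded, in bytes


@dataclass(frozen=True)
class Dr7:
    raw: int
    breakpoints: List[Dr7Breakpoint]
    le: bool  # bit 8: local exact breakpoint enable
    ge: bool  # bit 9: global exact breakpoint enable
    gd: bool  # bit 13: general detect (trap on MOV to/from DR0..DR7)


def decode_dr7(value: int) -> Dr7:
    """Split a DR7 value into its four breakpoint slots and control bits."""
    slots = []
    for i in range(4):
        local = bool((value >> (2 * i)) & 1)
        glob = bool((value >> (2 * i + 1)) & 1)
        rw = (value >> (16 + 4 * i)) & 0b11
        ln = (value >> (18 + 4 * i)) & 0b11
        slots.append(Dr7Breakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return Dr7(
        raw=value,
        breakpoints=slots,
        le=bool((value >> 8) & 1),
        ge=bool((value >> 9) & 1),
        gd=bool((value >> 13) & 1),
    )


def active_breakpoints(value: int) -> List[int]:
    """Indices of DR0..DR3 that this DR7 enables (locally or globally)."""
    return [bp.index for bp in decode_dr7(value).breakpoints
            if bp.local_enable or bp.global_enable]


def describe_dr7(value: int) -> str:
    """One-line summary, e.g. for a ring0 debug log line."""
    d = decode_dr7(value)
    parts = []
    for bp in d.breakpoints:
        if bp.local_enable or bp.global_enable:
            scope = ("L" if bp.local_enable else "") + ("G" if bp.global_enable else "")
            parts.append(f"DR{bp.index}:{scope}:{bp.kind}/{bp.length}B")
    flags = [name for name, on in (("LE", d.le), ("GE", d.ge), ("GD", d.gd)) if on]
    # bit 10 reads as 1 on real hardware; a 0 there means the value was not read from a CPU
    bit10 = "bit10=1" if (value >> 10) & 1 else "bit10=0(!)"
    return f"DR7={value:#x} [{' '.join(parts) or 'no breakpoints'}] flags={','.join(flags) or 'none'} {bit10}"


if __name__ == "__main__":
    # 0xD0001 is a constructed value: L0 set, RW0=write, LEN0=4 bytes
    for v in (0x700, 0x400, 0x000D0001):
        print(describe_dr7(v))
```

Read this way, the loader-vs-no-loader difference the article reports is only the LE and GE bits; neither value enables a breakpoint slot, which is why the check is about SoftICE's presence rather than about a particular BPM.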

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* the driver accepts the open only when the SICE VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
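The following Python scanner is an added example, not code from the article or from any of the programs it describes: it searches a raw byte blob (a file section, a memory dump) for the byte patterns of Method 01 (mov ebp,'BCHK' followed by int 3), Method 02 (mov si,4647h / mov di,4A4Dh followed by int 3) and Method 11 (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names), which is the static counterpart of the BPX lines above when triaging a packed sample. The instruction encodings are standard x86 (BD/BE/BF immediate moves, CC for int 3, 66h operand-size prefix), the constants are the article's, and the sample blob at the end is constructed here.

```python
# Added example, not part of the original article: a static scanner for the
# anti-SoftICE byte patterns of Methods 01, 02 and 11. Encodings are standard
# x86: mov ebp,imm32 = BD, mov si,imm16 = BE, mov di,imm16 = BF, int 3 = CC,
# 66h = operand-size prefix (needed for mov ebp in 16-bit code).

import re
from dataclasses import dataclass
from typing import Iterator, List


@dataclass(frozen=True)
class Finding:
    offset: int
    method: str
    detail: str


# Method 01: mov ebp, 04243484Bh ('BCHK') ... int 3. The immediate is stored
# little-endian, so the byte stream reads BD 4B 48 43 42 (66 BD ... in 16-bit code).
BCHK_MOV_EBP = re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")

# Method 02: the SoftICE back door magic values SI=4647h and DI=4A4Dh loaded
# with mov si / mov di, followed by int 3.
MAGIC_MOV_SI = re.compile(rb"\x66?\xbe\x47\x46")
MAGIC_MOV_DI = re.compile(rb"\x66?\xbf\x4d\x4a")

INT3 = b"\xcc"

# Method 11 (MeltICE and its _lopen variant): device names passed to
# CreateFileA / _lopen, stored as plain ASCII in the binary.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _all_offsets(data: bytes, needle: bytes) -> Iterator[int]:
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan(data: bytes, window: int = 16) -> List[Finding]:
    """Return every anti-SoftICE pattern found in `data`, sorted by offset.

    `window` is how many bytes after the magic load the int 3 may still be;
    the article's listings have it within 4 bytes, 16 tolerates a few
    interleaved instructions.
    """
    findings = []

    for m in BCHK_MOV_EBP.finditer(data):
        if INT3 in data[m.end():m.end() + window]:
            findings.append(Finding(m.start(), "01", "BoundsChecker 'BCHK' int 3 probe"))

    for m in MAGIC_MOV_SI.finditer(data):
        tail = data[m.end():m.end() + window]
        if MAGIC_MOV_DI.search(tail) and INT3 in tail:
            findings.append(Finding(m.start(), "02", "SoftICE back door (SI=4647h, DI=4A4Dh) int 3"))

    for name in DEVICE_NAMES:
        for pos in _all_offsets(data, name):
            findings.append(Finding(pos, "11", "driver device name " + name.decode("ascii")))

    return sorted(findings, key=lambda f: (f.offset, f.method))


# Constructed sample, not a real file: 16-bit code using Method 01, then the
# Haspinst-style Method 02 sequence from the article, then a MeltICE string.
SAMPLE_BLOB = (
    b"\x90" * 16                    # filler
    + b"\x66\xbd\x4b\x48\x43\x42"    # mov ebp,4243484Bh (offset 16)
    + b"\xb8\x04\x00"                # mov ax,4
    + b"\xcc"                        # int 3
    + b"\x3c\x04\x75\x10"            # cmp al,4 / jnz
    + b"\x90" * 8                    # filler
    + b"\xb8\x11\x09"                # mov ax,0911h (offset 38)
    + b"\x8b\x17"                    # mov dx,[bx]
    + b"\xbe\x47\x46"                # mov si,4647h (offset 43)
    + b"\xbf\x4d\x4a"                # mov di,4A4Dh
    + b"\xcc"                        # int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"             # "\\.\SICE" (offset 54)
)


if __name__ == "__main__":
    for f in scan(SAMPLE_BLOB):
        print(f"{f.offset:#06x}  method {f.method}  {f.detail}")
```

The magic-value loads are only reported when an int 3 follows within the window, so a stray 4647h constant in data does not trigger Method 02; the device-name strings are reported wherever they occur, since their presence alone is what the CreateFileA / _lopen breakpoints above key on.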


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((
Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>