<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=04h, SoftICE handles the INT 3 itself and changes AL, so if AL is no
longer 4 afterwards the debugger is loaded.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is zeroed beforehand, so it is still
0 after the call if no VxD with that ID is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler that just does IRET, so the only way AX can come back as 0F386h is
if something intercepts the interrupt before it reaches the vector table:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
since neither 4Fh nor 0F386h appears in the code: AL is loaded from timer
port 40h (an unpredictable value), the dummy handler copies AL into CL, and
if CL != AL afterwards the call was intercepted on its way to the handler:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the SoftICE
   VxD is loaded and answers the open request (see below). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips
 the "\\.\" prefix):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

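As an added example (not part of this text), here is a small Python scanner that looks for the byte encodings of the instruction sequences shown for methods 01 to 07 and 12 in a raw binary, so a packed sample can be triaged for these checks without running it. The signature table and the sample buffer are constructed here; the 16-bit/32-bit encodings are the ones the listings above imply, and the wildcard byte covers the jnz displacement of method 01.

```python
"""Static triage scanner for the SoftICE checks described in this text.

Added example (not from the original document): it looks for the byte
encodings of the instruction sequences shown for methods 01-07 and 12 in
a raw binary, so a packed sample can be flagged without executing it.
The SIGNATURES table and the SAMPLE buffer are constructed here.
"""
from __future__ import annotations
from typing import Optional

# A signature is a list of bytes; None is a wildcard (e.g. a jump displacement).
SIGNATURES: dict[str, list[Optional[int]]] = {
    # 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz rel8  (32-bit)
    "01 BCHK int3": [0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00,
                     0xCC, 0x3C, 0x04, 0x75, None],
    # 02: mov si,4647h / mov di,4A4Dh / int 3  ('magic values', 16-bit)
    "02 backdoor magic": [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC],
    # 03: mov ax,1684h / mov bx,0202h / int 2Fh  (SICE VxD ID, 16-bit)
    "03 int2F SICE": [0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F],
    # 04: same with bx,7A5Fh  (SIWVID VxD ID)
    "04 int2F SIWVID": [0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F],
    # 05: mov ax,4Fh / int 41h / cmp ax,0F386h  (16-bit)
    "05 int41 F386": [0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3],
    # 07: mov ah,43h / int 68h / cmp ax,0F386h  (16-bit)
    "07 int68 F386": [0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3],
    # 12: push 4Fh / push 2A002Ah  (VWIN32_Int41Dispatch via VxDCall, 32-bit);
    #     the call that follows is left out because its encoding varies.
    "12 VxDCall Int41Dispatch": [0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00],
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every match, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for off in range(len(blob) - len(pat) + 1):
            if all(p is None or blob[off + i] == p for i, p in enumerate(pat)):
                hits.append((name, off))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: NOP padding around the Method 01 and 05 sequences and
# the two pushes of Method 12, as an unpacker stub might lay them out.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("BD4B48434266B80400CC3C047502")   # method 01, jnz +2
    + b"\x90" * 5
    + bytes.fromhex("B84F00CD413D86F37410")           # method 05, jz +10h
    + b"\x90" * 3
    + bytes.fromhex("6A4F682A002A00")                 # method 12 pushes
    + b"\xC3"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```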
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>