<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WinICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax          ; ES:DI stays 0000:0000 if no such VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler (ES must be 0,
    xchg bx, es:[41h*4+2]       ; the interrupt vector table); old vector in BX:DX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler returns AX unchanged, so 0F386h
    jz SoftICE_detected         ; means somebody else answered the interrupt

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler: copy AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0, the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; hard-to-predict byte read from the timer port
    xor cx,cx
    int 41h                 ; our handler should set CL = AL...
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected    ; ...if it didn't, something intercepted int 41h

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
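Because the Debug Registers are the whole story in this trick, here is an
added example (Python, not part of the original text) that decodes a DR7
value into its fields using the bit layout from the Intel manual. Run on the
two values quoted above, it shows that 0x400 is nothing but reserved bit 10,
which always reads as 1, and that 0x700 adds the LE and GE exact-breakpoint
bits, while a DR7 with any Ln/Gn bit set means a hardware breakpoint is
really armed. The armed sample value is constructed, and the function names
are mine.

```python
"""Decode and compose x86 DR7 values (added example with constructed sample values)."""

# Field encodings from the Intel SDM vol. 3, "Debug Registers".
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes only on 64-bit CPUs
RESERVED_BIT10 = 0x400                              # always reads as 1: the idle DR7 value


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its fields.

    bits 0-7    L0,G0 ... L3,G3   local / global enable for DR0..DR3
    bit 8       LE                local exact breakpoint enable
    bit 9       GE                global exact breakpoint enable
    bit 10      reserved, reads as 1
    bit 13      GD                general detect: trap any MOV to/from a DRn
    bits 16-31  R/W0,LEN0 ... R/W3,LEN3   condition and length, 2 bits each
    """
    bps = []
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append({
            "index": i,
            "local": bool((dr7 >> (2 * i)) & 1),
            "global": bool((dr7 >> (2 * i + 1)) & 1),
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": bps,
        "active": [b["index"] for b in bps if b["local"] or b["global"]],
    }


def arm_breakpoint(dr7: int, index: int, condition: str, length: int,
                   global_: bool = False) -> int:
    """Return dr7 with slot `index` (0-3) enabled for `condition` on `length` bytes."""
    if condition == "execute" and length != 1:
        raise ValueError("execute breakpoints must use length 1")
    rw = {v: k for k, v in RW_NAMES.items()}[condition]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index + (1 if global_ else 0))
    slot = 16 + 4 * index
    cleared = dr7 & ~(0b1111 << slot)            # drop the slot's old condition/length
    return cleared | (rw | (ln << 2)) << slot | enable | RESERVED_BIT10


def summarize(dr7: int) -> str:
    """One-line reading of a DR7 value, in the terms Method 10 above uses."""
    d = decode_dr7(dr7)
    if d["active"]:
        slots = ", ".join(f"DR{i}" for i in d["active"])
        return f"hardware breakpoints armed on {slots}"
    if d["le"] or d["ge"]:
        return "no breakpoints armed, but the LE/GE exact-breakpoint bits are set"
    return "idle: only the always-set reserved bit 10"


def demo() -> dict:
    """The two values quoted in Method 10 plus one constructed armed value."""
    armed = arm_breakpoint(0x400, 0, "write", 4)      # a 4-byte write watchpoint on DR0
    return {hex(v): summarize(v) for v in (0x400, 0x700, armed)}


if __name__ == "__main__":
    for value, reading in demo().items():
        print(f"{value:>8}  {reading}")
```

Reading DR7 through this decoder rather than comparing it against a single
constant is what separates "a debugger is present" from "a BPM is set on
this address", which is exactly the distinction the paragraph above draws.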

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
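Taken together, methods 01 to 13 come down to a short list of byte
sequences and strings, so here is an added example (Python, not from the
original text) that scans a raw buffer for them the way a packer-triage
script would. The code patterns are the 16-bit encodings of the listings
above, with an optional 0x66 operand-size prefix accepted so the same
instructions in 32-bit code also match; the driver names of method 11 are
matched as narrow and wide strings, and the registry keys of method 13 as
strings. SAMPLE is a constructed buffer assembled by hand for the test, not
taken from any real binary, and the function and pattern names are mine.

```python
"""Static triage: flag the SoftICE-detection idioms listed above in a raw buffer.

Added example, not code from the original text. SAMPLE is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    offset: int
    method: str   # which numbered method the idiom belongs to
    note: str


def _code(pattern: bytes):
    # DOTALL so `.` also matches 0x0A inside the "a few bytes between" gaps
    return re.compile(pattern, re.DOTALL)


# Hand-assembled encodings of the sequences quoted in the methods above;
# immediates are little-endian and \x66? allows the 32-bit operand-size prefix.
CODE_PATTERNS = [
    ("Method 01", "mov ebp,4243484Bh ('BCHK') BoundsChecker probe",
     _code(rb"\xBD\x4B\x48\x43\x42")),
    ("Method 02", "mov si,4647h / mov di,4A4Dh back door magic values",
     _code(rb"\x66?\xBE\x47\x46.{0,4}?\x66?\xBF\x4D\x4A")),
    ("Method 03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     _code(rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F")),
    ("Method 04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     _code(rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F")),
    ("Method 05/06", "mov ax,4Fh followed by int 41h",
     _code(rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41")),
    ("Method 05/07/12", "cmp ax,0F386h system-debugger magic number",
     _code(rb"\x66?\x3D\x86\xF3")),
    ("Method 07", "mov ah,43h / int 68h V86 handler check",
     _code(rb"\xB4\x43\xCD\x68")),
    ("Method 12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     _code(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]               # Method 11
REGISTRY_KEYS = [r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                 r"App Paths\Loader32.Exe"]                              # Method 13


def _string_patterns():
    pats = []
    for method, names in (("Method 11", DEVICE_NAMES), ("Method 13", REGISTRY_KEYS)):
        for name in names:
            for enc in ("ascii", "utf-16-le"):   # narrow and wide string variants
                rx = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
                pats.append((method, f"{name!r} as {enc}", rx))
    return pats


STRING_PATTERNS = _string_patterns()


def scan(buf: bytes) -> list:
    """Return every match as a Finding, ordered by offset."""
    findings = []
    for method, note, rx in CODE_PATTERNS + STRING_PATTERNS:
        for m in rx.finditer(buf):
            findings.append(Finding(m.start(), method, note))
    return sorted(findings, key=lambda f: (f.offset, f.method))


# Constructed sample buffer: nop/zero padding around hand-assembled copies of
# the sequences quoted above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01, 32-bit code
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02, 16-bit code
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # Method 05
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                          # Method 11, narrow
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"            # Method 11, wide
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)


def scan_sample() -> list:
    return scan(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.offset:#06x}  {f.method:16} {f.note}")
```

A hit on the shared 'cmp ax,0F386h' pattern alone is weak evidence, which is
why it is reported as its own finding: it should be weighed against the
int 41h, int 68h or VxDCall sequence it normally sits next to, as in the
sample above, where it follows the method 05 call at the adjacent offset.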

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>