About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's handling of the BoundsChecker signature: with 'BCHK'
in ebp and ax=4, SoftICE's int 3 handler recognises the request and changes
al, so al != 4 on return means the debugger is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
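As an added example (not part of the original text), here is a Python scanner that finds the two int 3 sequences above in raw code bytes: the 'BCHK' check of Method 01 and the FG/JM back-door call of Method 02, decoding which back-door function (the AX value) the latter requests. The byte encodings are hand-assembled from the listings, with an optional 66h prefix so the same instructions are found in 32-bit code; the sample buffer is constructed and is not taken from Haspinst.exe.

```python
"""Static triage for the SoftICE int 3 tricks (Methods 01 and 02).

Added example: finds the 'BCHK' check and the FG/JM back-door call in raw
code bytes and names the back-door function requested in AX.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Back-door function numbers passed in AX, as listed in the text above.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# Encodings: mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A ; int 3 = CC.
# The optional 66h operand-size prefix covers the same instructions assembled
# in a 32-bit code segment.
_MAGIC_SI = rb"\x66?\xBE\x47\x46"
_MAGIC_DI = rb"\x66?\xBF\x4D\x4A"
BACKDOOR_RE = re.compile(
    rb"(?:" + _MAGIC_SI + rb".{0,8}?" + _MAGIC_DI
    + rb"|" + _MAGIC_DI + rb".{0,8}?" + _MAGIC_SI + rb")"
    + rb".{0,16}?\xCC",                      # ... then int 3
    re.DOTALL,
)
# mov ax,09xxh = B8 xx 09 (low byte captured), optional 66h prefix.
MOV_AX_09XX_RE = re.compile(rb"\x66?\xB8(.)\x09", re.DOTALL)
# Method 01: mov ebp,4243484Bh = (66) BD 4B 48 43 42, then int 3 close by.
BCHK_RE = re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)


@dataclass
class Finding:
    offset: int
    method: str               # "01" or "02"
    function: Optional[int]   # AX value for Method 02, None otherwise
    description: str


def scan_int3_backdoor(data: bytes, lookback: int = 32) -> List[Finding]:
    """Return every BCHK / FG-JM int 3 sequence found in data, by offset."""
    findings: List[Finding] = []
    for m in BCHK_RE.finditer(data):
        findings.append(Finding(m.start(), "01", None,
                                "BoundsChecker 'BCHK' signature check"))
    for m in BACKDOOR_RE.finditer(data):
        # The function number is loaded into AX shortly before the magic
        # values; take the last 'mov ax,09xxh' in the preceding bytes.
        window = data[max(0, m.start() - lookback):m.start()]
        func: Optional[int] = None
        for ax in MOV_AX_09XX_RE.finditer(window):
            func = 0x0900 | ax.group(1)[0]
        desc = BACKDOOR_FUNCS.get(func, "unknown back-door function")
        findings.append(Finding(m.start(), "02", func, desc))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample (hand-assembled 16-bit code, not bytes from the real
# Haspinst.exe): the Method 01 check followed by the Haspinst loop above.
SAMPLE = bytes.fromhex(
    "90 90"                # filler
    "66 BD 4B 48 43 42"    # mov ebp, 4243484Bh   ('BCHK')
    "B8 04 00"             # mov ax, 4
    "CC"                   # int 3
    "3C 04"                # cmp al, 4
    "75 10"                # jnz SoftICE_Detected
    "90 90 90 90"          # filler
    "B8 11 09"             # mov ax, 0911h        ; execute command
    "8B 17"                # mov dx, [bx]
    "BE 47 46"             # mov si, 4647h        ; 'FG'
    "BF 4D 4A"             # mov di, 4A4Dh        ; 'JM'
    "CC"                   # int 3
    "83 C3 02"             # add bx, 2
    "41"                   # inc cx
    "83 F9 06"             # cmp cx, 6
    "72 EC"                # jb back
)

if __name__ == "__main__":
    for f in scan_int3_backdoor(SAMPLE):
        fn = "" if f.function is None else f" ax={f.function:04X}h"
        print(f"+{f.offset:04X} method {f.method}{fn}: {f.description}")
```

The magic values are matched in either order because the two movs can be swapped; the short byte windows between them keep a stray 'BE 47 46' in data from being reported unless an int 3 follows closely.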
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 when no VxD has that ID
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program swaps in its own int 41h
handler (a bare iret), so ax comes back unchanged unless a debugger
intercepted the interrupt and answered with 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; ES must be 0 (the IVT segment), as Method 06 sets it
    xchg    bx, es:[41h*4+2]       ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                  ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; throwaway value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The program's own handler only copies al into cl. If that handler is the one
that runs, cl equals al afterwards; if a debugger intercepts int 41h before
it, cl is never written and stays 0, so the mismatch reveals the debugger.
Nothing here compares against 4Fh or 0F386h, which is why it is harder to
catch with a breakpoint condition.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether there are memory breakpoints set (dr0 to dr3), simply by reading
their values (ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
      when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
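As an added example (not part of the original text), here is a Python scanner for the strings that MeltICE-style code (Method 11) and the registry probe (Method 13) must carry: the driver device names and the registry paths, in the ASCII form used by CreateFileA, _lopen and RegOpenKeyA and in the UTF-16LE form the W APIs take. It also reports the 4-character tag and offset that the SoftICE breakpoint conditions above compare, which is how the 0x13/0x37 offsets come about. The sample buffer is constructed, not taken from a real binary.

```python
"""Static triage for MeltICE-style probes (Method 11) and the registry-key
probe (Method 13).

Added example: finds the driver device names and registry paths such code
must carry, in the ASCII form used by CreateFileA/_lopen/RegOpenKeyA and the
UTF-16LE form the W APIs take, and reports the 4-character tag a SoftICE BPX
condition would compare.
"""
import re
from typing import List, NamedTuple, Tuple

# Driver device names from the text: SICE and SIWVID (Win9x), NTICE (NT).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
# HKEY_LOCAL_MACHINE subkeys #1, #2 and #3 from Method 13.
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


class Hit(NamedTuple):
    offset: int      # where the string starts in the scanned bytes
    kind: str        # "device" or "registry"
    encoding: str    # "ascii" or "utf-16le"
    value: str
    tag: str         # 4 chars a BPX condition compares ('SICE', 'tICE', ...)
    tag_offset: int  # character offset of that tag inside the string


def bpx_tag(value: str) -> Tuple[str, int]:
    """Return the 4-char tag and its offset, as the SoftICE conditions do.

    BPX CreateFileA if *(esp->4+4)=='SICE' skips the 4-byte "\\.\" prefix;
    BPX _regopenkey if *(esp->8+0x13)=='tICE' indexes into "SoftICE".
    """
    if value.startswith("\\\\.\\"):
        return value[4:8], 4
    i = value.find("SoftICE")
    if i >= 0:
        return value[i + 3:i + 7], i + 3
    return value[:4], 0


def scan_softice_strings(data: bytes) -> List[Hit]:
    """Return every SoftICE device name / registry key found in data."""
    hits: List[Hit] = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            tag, tag_off = bpx_tag(name)
            for enc in ("ascii", "utf-16le"):
                # Device and registry names are case-insensitive on Windows.
                pat = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
                for m in pat.finditer(data):
                    hits.append(Hit(m.start(), kind, enc, name, tag, tag_off))
    return sorted(hits)


# Constructed sample buffer (not from a real binary): an ASCII device name as
# pushed to CreateFileA or _lopen, a UTF-16LE one as a W call would use, and
# registry key #2.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"MZ junk \x90\x90"
    + "\\\\.\\NTICE".encode("utf-16le")
    + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan_softice_strings(SAMPLE):
        print(f"+{h.offset:04X} {h.kind:8} {h.encoding:8} {h.value!r} "
              f"tag={h.tag!r} at +0x{h.tag_offset:X}")
```

A program that builds the device name at run time (byte by byte, or from an XOR-encoded blob) will not show up here; for that case the CreateFileA / _regopenkey breakpoints above, which see the decoded argument, remain the reliable check.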

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>