<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:
        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________
" Y; z( ^- y' J& ^/ C: T6 y9 V1 F; b, Y+ z5 m8 k* U" f: y/ p3 v* a
' [+ x! W- D' F; N
Method 05
% u( W$ b n, Q" L0 y9 m8 Q( l=========' Z: k. t- F; L
6 q# z9 j1 n9 p. v2 sMethod seeking the 'magic number' 0F386h returned (in ax) by all system4 R" t: x3 L+ ?/ C, f& }3 [
debugger. It calls the int 41h, function 4Fh.: S. \1 c) k+ a: H7 F# P0 S6 j& N
There are several alternatives.
& b+ Q( z; N5 A& _% r3 V }
. B: J8 P! l2 |; j. H) v EThe following one is the simplest:9 _" U* `( l' `" m# C
7 n3 E4 B3 G- e( G" S; s
mov ax,4fh3 z l1 f" k) B# c! E. }5 K
int 41h
4 D7 |* N; E+ O$ b+ r6 Y cmp ax, 0F386
% e. |4 C" g6 s jz SoftICE_detected
) Y% H: Z: c( S# \9 v9 a9 t! U& ~& T9 M7 l0 X t' k
% M% Z1 R) i3 B& i1 x$ f. sNext method as well as the following one are 2 examples from Stone's " g$ {8 f; e6 @/ t. `8 t( G- |
"stn-wid.zip" (www.cracking.net):
, p' i$ q$ q- F6 y3 o5 u! m
! `# J4 ~. {% @0 B' ^: ~ mov bx, cs: X" M7 l- y3 T* G. u5 R: E
lea dx, int41handler2/ e3 k% l( f7 [# i. \
xchg dx, es:[41h*4]6 b% v8 g- a' K" a f. n. K4 ~! x
xchg bx, es:[41h*4+2]
$ w2 V% v+ k: S0 K5 ?7 E mov ax,4fh8 N8 X6 l" Q) {- A. J* w/ {
int 41h
: I- E: h+ D9 z" E7 y' H. I xchg dx, es:[41h*4]
8 v; r) h/ E( h1 _ xchg bx, es:[41h*4+2] j3 w; b4 u5 }: E: D' u# h5 W# U
cmp ax, 0f386h) r2 u6 u# E9 N
jz SoftICE_detected
0 G7 C: d# \0 s. ?9 } g- M/ G1 a/ t' L, ?
int41handler2 PROC
9 t3 M9 B# S5 u4 @! X! o iret: a* J! j3 B+ M: q7 x$ S k& A
int41handler2 ENDP! Q9 {- B! m: ^+ J6 [
- l5 c6 @: f: r4 R! k7 U
" K. X4 d% o5 T H( Z+ _4 ?6 e_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
" m! o0 o q& {. H3 X2 F7 V! ?3 o' ?1 j$ g9 x
Method 09
4 {1 p4 a$ @' l. a=========+ @+ A+ K/ t5 k' @+ Z/ g
+ w7 W0 Y6 P5 O1 V
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 R7 h! x, }# A P2 k y8 I) n: P
performed in ring0 (VxD or a ring3 app using the VxdCall).1 d1 @8 [ n0 e. z3 X
The Get_DDB service is used to determine whether or not a VxD is installed: f( t+ Y3 O, b" i/ }5 Q+ H. s2 C8 z% v
for the specified device and returns a Device Description Block (in ecx) for! f+ l/ L x6 f$ a$ z
that device if it is installed.
P; \2 U( F6 T6 J1 r% O9 j
' y: b! E8 O2 t+ `' z, ~ mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
# Z4 z' d% Z8 T; g mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)% h( y8 F5 `1 @ F/ i9 i7 N
VMMCall Get_DDB
3 n# ]* `& R1 I! p9 |4 A% M9 G mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed9 v5 H, k5 d; Z+ T w* O3 m @: w4 ?" H0 b
' r4 Q1 [8 D( h' g
Note as well that you can easily detect this method with SoftICE:
; a( w' L k$ ^$ G bpx Get_DDB if ax==0202 || ax==7a5fh& |1 r" N. S4 o: p7 x- F
z/ Y# ^6 x* e, ~; D% c& w$ o__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
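As an added example that is not part of the original text, the following Python decodes a DR7 value the way the Method 10 check reads it, so the two values quoted above (0x700 from the SoftICE loader, 0x400 otherwise) can be seen for what they are: bit 10 is a reserved bit that always reads as 1, and 0x700 additionally has the LE and GE "exact breakpoint" flags set. It goes beyond the text in decoding all four DR0-DR3 slots (scope, access kind, length) and in showing how a BPM changes DR7. The function names, the third sample value and the set_bpm helper are constructed here; the bit layout is the documented x86 one.

```python
"""Decode x86 DR7, the register the Method 10 anti-debug check reads.

Added example, not code from the original text. DR7 bit layout (Intel SDM
vol. 3, "Debug Registers"):
  bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
  bit  8     : LE  local exact breakpoint enable
  bit  9     : GE  global exact breakpoint enable
  bit  10    : reserved, always reads as 1  -> an untouched DR7 reads 0x400
  bit  13    : GD  general detect (#DB on any MOV to/from a debug register)
  bits 16-31 : R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3
"""

RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the flags and the armed hardware breakpoints encoded in DR7."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))
        global_en = bool(dr7 & (1 << (2 * n + 1)))
        if not (local_en or global_en):
            continue                      # DRn slot not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "index": n,
            "scope": "global" if global_en else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def debugger_indicators(dr7: int) -> list:
    """List what the Method 10 trick can infer from a DR7 value."""
    d = decode_dr7(dr7)
    hits = []
    # The text: 0x700 when started from the SoftICE loader (LE|GE set), 0x400 otherwise.
    if d["le"] and d["ge"]:
        hits.append("LE|GE set: SoftICE-loader signature described in the text")
    for bp in d["breakpoints"]:
        hits.append(f"DR{bp['index']} armed: {bp['scope']} {bp['kind']} len={bp['length']}")
    return hits


def set_bpm(dr7: int, index: int, kind: str, length: int, global_scope: bool = True) -> int:
    """Return DR7 with slot `index` programmed, i.e. what a memory breakpoint (BPM) does."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 |= 1 << (2 * index + (1 if global_scope else 0))   # Ln or Gn enable bit
    dr7 &= ~(0b1111 << (16 + 4 * index))                  # clear old R/Wn, LENn
    dr7 |= (rw | (ln << 2)) << (16 + 4 * index)
    return dr7


if __name__ == "__main__":
    # 0x400 and 0x700 come from the text; the third value is constructed:
    # 0x700 plus a 4-byte global read/write BPM in DR0.
    for value in (0x400, 0x700, set_bpm(0x700, 0, "read/write", 4)):
        print(hex(value), debugger_indicators(value) or ["nothing armed"])
```

Read this way, the check is a plain register read: the protector does not need SoftICE-specific knowledge, only the fact that a debugger leaves LE/GE set or DR0-DR3 armed, which is exactly why the text warns to clear breakpoints before tracing past it.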

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SoftICE VxD through its device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-((

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32)
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxdCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
( N" f+ }5 H, J0 `, z
* Q0 Z# ]' C3 v( u# F7 iMethod 13* r5 b M+ v+ z4 c4 B
=========# d3 w7 L( S7 z. K6 l% w+ z% N
( c" X4 D, S7 U- b/ G2 `4 X) T5 \
Not a real method of detection, but a good way to know if SoftICE is* t( B- v! J# E* c* l* ?. I1 J8 W
installed on a computer and to locate its installation directory. x1 E9 Q, P* e( F- V0 ?% b8 N
It is used by few softs which access the following registry keys (usually #2) :0 m! {" Y/ y) V6 [6 Z% l: d
* y4 f# E1 {6 N- D, X3 L-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. f4 D" p! g3 X& i3 T1 i5 U
\Uninstall\SoftICE+ j; ^6 a7 E @7 M
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE7 o# S1 M7 j2 s& E, x& k' m
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: U- ~( H6 d+ y
\App Paths\Loader32.Exe! ~; `3 ]7 R4 L
. v7 Z3 f2 }8 A( U: A8 ?
! `- d+ E' K" p3 F/ r) L4 G+ b& |
Note that some nasty apps could then erase all files from SoftICE directory
( S4 `/ ^- }( T; v3 v(I faced that once :-(% x7 m' d7 v) {# w, l
5 ?" U5 ?/ R X. {1 \
Useful breakpoint to detect it:2 V* t, J1 n# }" r4 @7 P
2 x7 n8 o$ k( g1 x: y BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'# y$ U0 T. M: Q+ f$ y
6 [2 z1 S- n1 b% u. E' H+ A
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
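The breakpoints given after each method only work while sitting in SoftICE. As an added example that is not part of the original text, the following Python does the same job statically from the analyst's side: it scans a binary for the byte-level idioms of Methods 01, 02, 03/04, 05/06, 07 and 12 (the `int 3`/'BCHK' check, the 4647h/4A4Dh back-door magic values, `int 2Fh/1684h` with the 0202h or 7A5Fh VxD IDs, `int 41h`/`int 68h` compared against 0F386h, the VWIN32_Int41Dispatch VxDCall) and for the device names and registry keys of Methods 11 and 13. The byte patterns are the standard x86 encodings of the instructions quoted on the page; the rule names and the SAMPLE buffer are constructed here.

```python
"""Static scanner for the SoftICE-detection idioms catalogued on this page.

Added example, not part of the original text: it flags code that tries to
detect SoftICE, for triaging protected or packed samples. Encodings are
plain x86 (16-bit code for the DOS-era checks; 32-bit for Methods 01 and 12).
"""
import re

# Opcode reference for the patterns below:
#   B8 iw  mov ax,imm16    BB iw  mov bx,imm16    BE/BF iw  mov si/di,imm16
#   3D iw  cmp ax,imm16    CD ib  int imm8        CC        int 3
#   B4 ib  mov ah,imm8     BD id  mov ebp,imm32   6A ib / 68 id  push imm8/imm32
#   66     operand-size prefix (16-bit operand inside 32-bit code)
# ".{0,N}?" tolerates a few unrelated instructions between the anchor bytes.
CODE_RULES = [
    ("bchk_int3", "Method 01: mov ebp,'BCHK' followed by int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    ("backdoor_magic", "Method 02: SI=4647h, DI=4A4Dh back-door magic values then int 3",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC"),
    ("int2f_get_entry", "Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"),
    ("int41_4f", "Method 05/06: int 41h function 4Fh compared against 0F386h",
     rb"\xB8\x4F\x00\xCD\x41.{0,24}?\x3D\x86\xF3"),
    ("int68_43", "Method 07: int 68h function 43h compared against 0F386h",
     rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("vxdcall_int41", "Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66\x3D\x86\xF3"),
]
# ASCII strings; UTF-16 variants are deliberately out of scope here.
STRING_RULES = [
    ("device_name", "Method 11 (MeltICE): CreateFile/_lopen on a SoftICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("registry_key", "Method 13: SoftICE installation registry key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def _compile(rules, flags):
    return [(name, desc, re.compile(pat, flags)) for name, desc, pat in rules]


# Byte rules are case-sensitive on purpose: 0x4B 'K' must not also match 'k'.
COMPILED = _compile(CODE_RULES, re.DOTALL) + _compile(STRING_RULES, re.DOTALL | re.IGNORECASE)


def scan(buf: bytes) -> list:
    """Return [(offset, rule_name, description), ...] sorted by offset."""
    hits = []
    for name, desc, pat in COMPILED:
        for m in pat.finditer(buf):
            hits.append((m.start(), name, desc))
    return sorted(hits)


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: one hand-assembled instance of each idiom, NOP-padded.
M01 = b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04" b"\x75\x10"  # 14 bytes
M02 = b"\xB8\x11\x09" b"\x8B\x17" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC"          # 12 bytes
M03 = (b"\x31\xFF" b"\x8E\xC7" b"\xB8\x84\x16" b"\xBB\x02\x02" b"\xCD\x2F"
       b"\x8C\xC0" b"\x01\xF8" b"\x85\xC0" b"\x75\x10")                            # 20 bytes
M05 = b"\xB8\x4F\x00" b"\xCD\x41" b"\x3D\x86\xF3" b"\x74\x05"                      # 10 bytes
M07 = b"\xB4\x43" b"\xCD\x68" b"\x3D\x86\xF3" b"\x74\x05"                          # 9 bytes
M12 = (b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00" b"\xFF\x15\x00\x10\x40\x00"
       b"\x66\x3D\x86\xF3" b"\x74\x05")                                            # 19 bytes
S11 = b"\\\\.\\SICE\x00"                                                           # 9 bytes
S13 = b"Software\\NuMega\\SoftICE\x00"                                             # 24 bytes
PAD = b"\x90" * 2
SAMPLE = (b"\x90" * 4 + M01 + PAD + M02 + PAD + M03 + PAD + M05 + PAD
          + M07 + PAD + M12 + PAD + S11 + PAD + S13)

if __name__ == "__main__":
    for offset, name, desc in scan(SAMPLE):
        print(f"{offset:08x}  {name:16s} {desc}")
```

The scanner only sees what is in clear in the file: the packers the text talks about usually keep these checks in their unencrypted stub, but a check sitting inside an encrypted layer is only visible after unpacking or on a memory dump, which is where the page's BPX/BPINT conditions remain the right tool.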