<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=04h, a loaded SoftICE recognises the INT 3 and returns with AL changed;
if AL is still 4 afterwards, nothing intercepted the call.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

Note that without SoftICE loaded, INT 3 raises a breakpoint exception, so
the program has to catch it (an exception handler, SEH on Win32) for the
"not detected" path to be reached at all.

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jumps back.
4C19:00AD  MOV BX,SP       ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is taken through an exception handler when the
  debugger is not loaded: without SoftICE, the INT 3 traps instead of
  returning to the next instruction.
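Both INT 3 tricks above (Method 01's 'BCHK' signature and Method 02's
back-door magic values) leave fixed immediates in the code right before the
INT 3, which makes them easy to find statically. The scanner below is an
added example written for this text, not code from the original article or
from any of the programs it names: it walks a byte image, and for every
0CCh opcode looks back over a window (32 bytes, an assumed heuristic) for
the encodings of MOV SI,4647h / MOV DI,4A4Dh (back door, with the 09xxh
function pulled out of the preceding MOV AX) or MOV EBP,4243484Bh ('BCHK').
Operand-size prefixes (66h) do not matter since only the opcode+immediate
bytes are matched. The sample image is constructed inline from the
instruction encodings on this page (it mirrors the Haspinst loop, then a
lone INT 3 that must not be flagged, then the 'BCHK' check); it is not
taken from a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOOKBACK 32   /* assumed: the set-up must sit within 32 bytes before the INT 3 */

enum trick { TRICK_NONE = 0, TRICK_BCHK = 1, TRICK_BACKDOOR = 2 };

struct finding {
    size_t     int3_off;  /* offset of the 0CCh opcode */
    enum trick kind;
    uint16_t   ax;        /* back-door function (09xxh) when recognisable, else 0 */
};

/* Immediate-operand signatures, exactly as the tricks on this page encode them */
static const uint8_t SIG_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t SIG_SI[]   = { 0xBE, 0x47, 0x46 };             /* mov si,4647h      'FG'   */
static const uint8_t SIG_DI[]   = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh      'JM'   */

/* Portable memmem(): first occurrence of needle in hay, or NULL */
static const uint8_t *find_bytes(const uint8_t *hay, size_t hlen,
                                 const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* mov ax,09xxh (B8 xx 09) with xx in 10h..14h -> returns 09xxh, else 0 */
static uint16_t backdoor_function(const uint8_t *win, size_t wlen)
{
    for (size_t i = 0; i + 3 <= wlen; i++)
        if (win[i] == 0xB8 && win[i + 2] == 0x09 &&
            win[i + 1] >= 0x10 && win[i + 1] <= 0x14)
            return (uint16_t)(0x0900 | win[i + 1]);
    return 0;
}

/* Scan buf for INT 3 opcodes preceded by one of the two set-ups; returns the number of findings */
size_t scan_int3_tricks(const uint8_t *buf, size_t len, struct finding *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (buf[i] != 0xCC) continue;
        size_t start = i > LOOKBACK ? i - LOOKBACK : 0;
        const uint8_t *win = buf + start;
        size_t wlen = i - start;
        enum trick kind = TRICK_NONE;
        uint16_t ax = 0;
        if (find_bytes(win, wlen, SIG_SI, sizeof SIG_SI) &&
            find_bytes(win, wlen, SIG_DI, sizeof SIG_DI)) {
            kind = TRICK_BACKDOOR;          /* Method 02: both magic values present */
            ax = backdoor_function(win, wlen);
        } else if (find_bytes(win, wlen, SIG_BCHK, sizeof SIG_BCHK)) {
            kind = TRICK_BCHK;              /* Method 01: BoundsChecker signature */
        }
        if (kind != TRICK_NONE) {
            out[n].int3_off = i; out[n].kind = kind; out[n].ax = ax; n++;
        }
    }
    return n;
}

/* Constructed sample (not a real binary): Haspinst-style back-door loop, 40 bytes of
   NOP filler, a lone INT 3 (must not be flagged), 40 more NOPs, then the 'BCHK' check. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t backdoor[] = {
        0xB8, 0x11, 0x09,   /* mov ax,0911h  */
        0x8B, 0x17,         /* mov dx,[bx]   */
        0xBE, 0x47, 0x46,   /* mov si,4647h  */
        0xBF, 0x4D, 0x4A,   /* mov di,4A4Dh  */
        0xCC,               /* int 3         (offset 11) */
        0x83, 0xC3, 0x02    /* add bx,2      */
    };
    static const uint8_t bchk[] = {
        0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh      */
        0x66, 0xB8, 0x04, 0x00,       /* mov ax,4 (32-bit code) */
        0xCC,                         /* int 3                  (offset 105) */
        0x3C, 0x04,                   /* cmp al,4               */
        0x75, 0x10                    /* jnz SoftICE_Detected   */
    };
    size_t n = 0;
    if (cap < sizeof backdoor + 40 + 1 + 40 + sizeof bchk) return 0;
    memcpy(buf + n, backdoor, sizeof backdoor); n += sizeof backdoor;
    memset(buf + n, 0x90, 40); n += 40;
    buf[n++] = 0xCC;                               /* lone INT 3 at offset 55 */
    memset(buf + n, 0x90, 40); n += 40;
    memcpy(buf + n, bchk, sizeof bchk); n += sizeof bchk;
    return n;
}

size_t demo_scan(struct finding *out, size_t max)
{
    uint8_t buf[128];
    size_t len = build_sample(buf, sizeof buf);
    return scan_int3_tricks(buf, len, out, max);
}

int main(void)
{
    struct finding f[8];
    size_t n = demo_scan(f, 8);
    for (size_t i = 0; i < n; i++) {
        if (f[i].kind == TRICK_BACKDOOR)
            printf("INT 3 at +%zu: SoftICE back door, AX=%04Xh\n", f[i].int3_off, f[i].ax);
        else
            printf("INT 3 at +%zu: BoundsChecker 'BCHK' check\n", f[i].int3_off);
    }
    return 0;
}
```

The window heuristic is deliberately loose: a packer that computes the
magic values instead of loading them as immediates, or that places the set-up
more than 32 bytes before the INT 3, will slip past it, so treat a hit as a
pointer to a location worth looking at rather than as proof.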
___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back as 0:0 when no VxD with that
ID is loaded.

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (OR would be safer: ES+DI can wrap to zero)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily points the int 41h
vector at its own dummy handler, so that when no debugger has hooked the
interrupt AX comes back unchanged (still 4Fh):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, old offset -> DX
        xchg bx, es:[41h*4+2]   ; ... old segment -> BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot, since neither
4Fh nor 0F386h appears in the code: a changing value (the low byte of PIT
counter 0, read from port 40h) is passed in AL, and the program's own
handler copies it into CL. If a debugger has hooked int 41h ahead of that
handler and does not pass the call on, CL stays 0 and differs from AL.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer counter 0, low byte: a changing value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

Note that the check is missed about once in 256 runs: when AL happens to
read 0, CL equals AL whether or not the debugger swallowed the call.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), again looking for
the 0F386h magic number:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler (DS = its segment)
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (ring 0 only, since MOV from a
debug register is a privileged instruction). The values can be manipulated
or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'; Win32 code, needs <windows.h>):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-01           ; INVALID_HANDLE_VALUE
        00401074:  je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 compare is made on the 4 raw bytes that follow it)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the INC/JNZ test):

        push 00                  ; OF_READ
        mov  eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589            ; detected
        push 00                  ; OF_READ
        mov  eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp  ax, 0f386h          ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of 'tICE'
 inside "Software\NuMega\SoftICE" and inside key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>