<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value from the timer
    xor cx,cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; ...unless something else owns int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the ANSI entry point is the one the text discusses */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>