About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Actually, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
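The scanner below is an added example written for this page, not code from the original text or from any packer: it looks for the instruction sequences and strings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a binary, the kind of triage an analyst runs on a sample to learn which of these checks it carries before stepping through it. The opcode encodings and the sample buffer are my own assumptions, assembled from the instructions listed above.

```python
import re

# Instruction-level signatures for the tricks above. The opcode bytes are my
# own encoding of the instructions listed in the text (constructed, not taken
# from the page). `(?:\x66)?` tolerates an operand-size prefix so a pattern
# written for 16-bit code also matches its 32-bit form, and `.{0,N}?` allows
# a few unrelated bytes between the instructions of one check.
OPCODE_SIGS = [
    ("Method 01: BoundsChecker 'BCHK' in ebp followed by int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: SoftICE back door magic values SI=4647h, DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("Method 07: int 68h function 43h (WinICE V86 handler)",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
# String-level signatures: device names of Method 11 (MeltICE / _lopen) and
# the registry key of Method 13. Matched case-insensitively, as Win32 does.
STRING_SIGS = [
    ("Method 11: SoftICE device name (MeltICE / _lopen)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 13: NuMega SoftICE registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = (
    [(n, re.compile(p, re.DOTALL)) for n, p in OPCODE_SIGS]
    + [(n, re.compile(p, re.IGNORECASE)) for n, p in STRING_SIGS]
)


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in COMPILED for m in pat.finditer(data)]
    return sorted(hits)


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a file on disk (e.g. an unpacked DOS/Win9x executable)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: a few of the checks above assembled back to back,
# surrounded by NOP/NUL padding. Not a real program.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ax,4; int 3; cmp al,4; jnz
    + b"\xB8\x11\x09\xBE\x47\x46"          # mov ax,0911h; mov si,4647h
    + b"\xBF\x4D\x4A\xCC"                  # mov di,4A4Dh; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh; push 2A002Ah
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE",0
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, description in scan(SAMPLE):
        print(f"{offset:#06x}  {description}")
```

A hit only says the bytes are present; packers that build these sequences at run time or split them with junk instructions longer than the gaps allowed here will need the SoftICE breakpoints given in the text instead.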