<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax            ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h        ; our handler does not touch ax; a debugger's does
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our own int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    in al, 40h            ; pseudo-random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; our handler copied al into cl; a debugger's did not
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
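To make sense of the two DR7 values quoted above (0x700 with the SoftICE loader, 0x400 otherwise), here is an added decoder that is not part of the original text: it splits DR7 into its documented bit fields and reports which hardware breakpoints (the BPMs) are armed. The function names and the constructed register values are my own.

```python
# Decoder for the x86 DR7 debug-control register (386+ layout):
#   bits 0-7   : L0,G0 ... L3,G3 enable bits for DR0..DR3
#   bit 8 / 9  : LE / GE "exact breakpoint" flags
#   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     : GD, general detect (trap any access to DR0..DR7)
#   bits 16-31 : R/Wn (2 bits) and LENn (2 bits) for each breakpoint n
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enable flags and per-breakpoint condition fields."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "enabled": local or glob, "local": local,
                    "global": glob, "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": bps,
    }


def debugger_indicators(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Read the registers the way the trick above does and explain each hit.

    dr0_3 holds the (constructed) linear addresses found in DR0..DR3.
    """
    d = decode_dr7(dr7)
    notes = []
    if d["LE"] or d["GE"]:
        notes.append("exact-breakpoint flags LE/GE set (the 0x700 value the text "
                     "attributes to the SoftICE loader)")
    for bp, addr in zip(d["breakpoints"], dr0_3):
        if bp["enabled"]:
            notes.append(f"DR{bp['index']} armed: {bp['type']} "
                         f"len={bp['length']} at {addr:#x}")
    return notes


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000F0401):       # constructed sample values
        print(f"DR7={value:#x}: {debugger_indicators(value, (0x401000, 0, 0, 0))}")
```

The third sample value (0x000F0401) is what a single 4-byte read/write BPM on DR0 looks like: L0 set, R/W0 = 11b, LEN0 = 11b, on top of the always-set bit 10.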

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh        ; function 4Fh
    push 002A002Ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxdCall
    cmp ax, 0F386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
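As an added example (not part of the original text), a small Python scanner that looks for the byte patterns of the tricks described above (methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13) in a binary, the way an analyst would triage a packed sample before loading it under a debugger. The signature list, the labels and the constructed sample buffer are mine; the opcode encodings are the standard ones for the instructions shown in the listings.

```python
import re

# Byte signatures for the SoftICE-detection tricks listed in this text.
# Encodings are the usual x86 forms of the listed instructions; the 16-bit
# forms still match when a 0x66 operand-size prefix precedes them.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     re.compile(rb"\xbdKHCB")),                                # BD 4B 48 43 42
    ("Method 02: back door magic values (mov si,4647h / mov di,4A4Dh)",
     re.compile(rb"\xbe\x47\x46(?:\x00\x00)?.{0,16}?\xbf\x4d\x4a", re.DOTALL)),
    ("Method 03/04: int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) ID",
     re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.DOTALL)),
    ("Method 05/06: int 41h followed by cmp ax,0F386h",
     re.compile(rb"\xcd\x41.{0,32}?\x3d\x86\xf3", re.DOTALL)),
    ("Method 07: mov ah,43h / int 68h V86 handler check",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("Method 11: MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("Method 13: NuMega registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes):
    """Return a list of (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path: str):
    """Convenience wrapper: run scan() over the contents of a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not taken from any real program): a little
# filler, then three of the tricks back to back.
SAMPLE = (
    b"\x55\x8b\xec"                                # push ebp / mov ebp,esp
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"              # Method 12: push 4Fh ; push 002A002Ah
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                           # Method 11: device name string
)


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#010x}  {label}")
```

A hit only says the constant is present, not that it is reached; the breakpoints listed under each method remain the way to confirm the check at run time.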
2 m9 @3 s" S! r# Z9 s</PRE></TD></TR></TBODY></TABLE> |