About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface changes al
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 when no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed in
the IVT first, so that a plain DOS box (no debugger) returns without
touching ax:

    xor     ax,ax
    mov     es,ax           ; es = 0: the IVT lives at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if nobody else took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; a changing value (timer) so cl cannot be guessed
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: our handler was bypassed by a debugger
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                   ; DOS set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SICE VxD registers */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
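The tricks above rest on a handful of fixed immediates, interrupt numbers and device or registry names, so an analyst can flag them in a binary without running it. The scanner below is an added example, not code from the original post; it serves methods 01 to 07 and 11 to 13 together, and its signature names, sample buffer and offsets are constructed here for illustration.

```python
import re

# Byte patterns derived from the listings in the post (16-bit encodings;
# a 66h operand-size prefix in front of them does not break the match).
SIGNATURES = [
    # M01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BCHK/int 3",            rb"\xbd\x4b\x48\x43\x42.{0,12}\xcc"),
    # M02: mov si,4647h / mov di,4A4Dh (either order), the int 3 back door
    ("M02 int 3 back door magic", rb"\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46"),
    # M03/M04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("M03/04 int 2F VxD ID",      rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f"),
    # M05/M06: mov ax,4Fh / int 41h
    ("M05/06 int 41 fn 4F",       rb"\xb8\x4f\x00\xcd\x41"),
    # M05/M07/M12: cmp ax,0F386h, the magic number every system debugger returns
    ("M05/07/12 F386h compare",   rb"\x3d\x86\xf3"),
    # M07: mov ah,43h / int 68h
    ("M07 int 68 fn 43",          rb"\xb4\x43\xcd\x68"),
    # M11: device names MeltICE opens with CreateFileA or _lopen
    ("M11 device name",           rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # M12: push 4Fh / push 002A002Ah before the VxDCall
    ("M12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # M13: the registry key that holds the install directory (key #2)
    ("M13 registry key",          rb"Software\\NuMega\\SoftICE"),
]


def scan(data):
    """Return (offset, trick) pairs, sorted by offset, for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data):
    """Group scan() hits by trick: {trick: [offset, ...]}."""
    report = {}
    for offset, name in scan(data):
        report.setdefault(name, []).append(offset)
    return report


# Constructed sample (not a real binary): NOP padding around fragments
# assembled from the post's own listings, placed at known offsets.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42"                 # @16  mov ebp,'BCHK'           (M01)
    + b"\xb8\x04\x00\xcc\x3c\x04\x75\x10"     #      mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17"                 # @37  mov ax,0911h / mov dx,[bx] (M02)
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"         # @42  mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"     # @57  mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"     # @73  mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"         # @89  push 4Fh / push 002A002Ah  (M12)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                      # @104 '\\.\SICE',0              (M11)
)

if __name__ == "__main__":
    for name, offsets in summarize(SAMPLE).items():
        print(f"{name:28s} at {', '.join(hex(o) for o in offsets)}")
```

Run it over a packed executable instead of SAMPLE to get a first list of which of the catalogued tricks are present and where to set a breakpoint.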
</PRE></TD></TR></TBODY></TABLE>