<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es -> segment 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es -> segment 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer counter byte, used as a random value
    xor cx,cx
    int 41h                 ; if nobody intercepts it, our handler sets cl = al
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
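
Added example (not part of the original document): a small Python scanner that
looks for the byte encodings of the checks from methods 01 to 07, 11 and 12 in a
raw code dump, the kind of triage you'd do on a protected program before tracing
it. It assumes 16-bit encoding for the DOS snippets and 32-bit encoding for the
mov ebp,imm32 of method 01; the sample buffer is constructed inline.

```python
"""Scan a raw code dump for the byte signatures of the anti-SoftICE checks
described above (methods 01 to 07, 11 and 12).  Added example, not code from the
original document: the byte strings are the standard x86 encodings of the
instructions quoted on the page (16-bit encoding assumed for the DOS snippets,
32-bit for mov ebp,imm32), and the sample buffer below is constructed here."""
import re
from typing import List, Tuple

SIGNATURES = [
    # method 01: mov ebp,4243484Bh ('BCHK') followed by int 3 within 16 bytes
    ("01 BoundsChecker signature (mov ebp,'BCHK' ... int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # method 02: optional mov ax,0910h..0914h, then mov si,4647h / mov di,4A4Dh
    ("02 int 3 backdoor magic (si=4647h, di=4A4Dh)",
     re.compile(rb"(?:\xB8[\x10-\x14]\x09)?\xBE\x47\x46\xBF\x4D\x4A")),
    # methods 03/04: mov ax,1684h and mov bx,<VxD ID> (either order), then int 2Fh
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"(?:\xB8\x84\x16\xBB\x02\x02|\xBB\x02\x02\xB8\x84\x16)\xCD\x2F")),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"(?:\xB8\x84\x16\xBB\x5F\x7A|\xBB\x5F\x7A\xB8\x84\x16)\xCD\x2F")),
    # methods 05/06: mov ax,4Fh / int 41h (the 0F386h compare may follow later)
    ("05/06 int 41h function 4Fh", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # method 07: mov ah,43h / int 68h
    ("07 int 68h function 43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # method 11: MeltICE device names as NUL-terminated strings
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before the VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method label, matched bytes as hex) for every hit, by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label, m.group().hex()))
    return sorted(hits)


# Constructed sample: several of the page's snippets assembled into one buffer.
SAMPLE = (
    b"\x90" * 4                                    # filler
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x8C\xC0\x03\xC7\x85\xC0\x75\x10"          # mov ax,es / add ax,di / test ax,ax / jnz
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h / mov si / mov di / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"                           # "\\.\SICE", as used by MeltICE
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for offset, label, raw in scan(SAMPLE):
        print(f"{offset:#06x}  {label:<45} {raw}")
```

Offsets are relative to the start of the buffer; run it on a dump of the code
section and check each hit by hand, since short byte patterns can also appear
in data.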
% {' J, \9 j2 `0 w9 O! A$ a" i</PRE></TD></TR></TBODY></TABLE> |