<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded,
it answers this INT 3 and AL no longer holds 04h afterwards.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 if no VxD with that ID is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; ES is assumed to hold 0 (the IVT segment), as set explicitly in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the program's own handler copies AL (a value just read from timer port 40h)
into CL, so if CL still differs from AL after int 41h, the program's handler
did not run and something else answered the interrupt.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
/ X" B0 L/ n2 r8 tMethod 10
5 F& I" A9 P, K. s: I=========
2 t1 n, L" S7 S( ?% c5 a( i9 p0 b! O# U" t% H. c6 f' L
=>Disable or clear breakpoints before using this feature. DO NOT trace with
1 [* t) M+ [# [( g2 v SoftICE while the option is enable!!
: x. p/ j" Z9 q. o0 Y
* w4 i' c( A, O/ J% c5 n& ?This trick is very efficient:2 b, t, r# _9 o& T
by checking the Debug Registers, you can detect if SoftICE is loaded9 Q! d# R' R+ n, z) R# n2 b3 d
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if0 M8 B) }% p( E6 B+ g
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 H0 h% d. C* U1 r. ~
value (in ring0 only). Values can be manipulated and or changed as well
- ?! W/ `0 f0 R0 ~+ `(clearing BPMs for instance)
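To read the two DR7 values quoted above bit by bit, here is an added decoder (example code, not part of the original text). The bit layout is the documented x86 one; the constructed SAMPLE_DR7 value adds one armed DR0 breakpoint to the 0x700 pattern.

```python
# DR7 layout (x86 debug registers):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit 8 / 9  LE / GE         (0x700 has both set; 0x400 has neither)
#   bit 10     reserved, reads as 1 (why a clean DR7 shows 0x400, not 0)
#   bit 13     GD              general detect (trap on any DR access)
#   bits 16+   R/Wn (2 bits) and LENn (2 bits) for breakpoint n
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # odd encoding: 0b10 means 8 bytes


def decode_dr7(dr7: int) -> dict:
    """Return the enable flags and every armed breakpoint described by DR7."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                       # DRn holds no armed breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"index": n, "local": local, "global": glob,
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": bps}


def describe_dr7(dr7: int) -> str:
    """One-line verdict for the three cases the text distinguishes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ", ".join(f"DR{b['index']} {b['kind']}/{b['length']}B"
                          for b in d["breakpoints"])
        return f"hardware breakpoints armed: {armed}"
    if d["le"] and d["ge"]:
        return "LE/GE set, no breakpoints (the 0x700 pattern quoted above)"
    return "no breakpoints, LE/GE clear (the plain 0x400 value)"


# Constructed sample: the 0x700 pattern plus one 4-byte read/write
# breakpoint in DR0 (L0=1, R/W0=11b, LEN0=11b), the shape a memory
# breakpoint on DR0 takes.
SAMPLE_DR7 = 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18)   # == 0xF0701

if __name__ == "__main__":
    for v in (0x400, 0x700, SAMPLE_DR7):
        print(f"DR7={v:#x}: {describe_dr7(v)}")
```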

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
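For an analyst triaging a packed DOS/Win9x binary, the tricks above (Methods 01, 02, 05/07/12, 11, 12 and 13) leave recognisable byte patterns. The scanner below is an added example (not part of the original text or of any tool it names); the SAMPLE buffer is constructed from the listings above, and the 3-byte opcode patterns are deliberately reported as weak.

```python
import re

# Byte patterns the tricks above leave behind. Immediates are little-endian;
# the strings are the ASCII names handed to CreateFileA/_lopen/RegOpenKey.
MARKERS = {
    # Method 01: mov ebp,04243484Bh -> imm32 bytes 4B 48 43 42 ('BCHK')
    "m01_bchk_magic":   (b"\x4b\x48\x43\x42", "strong"),
    # Method 02: mov si,4647h / mov di,4A4Dh (16-bit BE/BF imm16 forms)
    "m02_si_4647":      (b"\xbe\x47\x46", "weak"),
    "m02_di_4a4d":      (b"\xbf\x4d\x4a", "weak"),
    # Methods 05/07/12: cmp ax,0F386h (3D imm16; 66 3D ... in 32-bit code)
    "m05_cmp_ax_f386":  (b"\x3d\x86\xf3", "weak"),
    # Method 11: MeltICE device names
    "m11_dev_sice":     (b"\\\\.\\SICE", "strong"),
    "m11_dev_siwvid":   (b"\\\\.\\SIWVID", "strong"),
    "m11_dev_ntice":    (b"\\\\.\\NTICE", "strong"),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch via VxDCall)
    "m12_push_2a002a":  (b"\x68\x2a\x00\x2a\x00", "strong"),
    # Method 13: registry keys #2 and #3
    "m13_reg_numega":   (b"Software\\NuMega\\SoftICE", "strong"),
    "m13_reg_loader32": (b"App Paths\\Loader32.Exe", "strong"),
}


def find_markers(data: bytes) -> list:
    """Every raw hit as (marker, offset, strength), sorted by offset."""
    hits = []
    for name, (pat, strength) in MARKERS.items():
        hits += [(name, m.start(), strength)
                 for m in re.finditer(re.escape(pat), data)]
    return sorted(hits, key=lambda h: h[1])


def assess(data: bytes) -> list:
    """Corroborate as the text implies: the two INT 3 back-door magic values
    (Method 02) only count when they sit a few bytes apart, as in the
    Haspinst.exe listing; lone 3-byte opcode hits stay flagged as weak."""
    hits = find_markers(data)
    si = [o for n, o, _ in hits if n == "m02_si_4647"]
    di = [o for n, o, _ in hits if n == "m02_di_4a4d"]
    out = [("m02_int3_backdoor", a, "strong")
           for a in si if any(abs(a - b) <= 16 for b in di)]
    out += [h for h in hits if not h[0].startswith("m02_")]
    return sorted(out, key=lambda h: h[1])


# Constructed sample buffer (not a real file): fragments from the listings
# above pasted back to back, with ordinary prologue bytes in front.
SAMPLE = (b"\x55\x8b\xec"                        # push ebp / mov ebp,esp
          + b"\xbd\x4b\x48\x43\x42"              # mov ebp,04243484Bh   (M01)
          + b"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"  # mov si/mov di/int 3  (M02)
          + b"\\\\.\\SICE\x00"                   # CreateFileA name     (M11)
          + b"\x68\x2a\x00\x2a\x00")             # push 002A002Ah       (M12)

if __name__ == "__main__":
    for name, off, strength in assess(SAMPLE):
        print(f"{off:#06x} {strength:6} {name}")
```

Run it over a whole file with `assess(open(path, "rb").read())`; a weak hit on its own is only a pointer to a spot worth opening in a disassembler.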
</PRE></TD></TR></TBODY></TABLE>