About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler: copy AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a changing value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler was not reached
    jnz     SoftICE_detected

_________________________________________________________________________
1 \" K) m) Z1 l+ v  C9 t+ \7 z# M1 R: I( R( N
Method 077 S2 b  g2 M  D' S  F
=========; g7 _, D: t& ^) A5 ?; v/ T" j
* G. T3 ?( i8 |/ X# x
Method of detection of the WinICE handler in the int68h (V86), r3 Q* r5 ?. ^6 C
5 z( \' Z1 n+ d6 {) O# w
    mov     ah,43h
& R& _( A4 _3 M' f/ Z8 u7 c3 B    int     68h# U, h# S# V7 k( K5 N0 `! u4 @/ e
    cmp     ax,0F386h& M5 \) z* r: ?
    jz      SoftICE_Detected; o) O4 V# D) {" Y, M% {% {5 w8 m
( \5 H! Y  @7 B" W
% U9 e! U0 n6 d9 r
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
4 G! W, K% R# b) L' }   app like this:5 H. C2 F1 [2 |" y. ~3 ?7 q
* l# e  E5 n2 U0 y% R" c3 w) ]
   BPX exec_int if ax==68
1 d# ]: U8 \9 J% R7 U   (function called is located at byte ptr [ebp+1Dh] and client eip is
( I, b9 N; C+ j: d6 l0 K1 ?7 _. s, V: ~8 g   located at [ebp+48h] for 32Bit apps)6 T- n* H+ b3 K
__________________________________________________________________________2 b3 v. b( n1 x4 C- u, j% B

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device could be opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
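As an added example (not part of the original text), here is a small analyst's scanner that looks for the byte-level fingerprints of the tricks above in a raw binary image: the 'BCHK' and 4647h/4A4Dh magic values, the 0F386h comparison, the int 2Fh/1684h VxD IDs, the MeltICE device names and the NuMega registry key. The x86 encodings and the gap sizes between instructions are assumptions of this example, and it runs on a constructed sample, not on a real file.

```python
import re

# Byte-level fingerprints of the tricks above, using the standard x86
# encodings (mov r16,imm16 = B8+r iw; cmp ax,imm16 = 3D iw; int n = CD ib;
# push imm32 = 68 id; push imm8 = 6A ib); an optional 66h operand-size prefix
# covers the same 16-bit instruction inside 32-bit code. The patterns are an
# assumption of this example, not something the text specifies.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    "m01_boundschecker_bchk": rb"\x66?\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h followed (within 8 bytes) by mov di,4A4Dh
    "m02_backdoor_magic": rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID) shortly before int 2Fh
    "m03_04_int2f_vxd_id": rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/07/12: cmp ax,0F386h (system-debugger magic number)
    "m05_f386_magic": rb"\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_check": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names opened via CreateFileA or _lopen
    "m11_meltice_device": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key used to locate the installation directory
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}
# DOTALL so the gap wildcards also match 0x0A bytes.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) pairs, sorted by offset, for every
    fingerprint found in the raw image."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample image (not a real binary): the Haspinst.exe back-door
# loop of Method 02 in 16-bit encoding, the simplest Method 05 check and a
# MeltICE device string, separated by filler.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xB8\x11\x09"      # mov ax,0911h
    + b"\x8B\x17"          # mov dx,[bx]
    + b"\xBE\x47\x46"      # mov si,4647h   (offset 21)
    + b"\xBF\x4D\x4A"      # mov di,4A4Dh
    + b"\xCC"              # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"      # mov ax,4Fh
    + b"\xCD\x41"          # int 41h
    + b"\x3D\x86\xF3"      # cmp ax,0F386h  (offset 37)
    + b"\x74\x10"          # jz SoftICE_detected
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"   # '\\.\SICE',0   (offset 50)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Hits from a packed or self-modifying file only show up after unpacking or from a memory dump, so treat a clean static scan as inconclusive.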