<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers on INT 3
('BCHK' in EBP, AX=4): if AL is still 4 after the INT 3, nothing answered
the call and SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected    ; AL changed -> SoftICE answered the INT 3

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH (the program's own INT 3 handler)
  if the debugger is not loaded: with SoftICE absent, nothing else answers the
  INT 3.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI comes back non-zero.


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI still 0:0 -> the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both install a harmless int 41h handler in
the interrupt vector table before the call, so that the call returns cleanly
when no debugger is there, and restore the original vector afterwards:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old offset in DX
        xchg bx, es:[41h*4+2]   ; ... and the old segment in BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The byte read from port 40h (the timer) lands in AL and the program's own
handler copies it into CL; if the int 41h really reaches that handler, CL
equals AL afterwards, while CL stays 0 when SoftICE handles int 41h itself:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
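The checks of Methods 01 to 07 all reduce to "load a few registers with known
immediates, then INT n", which makes them easy to pick out of a DOS binary
statically. The C below is an added example (it is not code from the original
text nor from any of the protections it describes): a linear-sweep scanner that
decodes only the immediate MOVs and INTs it needs and reports the documented
setups. It runs over a constructed byte string that re-assembles the
Haspinst.exe loop from Method 02 followed by the Method 01, 03, 05 and 07
snippets; the 24-byte freshness window and all struct, enum and function names
are choices of this example.

```c
/* Linear-sweep scanner for the SoftICE checks of Methods 01..07. Added example:
 * not code from the original text or from any protection it describes.
 * Build: cc -std=c99 -Wall -o sice_scan sice_scan.c && ./sice_scan            */
#include <stdint.h>
#include <stdio.h>

enum check_kind {
    CHK_BCHK,       /* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3              */
    CHK_BACKDOOR,   /* Method 02: int 3 with si=4647h, di=4A4Dh, ax=0910h..0914h */
    CHK_VXD_SICE,   /* Method 03: int 2Fh, ax=1684h, bx=0202h                    */
    CHK_VXD_SIWVID, /* Method 04: int 2Fh, ax=1684h, bx=7A5Fh                    */
    CHK_INT41_4F,   /* Method 05: int 41h, ax=4Fh                                */
    CHK_INT68_43    /* Method 07: int 68h, ah=43h                                */
};
struct finding { size_t offset; enum check_kind kind; uint16_t ax; };

/* Last immediate written to each register and the offset of that write
 * ((size_t)-1 = never). A write older than WINDOW bytes no longer counts.   */
struct regs { uint16_t ax, bx, si, di; uint32_t ebp; uint8_t ah;
              size_t ax_at, bx_at, si_at, di_at, ebp_at, ah_at; };
#define WINDOW 24
static int fresh(size_t at, size_t now) { return at != (size_t)-1 && now - at <= WINDOW; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Match an INT <vec> at offset pos against the documented register setups. */
static int classify(uint8_t vec, size_t pos, const struct regs *r, struct finding *f)
{
    int ax_ok = fresh(r->ax_at, pos);
    f->offset = pos; f->ax = r->ax;
    if (vec == 3 && ax_ok && r->ax >= 0x0910 && r->ax <= 0x0914 && fresh(r->si_at, pos)
        && fresh(r->di_at, pos) && r->si == 0x4647 && r->di == 0x4A4D) f->kind = CHK_BACKDOOR;
    else if (vec == 3 && ax_ok && r->ax == 4 && fresh(r->ebp_at, pos) && r->ebp == 0x4243484Bu)
        f->kind = CHK_BCHK;
    else if (vec == 0x2F && ax_ok && r->ax == 0x1684 && fresh(r->bx_at, pos) && r->bx == 0x0202)
        f->kind = CHK_VXD_SICE;
    else if (vec == 0x2F && ax_ok && r->ax == 0x1684 && fresh(r->bx_at, pos) && r->bx == 0x7A5F)
        f->kind = CHK_VXD_SIWVID;
    else if (vec == 0x41 && ax_ok && r->ax == 0x4F) f->kind = CHK_INT41_4F;
    else if (vec == 0x68 && fresh(r->ah_at, pos) && r->ah == 0x43) f->kind = CHK_INT68_43;
    else return 0;
    return 1;
}

/* Sweep 16-bit code, decoding only mov r16,imm16 / mov ah,imm8 / mov ebp,imm32
 * and int 3 / int n; any other byte is skipped. Returns the number of hits.   */
size_t scan_softice_checks(const uint8_t *code, size_t len, struct finding *out, size_t max)
{
    struct regs r = { 0 };
    size_t i = 0, n = 0;
    r.ax_at = r.bx_at = r.si_at = r.di_at = r.ebp_at = r.ah_at = (size_t)-1;
    while (i < len) {
        uint8_t op = code[i];
        if (op == 0x66 && i + 5 < len && code[i + 1] == 0xBD) {           /* mov ebp,imm32 */
            r.ebp = rd32(code + i + 2); r.ebp_at = i; i += 6;
        } else if ((op == 0xB8 || op == 0xBB || op == 0xBE || op == 0xBF) && i + 2 < len) {
            uint16_t v = rd16(code + i + 1);                                 /* mov r16,imm16 */
            if (op == 0xB8)      { r.ax = v; r.ax_at = i; r.ah = v >> 8; r.ah_at = i; }
            else if (op == 0xBB) { r.bx = v; r.bx_at = i; }
            else if (op == 0xBE) { r.si = v; r.si_at = i; }
            else                 { r.di = v; r.di_at = i; }
            i += 3;
        } else if (op == 0xB4 && i + 1 < len) {                              /* mov ah,imm8 */
            r.ah = code[i + 1]; r.ah_at = i; i += 2;
        } else if (op == 0xCC || (op == 0xCD && i + 1 < len)) {              /* int 3 / int n */
            uint8_t vec = (op == 0xCC) ? 3 : code[i + 1];
            if (n < max && classify(vec, i, &r, &out[n])) n++;
            i += (op == 0xCC) ? 1 : 2;
        } else i++;
    }
    return n;
}

/* Constructed sample: the Haspinst.exe loop of Method 02 re-assembled by hand,
 * then the Method 01, 03, 05 and 07 snippets back to back (offsets in comments). */
static const uint8_t SAMPLE[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,  /* 0000: mov ax,911h .. int 3 at 0B    */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB,                  /* 000C: add bx,2 .. jb 0000           */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04,   /* 0015: mov ebp,'BCHK' .. int 3 at 1E */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,  /* 0021: xor di,di .. int 2Fh at 2B    */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                        /* 002D: mov ax,4Fh, int 41h at 30     */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3                              /* 0035: mov ah,43h, int 68h at 37     */
};

int main(void)
{
    struct finding f[16];
    size_t n = scan_softice_checks(SAMPLE, sizeof SAMPLE, f, 16);
    for (size_t k = 0; k < n; k++)   /* prints: offset, kind (enum order above), ax */
        printf("%04zX  kind=%d  ax=%04X\n", f[k].offset, (int)f[k].kind, f[k].ax);
    return 0;
}
```

A linear sweep like this is a YARA-grade signature check, not a disassembler: a
0CCh or 0CDh byte sitting inside an immediate or a jump displacement is decoded
as an INT, so treat a hit as a place to confirm in the debugger with the
BPINT/BPX lines given in the sections above rather than as proof.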
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine (int 01h is the single-step trap and int 03h the breakpoint trap,
the two vectors a debugger depends on).
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> the new handler
        int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: a MOV from a debug register faults in ring3). Values can
be manipulated and/or changed as well (clearing BPMs for instance).

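What the trick actually reads out of DR7: the C below is an added example (not
code from the original text) that decodes a DR7 value into the per-slot
enable/condition/length fields and turns the two observations above into
predicates. The field layout is Intel's documented one (bit 10 of DR7 always
reads as 1, so the 0x700 versus 0x400 difference is the LE and GE bits); that
those two bits are what the SoftICE loader leaves set is read off the two
values quoted in the text, nothing more. The register values are constructed:
reading DR0..DR7 for real must be done in ring 0, as the text says.

```c
/* Decode the debug registers the way the check in Method 10 reads them.
 * Added example, not code from the original text. The register values are
 * constructed; a real check reads DR0..DR7 with MOV from DRn in ring 0 only.
 * Build: cc -std=c99 -Wall -o dr7_decode dr7_decode.c && ./dr7_decode        */
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (IA-32): bit 2n = L<n>, bit 2n+1 = G<n> for n = 0..3; bit 8 = LE,
 * bit 9 = GE, bit 10 reserved and always 1, bit 13 = GD; for slot n the
 * condition is bits 16+4n..17+4n (R/W<n>) and the length bits 18+4n..19+4n. */
struct bp_slot {
    int enabled;        /* L<n> or G<n> set                         */
    int global;         /* G<n> set                                 */
    const char *cond;   /* "exec", "write", "io" or "rw"            */
    int len;            /* 1, 2 or 4 bytes (8 only in 64-bit mode)  */
    uint32_t addr;      /* DR<n>                                    */
};

/* Fill in slot n from DR7 and DR<n>; returns 1 if the slot is armed. */
int dr7_slot(uint32_t dr7, uint32_t dr_n, int n, struct bp_slot *s)
{
    static const char *cond_name[4] = { "exec", "write", "io", "rw" };
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    unsigned ln = (dr7 >> (2 * n)) & 1, gn = (dr7 >> (2 * n + 1)) & 1;
    s->enabled = (int)(ln | gn);
    s->global = (int)gn;
    s->cond = cond_name[(dr7 >> (16 + 4 * n)) & 3];
    s->len = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
    s->addr = dr_n;
    return s->enabled;
}

/* First observation in the text: DR7 reads 0x700 under the SoftICE loader and
 * 0x400 otherwise. Bit 10 is always set, so the difference is LE|GE (0x300). */
int dr7_has_loader_bits(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

/* Second observation: a BPM shows up as an armed slot (L<n> or G<n> set). */
int dr7_armed_slots(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += ((dr7 >> (2 * n)) & 3) != 0;
    return count;
}

/* What a protection that "clears BPMs" writes back: every L/G bit and every
 * condition/length field dropped, LE/GE/GD left as they were. */
uint32_t dr7_without_bpms(uint32_t dr7) { return dr7 & ~0xFFFF00FFu; }

/* Constructed state: loaded under the SoftICE loader with one breakpoint,
 * BPM 401234 RW, armed locally in slot 0 (DR7 = 0x700 | L0 | R/W0=11, LEN0=00). */
static const uint32_t SAMPLE_DR[4] = { 0x00401234u, 0, 0, 0 };
static const uint32_t SAMPLE_DR7 = 0x00030701u;

int main(void)
{
    struct bp_slot s;
    printf("DR7=%08" PRIX32 " loader bits: %s, armed slots: %d\n", SAMPLE_DR7,
           dr7_has_loader_bits(SAMPLE_DR7) ? "yes" : "no", dr7_armed_slots(SAMPLE_DR7));
    for (int n = 0; n < 4; n++)
        if (dr7_slot(SAMPLE_DR7, SAMPLE_DR[n], n, &s))
            printf("  DR%d=%08" PRIX32 " %s len=%d %s\n", n, s.addr, s.cond, s.len,
                   s.global ? "global" : "local");
    printf("after clearing BPMs: DR7=%08" PRIX32 "\n", dr7_without_bpms(SAMPLE_DR7));
    return 0;
}
```

dr7_without_bpms is the register-side view of the warning at the top of this
section: a protection that writes such a value back silently disarms every BPM,
which is why breakpoints should be cleared before stepping through this kind of
code rather than lost under it.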
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name the SoftICE VxD answers to on Win9x */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver accepted the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (HFILE_ERROR is -1, so 'inc eax' leaves zero
exactly when the open failed):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; 'tICE' sits at
offset 0x13 in "Software\NuMega\SoftICE" and at offset 0x37 in the
Uninstall\SoftICE key):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>