About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with 'BCHK' in
EBP and AX=4, an INT 3 is answered by SoftICE, which alters AL. If AL is
still 4 afterwards, SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is not
loaded, ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with a handler that does nothing, so AX can only come back as 0F386h
if the call is intercepted before it reaches that vector (which is what
SoftICE does):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it uses neither function 4Fh nor the 0F386h magic value: AL is loaded with a
timer value read from port 40h, the temporary handler copies AL into CL, and
if the interrupt was intercepted (or AL altered) CL no longer matches AL:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

8 x# }3 o4 h9 SMethod 13
" Y9 K# \- _# J+ L7 U5 U, q; Y=========7 O0 u. M5 L( A
* Q! V6 H5 h6 x/ b
Not a real method of detection, but a good way to know if SoftICE is
! t8 P: y1 Q$ J; U& `installed on a computer and to locate its installation directory.1 t& S9 o, m+ D% [" ^1 u: v
It is used by few softs which access the following registry keys (usually #2) :
2 ~1 n$ N* v  n; b7 J1 t2 t( G  |  Y, v; d
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& G" p: X  P5 P: M4 Q( j$ q\Uninstall\SoftICE' T/ N) @" Z! o) o3 e
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
+ w0 S  q' n: m* x-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& C" w) n1 {6 o- g. U
\App Paths\Loader32.Exe
, ^+ g9 Y5 j5 d4 k9 q+ ~8 k% J5 m8 S! G
" q7 R) }+ [& J) ~
# l/ S: ~" F$ v/ L4 P- sNote that some nasty apps could then erase all files from SoftICE directory$ n: ~$ u! ]3 a8 C7 g
(I faced that once :-(! B0 @8 V: m) E8 X

# C' m, `( q, |7 h5 l5 E6 H6 o* HUseful breakpoint to detect it:8 e- m$ v8 W& \. m, M3 U4 {& {
, P! e7 o" }4 V9 \/ B! I
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
- N* K5 t5 k  r" q; I+ b" k
9 `- G7 v/ Q1 ~7 n1 s$ y0 q' d7 @__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
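As an added example (not part of the original post, nor code by its author): a static triage scanner in Python for the byte patterns the methods above leave in a binary, so an analyst can flag a sample before running it. The opcode encodings and method labels are my own assumptions derived from the listings (16-bit code for methods 02/03/04, 32-bit for 01/05/12), and the SAMPLE blob is constructed.

```python
import re

# Byte signatures for the anti-SoftICE methods described in the text.
# Opcode encodings assume the operand forms shown there (16-bit code for
# methods 02/03/04, 32-bit for 01/05/12); `.{0,8}?` tolerates a few
# interleaved instructions.  Labels are our own.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3  -> BD 4B484342 / [66] B8 0400 / CC
    ("01 BoundsChecker BCHK int3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC"),
    # Method 02: mov si,4647h ('FG') ; mov di,4A4Dh ('JM') ; int 3
    ("02 SoftICE backdoor magic FG/JM",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Methods 05/07/12: cmp ax,0F386h  (16-bit 3D 86F3, 32-bit 66 3D 86F3)
    ("05/07/12 cmp ax,0F386h debugger magic", rb"(?:\x66)?\x3D\x86\xF3"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall 002A002A/4F",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: device names MeltICE opens with CreateFileA / _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
]
COMPILED = [(label, re.compile(pat, re.S)) for label, pat in SIGNATURES]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pat in COMPILED:
        hits.extend((m.start(), label) for m in pat.finditer(blob))
    return sorted(hits)


def summarize(blob):
    """Group hits as {label: [offsets]} so a triage report reads per method."""
    report = {}
    for off, label in scan(blob):
        report.setdefault(label, []).append(off)
    return report


# Constructed sample standing in for a section of a packed executable:
# the Method 01 sequence, a Haspinst-style backdoor call (Method 02),
# the Bleem-style VxDCall (Method 12) followed by the 0F386h compare,
# and a MeltICE device name (Method 11), separated by NOP padding.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC"   # 'BCHK'; ax=4; int 3
    + b"\x3C\x04" + b"\x75\x10"                                 # cmp al,4 ; jnz
    + b"\x90" * 8
    + b"\xB8\x11\x09" + b"\x8B\x17"                             # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"               # si='FG' ; di='JM' ; int 3
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                           # push 4Fh ; push 002A002Ah
    + b"\x66\x3D\x86\xF3"                                       # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00" + b"harmless text\x00"
)

if __name__ == "__main__":
    for label, offsets in summarize(SAMPLE).items():
        print(f"{label:45s} at {[hex(o) for o in offsets]}")
```

A hit on one method alone (especially the 0F386h compare, which is a generic debugger magic value) is a lead for manual review, not a verdict; several methods clustered together is the pattern the text describes for packers.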