<TABLE width=500>
" _7 A0 G( d7 M" e<TBODY>5 @1 X8 q; w: _# K6 S) z
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE exposes on int 3: with
EBP = 'BCHK' (4243484Bh) and AX = 04h, a loaded SoftICE handles the
interrupt and changes AL. If AL still holds 4 afterwards, nobody answered
the call.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker magic)
        mov ax, 04h
        int 3                   ; handled by SoftICE if it is loaded
        cmp al, 4               ; AL unchanged -> no SoftICE
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands' on int 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.


Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded
  (int 3 then lands in the program's own handler instead of SoftICE).
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point): a VxD that is not loaded
leaves ES:DI = 0000:0000.

        xor di, di
        mov es, di              ; ES:DI = 0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; cheap "is ES:DI non-zero?" test
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the SoftICE
GFX (video) VxD, SIWVID.

        xor di, di
        mov es, di              ; ES:DI = 0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation
check" of the Windows debugging interface).
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh             ; debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number returned by a system debugger
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a private handler that only does an iret, so if ax comes back as
0F386h the answer came from a debugger intercepting int 41h before the
real-mode vector is consulted, not from whatever handler the IVT held:

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector
        xchg bx, es:[41h*4+2]   ; (old vector kept in bx:dx)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________
4 D" t: Y% g2 F6 @' a# M& i6 |% w4 W: j5 L0 D9 }
" D2 p6 N3 U* h1 |Method 06
# K( F/ D4 v* S/ q$ b=========1 O4 Q. Y- K4 G0 O5 s0 z+ ~' h4 b
5 y q( q" m% K, q/ T% D4 v& K- ^0 F' ~5 s" F4 M" J
2nd method similar to the preceding one but more difficult to detect:4 e) Q! q8 x% @* ?* ~9 F( T' b
! |6 K3 C$ q @. A( `7 h% }5 V R& Y9 u0 t: z& S
int41handler PROC" ^( x8 L6 S, h
mov cl,al
) U. T# k4 u6 i6 K8 l5 x! Y b; | iret+ ]9 a9 G0 m! v1 _5 U
int41handler ENDP6 T/ `6 Q% H6 k7 I7 y5 h) K6 l
" {# B" w4 k) @- |% T
' k" ~+ _& ]2 y* C( K; K xor ax,ax+ ~* d- u# t' _5 U/ ^
mov es,ax& V1 v+ `2 J: l% ~4 N
mov bx, cs0 y: l9 x$ ^3 n9 I2 v0 F
lea dx, int41handler ~1 M4 u3 o. a" Q/ Y2 ]. `' V
xchg dx, es:[41h*4]% `' l% K9 M, a$ X
xchg bx, es:[41h*4+2]; X2 }1 x& }5 X- w+ _
in al, 40h
' X8 ~, g- \2 Q xor cx,cx
) ^/ O9 a, I8 Y' b9 j int 41h
% R. I1 A/ s% H2 i; I2 B, d( b xchg dx, es:[41h*4]
% Q2 F" v, \7 d# e2 u xchg bx, es:[41h*4+2]5 }8 Y' B8 A& T( j& U N5 y7 N
cmp cl,al
/ Z& B$ H; l, {* r6 v jnz SoftICE_detected
* O9 X' X' O3 A) Z4 j& ^% w+ |, i8 W' d5 y
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function 43h is
the int 68h "debugger installation check" and returns the same 0F386h magic.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine   ; ds:dx -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
0x400 is just the reserved bit 10 that always reads as 1, and 0x700 adds the
LE/GE "exact breakpoint" enable bits 8 and 9) or if there are memory
breakpoints set (dr0 to dr3) simply by reading their value (ring0 only, since
MOV from a debug register faults at ring3). Values can be manipulated or
changed as well (clearing BPMs for instance).
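
Added example (not part of the original text): a C decoder for DR7 and
DR0..DR3 that shows what the 0x400 / 0x700 values above mean bit by bit, how
an armed BPM shows up in the registers, and what "clearing BPMs" amounts to.
The bit layout is the documented x86 one; the sample address 00401000 and the
helper names are assumptions made for the example. Reading the registers for
real still needs ring0, this block only interprets values already read.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Control Register (DR7)"):
 *   bits 0..7    L0 G0 L1 G1 L2 G2 L3 G3  local/global enable of DR0..DR3
 *   bit  8       LE  local exact breakpoint enable
 *   bit  9       GE  global exact breakpoint enable
 *   bit  10      reserved, always reads as 1
 *   bit  13      GD  general detect: trap any MOV to/from a debug register
 *   bits 16+4n   R/Wn for DRn: 00 execute, 01 write, 11 read or write
 *   bits 18+4n   LENn for DRn: 00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8, x86-64)
 */
#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)
#define DR7_GD        (1u << 13)

struct hw_bp {
    bool     enabled;   /* L or G bit set: this is an armed BPM */
    bool     global;
    uint32_t address;   /* DRn */
    unsigned rw;        /* 0 exec, 1 write, 3 read/write */
    unsigned len;       /* 1, 2, 4 (or 8) bytes */
};

struct dr_state {
    bool le, ge, gd;
    struct hw_bp bp[4];
};

static unsigned len_field_to_bytes(unsigned field)
{
    switch (field & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 2:  return 8;   /* only defined in 64-bit mode */
    default: return 4;
    }
}

/* Decode DR7 and DR0..DR3 into what a ring-0 anti-debug check is looking at. */
struct dr_state decode_debug_regs(uint32_t dr7, const uint32_t dr[4])
{
    struct dr_state s = {0};
    s.le = (dr7 & DR7_LE) != 0;
    s.ge = (dr7 & DR7_GE) != 0;
    s.gd = (dr7 & DR7_GD) != 0;
    for (int n = 0; n < 4; n++) {
        bool local  = (dr7 >> (2 * n)) & 1;
        bool global = (dr7 >> (2 * n + 1)) & 1;
        s.bp[n].enabled = local || global;
        s.bp[n].global  = global;
        s.bp[n].address = dr[n];
        s.bp[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        s.bp[n].len     = len_field_to_bytes(dr7 >> (18 + 4 * n));
    }
    return s;
}

/* How many BPMs are armed (an L or G bit set for the register). */
int count_armed_bpm(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i))) n++;
    return n;
}

/* "dr7 = 0x700 with the SoftICE loader, 0x400 otherwise": 0x400 is only the
 * reserved bit, 0x700 has LE and GE set on top of it. */
bool dr7_has_exact_bits(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Build the DR7 a BPM would set: enable DRn locally with the given R/W and
 * LEN encodings, keeping everything else as it was. */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len_field)
{
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear R/W and LEN of DRn */
    dr7 |= ((len_field & 3) << 2 | (rw & 3)) << (16 + 4 * n);
    return dr7 | (1u << (2 * n));
}

/* What "clearing BPMs" means at the register level: drop every enable bit
 * and every R/W-LEN field, keep the reserved bit and LE/GE/GD untouched. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & ~(0x000000FFu | 0xFFFF0000u);
}

int main(void)
{
    uint32_t dr[4] = { 0x00401000, 0, 0, 0 };     /* assumed sample address */
    uint32_t dr7 = dr7_arm(0x700, 0, 1, 3);       /* BPM write, 4 bytes, on DR0 */
    struct dr_state s = decode_debug_regs(dr7, dr);
    printf("dr7=%08x armed=%d bp0: %s addr=%08x rw=%u len=%u\n", dr7,
           count_armed_bpm(dr7), s.bp[0].enabled ? "on" : "off",
           s.bp[0].address, s.bp[0].rw, s.bp[0].len);
    return 0;
}
```

A protection that reads DR7 therefore sees 0x700 turn into 0xD0701 the moment
you set a 4-byte write BPM on DR0, and a protection that writes the registers
can silently disarm that BPM by clearing bits 0..7 and 16..31.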

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open only succeeds when the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD; open it as a file */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* it opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}
" M4 {. _1 T8 [Although this trick calls the CreateFileA function, don't even expect to be
! l4 M/ J+ b5 G- u/ B2 dable to intercept it by installing a IFS hook: it will not work, no way!! u+ ~4 f4 F( S8 `1 b
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
/ k9 i8 E* [5 _) \% nservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* u( q0 k) \' v
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
% M; K* J4 r/ R6 r- q3 s; qfield.0 ~/ `& q. I* k3 Z& x/ u9 D9 X
In fact, its purpose is not to load/unload VxDs but only to send a
9 E: J6 O" _$ a0 K+ i+ X" t4 ]9 ^: ?W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
/ O) G6 m0 t" D6 Q' ^to the VxD Control_Dispatch proc (how the hell a shareware soft could try
0 r9 H% \% `3 F) Lto load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 f/ C6 }$ w- C" VIf the VxD is loaded, it will always clear eax and the Carry flag to allow$ y/ T* {2 S, @3 ]& o4 U
its handle to be opened and then, will be detected.
' y* C* C P, H0 m1 pYou can check that simply by hooking Winice.exe control proc entry point% [1 [; e$ C$ n) j( F8 N8 P
while running MeltICE.- W c1 R! u, T! l5 ] C
9 Q6 @4 a/ V# @8 `5 T8 X9 V3 v/ q4 W( Q, K# v: d* s4 K5 ^! J
00401067: push 00402025 ; \\.\SICE
4 x5 G5 q$ K( } 0040106C: call CreateFileA
5 a f. z/ C f& Q! F/ { 00401071: cmp eax,-001
- j' U& v1 c- f3 m& V6 l( c; M! H 00401074: je 00401091
3 I+ a F" ?) e! Z/ n0 U8 } T) y4 ^
2 E6 W. S4 C' U) X# f* R
There could be hundreds of BPX you could use to detect this trick.* ], l0 e( }8 H0 D
-The most classical one is:
! Q5 a% w* M6 _ m/ b1 f BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
, D: w! t% M0 }5 k: o2 `( Q *(esp->4+4)=='NTIC'
3 H' _+ w9 j: c. B- P" H) a
* _ u5 f( v) ~" b7 W-The most exotic ones (could be very slooooow :-(+ x6 S% J2 H$ ?8 _; ^8 R
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
5 H9 @8 L1 @* c- J& _/ o3 a ;will break 3 times :-(
: r+ q# b9 `2 x$ e% [! n( w( T* _! n$ y; J
-or (a bit) faster:
$ w6 e q- {) ?$ ^ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' l7 i! C2 q- ]. e' N* s- p3 U* u1 ]; D A1 G0 M
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ' C4 p6 x k' G3 @5 L" W
;will break 3 times :-(9 y4 k; s& N# p/ f! Z1 W! |
0 m0 q+ m- n% D {: \/ O-Much faster:
2 c7 C- I0 c( h* X/ C% c6 o BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'5 I2 E4 ` p4 t6 N& i% d* J
8 e. P/ h3 k4 Q) _& TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
0 X# Q) v# ^/ w mfunction to do the same job:7 P6 w( B3 }1 {+ D+ U4 Z V# q
9 ]4 M% p# w% D+ k push 00 ; OF_READ. Y% ~, Z' m# D! E/ Z3 |0 T5 a
mov eax,[00656634] ; '\\.\SICE',0
; H j E) i e9 B; ` push eax3 ~5 m0 C' f) D! s: m5 Z6 }
call KERNEL32!_lopen
$ Y4 }0 |8 n y, j. G! n' [. n- t inc eax( Z! }7 {% A! _4 Z& m7 A/ q/ Y
jnz 00650589 ; detected2 a9 ^2 n' ]$ [- w$ M' k
push 00 ; OF_READ
3 r4 {+ h" r9 \( K% E9 y mov eax,[00656638] ; '\\.\SICE' I* A, G( Q8 Y- ?& R3 g
push eax
' _; t# \6 m' w! H call KERNEL32!_lopen P+ S# S! P' m8 T" v, v
inc eax/ W( c- I( q/ H
jz 006505ae ; not detected
; M* H3 i$ W) f. A9 G' V! m: o- }" B! S& Z
) k# s( v$ c- v8 {__________________________________________________________________________9 F' |4 n8 o1 W" b
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________
& R" y' g6 `) G, Q% ~/ h
Method 13
" W# r9 }, f$ Q( F3 q; L" N" c. R=========
$ A- Z: q' w+ z% i/ W5 l+ D& D/ K$ W8 k9 @, ^- v3 @
Not a real method of detection, but a good way to know if SoftICE is1 g, _4 Q* @2 n
installed on a computer and to locate its installation directory.6 j8 G% x. D: P+ D
It is used by few softs which access the following registry keys (usually #2) :3 b' _/ y; t% Q0 ?4 L
- k& @( W3 R7 M9 C6 r-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# ^" q" c3 S! U# X1 K9 X4 o: p( O\Uninstall\SoftICE
& [5 h0 E1 w! H2 U# Z7 E& }-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
/ |+ g2 \: P( \& f-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion( L) |* U9 x$ j, Q6 U/ i7 {
\App Paths\Loader32.Exe
& Y5 `' f* U3 e/ d& a, U+ z; U7 I" N
: l! W4 ^5 \: x4 E7 ENote that some nasty apps could then erase all files from SoftICE directory. W7 q$ U( w) L, k! ? E! o
(I faced that once :-(
9 m1 t5 S5 f6 [) w9 O- C$ n5 r
- u' m& t f+ AUseful breakpoint to detect it:/ f; \8 k, E( v0 y, k
6 d1 y1 l( N5 F: D4 u6 @ BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 z: `- b' [7 E" R8 H
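
Added example (not part of the original text): the two "classical" SoftICE
conditions above, the CreateFileA one from method 11 and the _regopenkey one
from this method, re-expressed in C so you can check what they do and do not
catch before relying on them. It assumes SoftICE evaluates *(p+off)=='SICE'
as "the four bytes at p+off are S,I,C,E in memory order", which is how the
offsets 4, 0x13 and 0x37 were derived; the bounds check is something SoftICE
itself does not do, and the sample device names and subkeys are constructed
inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE evaluates *(p+off)=='SICE' as a dword compare against the bytes
 * S,I,C,E in memory order.  The C version adds a bounds check SoftICE does
 * not have: reading past the NUL of a short subkey would be an out-of-bounds
 * read here, whereas SoftICE simply reads whatever follows in memory. */
static bool dword_at_is(const char *s, size_t off, const char lit[4])
{
    if (off + 4 > strlen(s)) return false;
    return memcmp(s + off, lit, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first argument) on entry; +4 skips the "\\.\" prefix. */
bool bp_createfilea_fires(const char *lpFileName)
{
    return dword_at_is(lpFileName, 4, "SICE")
        || dword_at_is(lpFileName, 4, "SIWV")
        || dword_at_is(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument).  0x13 is the offset of "tICE" in
 * "Software\NuMega\SoftICE" (key #2) and 0x37 its offset in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
bool bp_regopenkey_fires(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE")
        || dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" inside a subkey, or -1: use it to derive the constant for
 * a key layout the breakpoint above does not cover. */
long tice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (long)(p - lpSubKey) : -1;
}

int main(void)
{
    /* constructed inputs: what MeltICE-style code passes to the two APIs */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\COM1" };
    const char *keys[]  = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
        "SoftICE",      /* app opened HKLM\Software\NuMega first, then this */
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               bp_createfilea_fires(files[i]) ? "breaks" : "silent");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") tICE at %ld -> %s\n", keys[i],
               tice_offset(keys[i]), bp_regopenkey_fires(keys[i]) ? "breaks" : "silent");
    return 0;
}
```

Two things fall out of running it: key #3 never trips the breakpoint because
"tICE" is not in it at all, and an app that opens HKLM\Software\NuMega first
and then the subkey "SoftICE" puts "tICE" at offset 3, where neither constant
looks. tice_offset() gives you the number to add a third term for such cases.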
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
The service returns with the zero flag clear if a debugger is installed.

        VMMCall Test_Debug_Installed
        je  not_installed       ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>