<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very commonly used method (perhaps the most frequent one). It is
used to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less frequently used method. It seeks the ID of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
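Methods 01 to 07 all load fixed immediates (the 'BCHK' and 4647h/4A4Dh magics, the 1684h/0202h/7A5Fh VxD IDs, function 4Fh or 43h, the 0F386h reply) right before an int 3, int 2Fh, int 41h or int 68h, so an analyst triaging a packed sample can look for those byte sequences statically before ever running it under a debugger. The scanner below is an added example and not part of the original text or of any protector it names; the signatures are derived here from the standard x86 encodings of the instructions shown above (assumption: the protector emits them literally, as Haspinst.exe does, rather than building the registers indirectly), and the blob it scans is hand-assembled from those same sequences.

```python
import re

# Byte signatures for the tricks of methods 01 to 07, derived from the standard
# x86 encodings of the instructions shown in the text. Both 16-bit and 32-bit
# operand-size forms are accepted where the encoding differs.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')  ...  int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; ... int 3
    # (16-bit BE 47 46 / BF 4D 4A; the 32-bit forms carry two extra zero bytes)
    ("M02 back door magic SI=4647h DI=4A4Dh int 3",
     re.compile(rb"\xBE\x47\x46(?:\x00\x00)?\xBF\x4D\x4A(?:\x00\x00)?.{0,16}?\xCC",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; ... int 41h ; ... cmp ax,0F386h (66 prefix in 32-bit code)
    ("M05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41.{0,24}?\x66?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68\x66?\x3D\x86\xF3")),
]


def scan(blob: bytes):
    """Return sorted (offset, signature name) pairs for every hit in the blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample():
    """Constructed sample: hand-assembled instruction sequences from the text,
    separated by harmless filler, so the scanner can be exercised offline.
    Returns the blob and the offset at which each labelled sequence starts."""
    parts = [
        (None, "55 8B EC 33 C0 5D C3 90 90 90"),        # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret; nops
        ("M01", "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10"),  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
        (None, "B8 11 09 8B 17"),                        # mov ax,0911h; mov dx,[bx]  (Haspinst.exe prologue)
        ("M02", "BE 47 46 BF 4D 4A CC 83 C3 02 41 83 F9 06 72 EB"),  # mov si,4647h; mov di,4A4Dh; int 3; ...
        (None, "31 FF 8E C7"),                           # xor di,di; mov es,di
        ("M03/M04", "B8 84 16 BB 02 02 CD 2F 8C C0 01 F8 85 C0 75 05"),  # mov ax,1684h; mov bx,0202h; int 2Fh; ...
        ("M05", "B8 4F 00 CD 41 3D 86 F3 74 05"),        # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
        ("M07", "B4 43 CD 68 3D 86 F3 74 05"),           # mov ah,43h; int 68h; cmp ax,0F386h; jz
        (None, "C3"),                                    # ret
    ]
    blob, offsets = b"", {}
    for label, hexbytes in parts:
        if label is not None:
            offsets[label] = len(blob)
        blob += bytes.fromhex(hexbytes)
    return blob, offsets


SAMPLE_BLOB, SAMPLE_OFFSETS = build_sample()

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_BLOB):
        print(f"{offset:#06x}  {name}")
```

Run it against a dumped code section rather than the packed file on disk: the sequences only exist in clear once the unpacking stub has run, which is also why a hit is only a triage lead and a miss proves nothing.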
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE, but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their values (in ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).
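To make the two numbers above concrete: dr7 is a bit field, and 0x700 and 0x400 differ only in bits 8 and 9 (the LE and GE "exact breakpoint" flags); bit 10 is a reserved bit that always reads as 1, which is why the "not loaded" value is 0x400 rather than 0, and the BPM slots live in bits 0-7 and 16-31. The decoder below is an added example, not code from the original text; it follows the DR7 layout as documented in the Intel manual and takes the register value as an integer (reading dr7 itself requires ring 0 and is outside the example).

```python
# DR7 bit layout, per the Intel SDM (assumption: the same layout applies to every
# x86 CPU the text's SoftICE versions ran on, which holds from the 386 onwards):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for slots 0-3
#   bit 8      LE   local exact breakpoint enable
#   bit 9      GE   global exact breakpoint enable
#   bit 10     reserved, always reads as 1
#   bit 13     GD   general detect (traps any access to DR0-DR7)
#   bits 16+4n..17+4n  R/Wn  access type that triggers slot n
#   bits 18+4n..19+4n  LENn  size of the watched region for slot n
RW_MEANING = {0b00: "execute", 0b01: "write", 0b10: "I/O read/write", 0b11: "read/write"}
LEN_MEANING = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named flags and the list of armed slots."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({"slot": n, "local": local, "global": glob,
                      "access": RW_MEANING[rw], "length": LEN_MEANING[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "breakpoints": slots,
    }


def loaded_by_softice_loader(dr7: int) -> bool:
    """The text's heuristic: 0x700 means 'started from the SoftICE loader',
    0x400 means not. Decoded, that is exactly 'LE and GE are both set'."""
    fields = decode_dr7(dr7)
    return fields["LE"] and fields["GE"]


def describe(dr7: int) -> str:
    """One-line human-readable summary, e.g. for a triage report."""
    f = decode_dr7(dr7)
    parts = [f"dr7={dr7:#x}", f"LE={int(f['LE'])}", f"GE={int(f['GE'])}", f"GD={int(f['GD'])}"]
    for bp in f["breakpoints"]:
        scope = "G" if bp["global"] else "L"
        parts.append(f"bp{bp['slot']}:{scope}:{bp['access']}:{bp['length']}B")
    return " ".join(parts)


if __name__ == "__main__":
    # 0xF0401 is a constructed value: slot 0 armed locally, read/write, 4 bytes.
    for value in (0x400, 0x700, 0x000F0401):
        print(describe(value), "| loader:", loaded_by_softice_loader(value))
```

The heuristic only says something about how the program was started; a plain 0x400 with a non-zero R/W or LEN field but no enable bit, for instance, is simply a disarmed slot, and the decoder reports it as no breakpoint.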

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025        ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
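Methods 11 and 13 both depend on fixed strings (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the three registry keys), so a sample that carries them can be triaged statically before it is run. The scanner below is an added example that is not part of the original text; it searches a file image for those strings in both ASCII and UTF-16LE form, case-insensitively, and the image it runs on is constructed inline.

```python
import re

# Strings the text associates with methods 11 and 13. The device names are what
# MeltICE and the _lopen variant open; the registry paths are the three keys
# listed above (the HKEY_LOCAL_MACHINE prefix is a handle, not a stored string,
# so only the sub-key part is searched).
INDICATORS = {
    r"\\.\SICE":                         "M11 device name: SoftICE Win9x driver (SICE)",
    r"\\.\SIWVID":                       "M11 device name: SoftICE video driver (SIWVID)",
    r"\\.\NTICE":                        "M11 device name: SoftICE NT driver (NTICE)",
    r"CurrentVersion\Uninstall\SoftICE": "M13 registry key #1 (Uninstall\\SoftICE)",
    r"Software\NuMega\SoftICE":          "M13 registry key #2 (NuMega\\SoftICE)",
    r"App Paths\Loader32.Exe":           "M13 registry key #3 (Loader32.Exe)",
}


def compile_patterns():
    """Each indicator becomes two case-insensitive byte regexes: ASCII and UTF-16LE,
    since a Win32 program may store either form depending on which API it calls."""
    pats = []
    for text, meaning in INDICATORS.items():
        for codec, label in (("ascii", "ascii"), ("utf-16-le", "utf16")):
            pats.append((re.compile(re.escape(text.encode(codec)), re.IGNORECASE),
                         label, meaning))
    return pats


PATTERNS = compile_patterns()


def find_indicators(image: bytes):
    """Return sorted (offset, encoding, meaning) for each indicator found in the image."""
    hits = []
    for pattern, label, meaning in PATTERNS:
        for m in pattern.finditer(image):
            hits.append((m.start(), label, meaning))
    return sorted(hits)


# Constructed sample image: a fake 16-byte header, two device names (the second
# in lower case, as a sloppy build might store it), one registry key stored as a
# wide string, and an unrelated string that must not be reported.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\siwvid\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"ordinary string\x00"
)

if __name__ == "__main__":
    for offset, encoding, meaning in find_indicators(SAMPLE_IMAGE):
        print(f"{offset:#06x} {encoding:5} {meaning}")
```

A hit tells you which method to expect and where to put the breakpoints listed above; it is not proof of the check, since the same strings also appear in legitimate SoftICE tooling such as the Symbol Loader.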
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>