About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises: with 'BCHK'
in ebp and ax = 4, the int 3 is answered by SoftICE, which modifies al.
If al is still 4 afterwards, no debugger is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get Device Entry Point'). ES:DI comes back as 0000:0000 when no VxD
with that ID is loaded, which is what the test below relies on.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a
dummy handler for the duration of the call, so the 0F386h answer can only
come from a debugger sitting in front of the IVT:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must be 0 (IVT segment), see method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer value, changes on every run
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The handler only copies al into cl. If the interrupt reaches the program's
own handler, cl equals al afterwards; if a debugger hooking int 41h handles
the call itself, cl stays zero and the compare fails. No magic function
number is involved, which is what makes this variant harder to spot.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
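As an added example that is not part of the original post, here is a small Python triage scanner that looks for the byte patterns these methods leave in a binary: the opcode encodings of the instruction sequences quoted for methods 01, 02, 03/04, 05, 07 and 12, the device names of method 11 and the registry key of method 13. The opcode encodings, the label names and the sample buffer are my own (constructed); the magic values are the ones quoted above.

```python
"""Added example: triage scanner for the anti-SoftICE patterns listed above.

Not the original post's code. It matches the x86 opcode encodings of the
instruction sequences quoted for methods 01, 02, 03/04, 05, 07 and 12, the
device names of method 11 and the registry key of method 13, so an analyst
can see which debugger checks a packed file carries. Encodings are standard
16/32-bit x86 (mov r16,imm16 = B8+reg iw, int n = CD n, push imm32 = 68 id).
"""
import re

# (label, pattern). The `.{0,N}` windows tolerate a few unrelated instructions
# between the pieces, as in the Haspinst.exe listing. re.S lets '.' match 0x0A.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK/int3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}(?:\xCC|\xCD\x03)", re.S)),
    # 02: mov si,4647h ; mov di,4A4Dh ; int 3   (backdoor magic values)
    ("02 int3 backdoor SI=4647/DI=4A4D",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}(?:\xCC|\xCD\x03)", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int2F/1684 VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F", re.S)),
    # 05/06 family: mov ax,4Fh ; int 41h
    ("05 int41/4F", re.compile(rb"\xB8\x4F\x00.{0,12}\xCD\x41", re.S)),
    # 07: mov ah,43h ; int 68h
    ("07 int68/43", re.compile(rb"\xB4\x43.{0,4}\xCD\x68", re.S)),
    # 11: MeltICE / _lopen device names  \\.\SICE  \\.\SIWVID  \\.\NTICE
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # 13: NuMega registry key
    ("13 NuMega registry key", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = [(m.start(), label) for label, pat in SIGNATURES
            for m in pat.finditer(buf)]
    return sorted(hits)


# Constructed sample, not a real file: the Haspinst.exe loop body (method 02),
# the simplest int 41h check (method 05) and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"       # mov ax,0911h
    + b"\x8B\x17"           # mov dx,[bx]
    + b"\xBE\x47\x46"       # mov si,4647h
    + b"\xBF\x4D\x4A"       # mov di,4A4Dh
    + b"\xCC"               # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"       # mov ax,4Fh
    + b"\xCD\x41"           # int 41h
    + b"\x3D\x86\xF3"       # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"    # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

The windows are deliberately narrow, so a packer that spreads the pieces over junk instructions will need looser patterns or a disassembler pass; the scanner is a first triage step, not proof of absence.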