<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0, the segment of the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; point int 41h at our dummy handler, keeping the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0, the segment of the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; point int 41h at our handler, keeping the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter (port 40h): an unpredictable value in al
    xor cx,cx               ; cl = 0 before the call
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, cl == al; otherwise something else answered
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
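As an added example (not part of this text, and not code from Haspinst.exe, Stone's archive or any other program named above), here is a small static signature scanner in C for the instruction sequences quoted in Methods 01 to 07 and in Method 12: an analyst can run it over a file image to learn which SoftICE checks a binary carries before tracing it. The byte patterns are the encodings of the instructions shown in those methods (16-bit code for the DOS ones, 32-bit code for the 'BCHK' and VxDCall ones); the sample buffer is constructed here and does not come from any real file.

```c
/* Static signature scanner for the SoftICE checks quoted in Methods 01-07
 * and 12. Added example: the signatures are the instruction encodings of
 * the snippets above, and SAMPLE is a constructed buffer, not a real file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} Signature;

/* Method 01 (32-bit code): mov ebp,4243484Bh ('BCHK') */
static const uint8_t SIG_BCHK[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02 (16-bit code): mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t SIG_BACKDOOR[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };
/* Method 03 (16-bit code): mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t SIG_VXD_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04 (16-bit code): mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const uint8_t SIG_VXD_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05 (16-bit code): mov ax,4Fh / int 41h */
static const uint8_t SIG_INT41[]      = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h / int 68h */
static const uint8_t SIG_INT68[]      = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 12 (32-bit code): push 4Fh / push 002A002Ah just before the VxDCall */
static const uint8_t SIG_VXDCALL[]    = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

static const Signature SIGS[] = {
    { "Method 01: BoundsChecker 'BCHK' int 3 check",      SIG_BCHK,       sizeof SIG_BCHK },
    { "Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",  SIG_BACKDOOR,   sizeof SIG_BACKDOOR },
    { "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",    SIG_VXD_SICE,   sizeof SIG_VXD_SICE },
    { "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",  SIG_VXD_SIWVID, sizeof SIG_VXD_SIWVID },
    { "Method 05: int 41h function 4Fh",                  SIG_INT41,      sizeof SIG_INT41 },
    { "Method 07: int 68h function 43h",                  SIG_INT68,      sizeof SIG_INT68 },
    { "Method 12: VxDCall VWIN32_Int41Dispatch 4Fh",      SIG_VXDCALL,    sizeof SIG_VXDCALL },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf[0..n) for every signature. Bit i of the result is set when SIGS[i]
 * occurs at least once; first_off[i] receives the offset of its first hit,
 * or -1 when it is absent. These are exact byte matches: a production scanner
 * would also tolerate operand-size prefixes and register renaming, which is
 * deliberately left out here to keep the patterns readable. */
unsigned scan_for_softice_checks(const uint8_t *buf, size_t n, long first_off[NSIGS])
{
    unsigned mask = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        first_off[i] = -1;
        for (size_t off = 0; SIGS[i].len <= n && off + SIGS[i].len <= n; off++) {
            if (memcmp(buf + off, SIGS[i].bytes, SIGS[i].len) == 0) {
                mask |= 1u << i;
                first_off[i] = (long)off;
                break;
            }
        }
    }
    return mask;
}

/* Constructed sample (not a real file): filler, then a Haspinst-style
 * Method 02 sequence (mov ax,0911h / mov dx,[bx] / mov si / mov di / int 3 /
 * add bx,2 / inc cx), then the Method 05 probe (mov ax,4Fh / int 41h /
 * cmp ax,0F386h / jz). */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0x83, 0xC3, 0x02, 0x41,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x00,
};

int main(void)
{
    long off[NSIGS];
    unsigned hits = scan_for_softice_checks(SAMPLE, sizeof SAMPLE, off);
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & (1u << i))
            printf("offset %ld: %s\n", off[i], SIGS[i].name);
    return hits ? 1 : 0;   /* non-zero exit code = anti-debug check present */
}
```

On the constructed sample the scanner reports the Method 02 back door at offset 10 and the int 41h probe at offset 21; the BPX conditions given with each method remain the dynamic counterpart of these static hits.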
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
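To make the two DR7 values above readable, here is an added example (not part of this text) that decodes a DR7 value into its fields using the bit layout from the Intel SDM: bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 is LE, bit 9 is GE, bit 10 is reserved and reads as 1, bit 13 is GD, and bits 16-31 hold the R/Wn and LENn pairs for DR0..DR3. So 0x400 is just the reserved bit, and 0x700 is the reserved bit plus LE and GE with no breakpoint armed. Reading DR7 itself needs ring 0 exactly as the text says; this code only interprets a value you already have. The third sample value is constructed.

```c
/* DR7 decoder for the values quoted in Method 10. Added example, not part of
 * the original text. Bit layout per the Intel SDM (see the lead-in). */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local[4], global[4];   /* Ln / Gn enable bits for DR0..DR3 */
    int rw[4];                 /* 0 = exec, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len[4];                /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (64-bit) */
    int le, ge, gd;            /* local exact, global exact, general detect */
    int reserved_bit10;        /* reads as 1 on a real CPU */
} Dr7;

Dr7 decode_dr7(uint32_t dr7)
{
    Dr7 d = {{0}};
    for (int i = 0; i < 4; i++) {
        d.local[i]  = (dr7 >> (2 * i))      & 1;
        d.global[i] = (dr7 >> (2 * i + 1))  & 1;
        d.rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints armed: each SoftICE BPM occupies one. */
int dr7_armed_count(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (d.local[i] || d.global[i]);
    return n;
}

/* The classification Method 10 describes a ring-0 probe making: DRn in use,
 * or the 0x700 pattern (LE/GE set, nothing armed), or the idle 0x400 value. */
const char *classify_dr7(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    if (dr7_armed_count(dr7) > 0) return "hardware breakpoints armed";
    if (d.le || d.ge)             return "LE/GE set, no breakpoints (0x700 pattern)";
    return "idle (0x400 pattern)";
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_names[]  = { "exec", "write", "io", "rw" };
    static const char *len_names[] = { "1", "2", "8", "4" };
    Dr7 d = decode_dr7(dr7);
    printf("DR7 = 0x%08x: %s\n", dr7, classify_dr7(dr7));
    for (int i = 0; i < 4; i++)
        if (d.local[i] || d.global[i])
            printf("  DR%d: %s%s %s, len %s\n", i,
                   d.local[i] ? "L" : "", d.global[i] ? "G" : "",
                   rw_names[d.rw[i]], len_names[d.len[i]]);
}

int main(void)
{
    print_dr7(0x400);       /* idle value from Method 10 */
    print_dr7(0x700);       /* loaded with the SoftICE loader, per Method 10 */
    print_dr7(0x000D0401);  /* constructed: DR0 local enable, 4-byte write watchpoint */
    return 0;
}
```

The decoder also explains the warning at the top of the method: a BPM you left set shows up as an armed DRn with its R/W and LEN fields, so a program that reads the registers sees the breakpoint even when SoftICE itself is hidden.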
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
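The two breakpoint conditions from Methods 11 and 13 (CreateFileA on the device name, _regopenkey on the subkey) translate directly into C, which is handy when you would rather filter an API hook or an API-call trace than sit on a breakpoint. The following is an added example, not code from MeltICE, nmtrans.dll or any program named above, and the call log it runs over is constructed. It also makes the magic offsets explicit: esp->4+4 skips the "\\.\" prefix of the device name, and 0x13 / 0x37 are where "tICE" falls in key #2 and key #1 respectively.

```c
/* C equivalents of the SoftICE breakpoint conditions quoted in Methods 11
 * and 13. Added example; the sample call log below is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's  *(p)=='SICE'  compares the four bytes at p with "SICE" in
 * memory order. Returns 0 if the string ends before four bytes are
 * available, so a short or empty argument cannot cause an over-read. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    if (s == NULL || strlen(s) < off + 4) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so the
 * tag is the first four characters of the device name. */
int is_softice_device_open(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE")
        || tag_at(lpFileName, 4, "SIWV")
        || tag_at(lpFileName, 4, "NTIC");
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument, lpSubKey. Offset 0x13 is where "tICE" falls in
 * "Software\NuMega\SoftICE" (key #2), 0x37 where it falls in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int is_softice_registry_probe(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* One logged API call: which API and its string argument. */
typedef struct { const char *api; const char *arg; } Call;

/* Apply the two filters to a call log; returns how many calls were probes. */
int count_softice_probes(const Call *calls, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        int probe = 0;
        if (strcmp(calls[i].api, "CreateFileA") == 0)
            probe = is_softice_device_open(calls[i].arg);
        else if (strcmp(calls[i].api, "RegOpenKeyA") == 0)
            probe = is_softice_registry_probe(calls[i].arg);
        if (probe) {
            hits++;
            printf("SoftICE probe: %s(\"%s\")\n", calls[i].api, calls[i].arg);
        }
    }
    return hits;
}

/* Constructed call log (not captured from any real program). */
static const Call SAMPLE_CALLS[] = {
    { "CreateFileA", "\\\\.\\SICE" },
    { "CreateFileA", "\\\\.\\SIWVID" },
    { "CreateFileA", "C:\\Program Files\\app\\data.bin" },
    { "RegOpenKeyA", "Software\\NuMega\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" },
};
#define NCALLS (sizeof SAMPLE_CALLS / sizeof SAMPLE_CALLS[0])

int main(void)
{
    int hits = count_softice_probes(SAMPLE_CALLS, NCALLS);
    printf("%d of %u calls were SoftICE probes\n", hits, (unsigned)NCALLS);
    return 0;
}
```

Four of the six constructed calls are flagged. The one worth noticing is the last: key #3 (App Paths\Loader32.Exe) is not matched, because the breakpoint condition above only tests "tICE" at the two offsets of keys #1 and #2; anyone relying on that BPX to catch every registry probe needs a separate condition for key #3.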
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>