<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It looks for the
BoundsChecker interface inside SoftICE: with EBP set to the 'BCHK'
signature and AX=4, the INT 3 is answered by SoftICE, which changes AL
(so AL != 4 afterwards) only when it is present.

        mov ebp, 04243484Bh    ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It relies
on the SoftICE 'back door' commands reached through INT 3, which give
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095  MOV  AX,0911    ; execute command.
 4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A  MOV  SI,4647    ; 1st magic value.
 4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
 4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
 4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
 4C19:00A4  INC  CX
 4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
 4C19:00A8  JB   0095       ; 6 different commands.
 4C19:00AA  JMP  0002       ; Bad_Guy jumps back.
 4C19:00AD  MOV  BX,SP      ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get Device API Entry Point). ES:DI is left at zero when no VxD with that
ID is loaded, so a non-zero ES:DI means SoftICE is present.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh          ; VxD ID of SIWVID
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls INT 41h, function 4Fh (debugger installation
check). There are several variants; the following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next example, like the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is temporarily
pointed at a dummy IRET handler before the call, so anything hooked through
the interrupt vector table is bypassed; SoftICE still answers 0F386h:

        xor ax, ax
        mov es, ax             ; ES = 0 (IVT segment; the original snippet assumes it)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]    ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]    ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:
there is no 4Fh/0F386h constant to spot. A pseudo-random byte (read from
the timer port 40h) is passed through INT 41h; the dummy handler copies AL
into CL, so CL == AL afterwards unless SoftICE handled the interrupt itself
and the handler was never reached (CL stays 0).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h             ; pseudo-random byte from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX Exec_Int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number     ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for
the specified device and returns its Device Description Block (in ECX) if
it is.

        mov eax, Device_ID     ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect if SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or if memory breakpoints are set
(DR0 to DR3). The values can be manipulated or changed as well (clearing
BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by the NuMega people to let
Symbol Loader check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft load
or unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag, so the
handle can be opened and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067:  push 00402025          ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001          ; INVALID_HANDLE_VALUE
    00401074:  je   00401091

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
            ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
            ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov  eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                   ; HFILE_ERROR (-1) becomes 0
    jnz  00650589              ; detected
    push 00                    ; OF_READ
    mov  eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (codes
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh         ; function 4Fh
        push 002A002Ah         ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001 ; VxDCall
        cmp ax, 0F386h         ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 'tICE'
sits at offset 0x13 in "Software\NuMega\SoftICE" and at offset 0x37 in the
Uninstall key):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service just checks a flag; the Zero flag is set on return when
no debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed
</PRE></TD></TR></TBODY></TABLE> |