About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler (a lone iret): without a debugger ax simply stays 4fh,
while SoftICE, which intercepts the interrupt below the vector table, still
answers 0F386h:

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install dummy handler, save old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; dummy handler: copy al to cl and return
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install dummy handler, save old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value (timer counter) as the probe
    xor     cx,cx
    int     41h             ; our handler sets cl=al; a debugger that
                            ; intercepts int 41h does not
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
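Added example (not part of the original post): a small Python scanner that
looks for the machine-code constants Methods 01 to 07 cannot avoid embedding
(the 'BCHK' value, the 4647h/4A4Dh back-door magic, the 1684h lookups with
bx=0202h/7A5Fh, int 41h/4Fh, int 68h/43h and the cmp ax,0F386h) in raw x86
code, so an analyst can locate these checks statically before single-stepping
into them. The signature table, the byte windows between instructions and the
sample bytes (hand-assembled 16-bit and 32-bit encodings of the snippets
above) are my own assumptions, not something the post provides.

```python
"""Static scanner for the interrupt-based anti-SoftICE checks (Methods 01 to 07).

Added example, not from the post. Patterns are byte regexes over raw x86 code;
the SAMPLE bytes are hand-assembled for the demonstration.
"""
import re
import sys
from typing import List, Tuple

# Each entry: (label, compiled byte regex). An optional 0x66 operand-size prefix
# lets both the 16-bit and the 32-bit encodings of "mov r16, imm16" match.
SIGNATURES = [
    # Method 01: mov ebp, 04243484Bh ('BCHK') followed by int 3 / int 03h
    ("M01 BoundsChecker 'BCHK' signature (mov ebp,4243484Bh ; int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Method 02: magic values SI=4647h and DI=4A4Dh in either order, then int 3
    ("M02 int 3 back door (mov si,4647h ; mov di,4A4Dh ; int 3)",
     re.compile(rb"(?:\x66?\xBE\x47\x46.{0,12}?\x66?\xBF\x4D\x4A"
                rb"|\x66?\xBF\x4D\x4A.{0,12}?\x66?\xBE\x47\x46)"
                rb".{0,12}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Methods 03/04: mov bx, 0202h (SICE) or 7A5Fh (SIWVID) shortly before int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry-point lookup (bx=0202h or 7A5Fh)",
     re.compile(rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax, 4Fh ... int 41h
    ("M05 int 41h/4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    # Method 06 variant: in al,40h (timer port) ... int 41h, no function number
    ("M06 int 41h variant with in al,40h",
     re.compile(rb"\xE4\x40.{0,8}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah, 43h ; int 68h
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    # cmp ax, 0F386h: the magic number shared by Methods 05, 07 and 12
    ("magic number comparison (cmp ax,0F386h)",
     re.compile(rb"\x66?\x3D\x86\xF3", re.DOTALL)),
]


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature found, ordered by offset.

    The offset is that of the first instruction the pattern matched (for M02
    that is the mov si / mov di, not the preceding mov ax).
    """
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(code):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample: hand-assembled encodings of the snippets shown in the post,
# separated by NOPs (M01 in 32-bit code, the others in 16-bit code).
SAMPLE = bytes.fromhex(
    "90 90 "
    "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10 "                      # M01
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC 83 C3 02 41 83 F9 06 72 EB "  # M02
    "33 FF 8E C7 B8 84 16 BB 02 02 CD 2F 8C C0 03 C7 85 C0 75 20 "     # M03
    "B8 4F 00 CD 41 3D 86 F3 74 30 "                                   # M05
    "B4 43 CD 68 3D 86 F3 74 40 "                                      # M07
    "90 90"
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"0x{offset:06X}  {label}")
```

The byte windows between the instructions are kept short on purpose: a
3-byte immediate such as cmp ax,0F386h will occur by chance in large
binaries, so a hit is a place to disassemble and confirm, not proof of the
trick by itself, and the lone "magic number" pattern is the weakest of the
set.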
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
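Added example (not part of the original post) covering Methods 11, 12 and 13
together: a Python scanner that looks through a file for the SoftICE device
names of the MeltICE trick and the NuMega registry paths, as ASCII and as
UTF-16LE (for the W variants of CreateFile/RegOpenKey) and case-insensitively,
plus the push 4Fh / push 2A002Ah pair that precedes the VxDCall of Method 12.
The name lists, the byte patterns and the constructed sample data are my own
assumptions; the only values taken from the post are the device names, the
registry paths and the 4Fh/002A002Ah constants.

```python
"""Scanner for MeltICE device-name probes, VxDCall int 41h/4Fh and registry probes.

Added example, not from the post. The SAMPLE bytes are constructed for the
demonstration.
"""
import re
import sys
from typing import List, Tuple

# Device names opened by the MeltICE trick (Method 11).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
# Registry paths probed by Method 13 (tail of keys #1, #2 and #3).
REGISTRY_PATHS = [
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"CurrentVersion\App Paths\Loader32.Exe",
]
# Method 12: push 4Fh (imm8 or imm32 encoding) immediately followed by push 002A002Ah.
VXDCALL_INT41 = re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")


def _encodings(text: str):
    """Byte regexes for `text` as ASCII and as UTF-16LE; IGNORECASE covers ASCII letters."""
    return [
        ("ascii", re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)),
        ("utf-16le", re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)),
    ]


def scan_strings(data: bytes) -> List[Tuple[int, str, str, str]]:
    """Return (offset, category, name, encoding) for every hit, ordered by offset."""
    hits = []
    for category, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for name in names:
            for encoding, pattern in _encodings(name):
                for match in pattern.finditer(data):
                    hits.append((match.start(), category, name, encoding))
    for match in VXDCALL_INT41.finditer(data):
        hits.append((match.start(), "vxdcall", "push 4Fh ; push 2A002Ah", "code"))
    return sorted(hits)


# Constructed sample: an ASCII device name as in the C snippet, a UTF-16LE one as a
# CreateFileW caller would store it, the Method 12 push pair, and registry key #2
# in a different letter case.
SAMPLE = (
    b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE\x00".encode("utf-16-le")
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"
    + b"SOFTWARE\\NuMega\\SoftICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, category, name, encoding in scan_strings(data):
        print(f"0x{offset:06X}  {category:8}  {name}  ({encoding})")
```

A string hit tells you the check is present but not where it runs; the
usual next step is to find the cross-reference to the string and set the
CreateFileA / _regopenkey breakpoints given above on that call site rather
than on every call in the process.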

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.