About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is no longer 4 once SoftICE has handled the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
SoftICE's 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken via an exception handler (SEH) if the debugger is not loaded.
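The footnote above (the "good guy" path is reached through an exception handler when no debugger owns INT 3) is the part of Methods 01 and 02 that still carries over to a modern host: the probe executes INT 3 and decides by whether the trap came back to the program. The following is an added example, not code from the original text or from any protector it mentions: a Linux C probe that installs its own SIGTRAP handler, executes INT 3, and reports a debugger if the trap never reached that handler. The function name and the reliance on gdb's default of not forwarding SIGTRAP to the debuggee are assumptions of this example.

```c
/* Added example (not from the original text): the INT 3 probe of Methods
 * 01 and 02, reduced to its exception-handler path and rebuilt for a modern
 * Linux process. It does not use SoftICE's BCHK or SI/DI magic values; it
 * only asks whether the breakpoint trap comes back to the program's own
 * handler (no debugger) or is intercepted by a tracer (debugger present). */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the SIGTRAP handler. A ptrace-based debugger is notified of the
 * trap first and, with gdb's default "handle SIGTRAP nopass", never
 * forwards it, so the flag stays 0 while such a debugger is attached.
 * (Assumption of this example: the tracer behaves like gdb here.) */
static volatile sig_atomic_t trap_reached_handler;

static void on_sigtrap(int sig)
{
    (void)sig;
    trap_reached_handler = 1;
    /* Returning resumes at the instruction after INT 3, the same way an
     * unhooked INT 3 vector (a plain IRET) let the DOS checks fall through. */
}

/* Returns 0 when the trap reached our handler (no debugger), 1 when it was
 * swallowed (debugger present), -1 if the handler could not be installed. */
int debugger_present_int3(void)
{
    struct sigaction sa, old;

    trap_reached_handler = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("int3");   /* opcode CCh: the same INT 3 as the listings above */
#else
    raise(SIGTRAP);             /* non-x86 host: same signal without the instruction */
#endif

    sigaction(SIGTRAP, &old, NULL);   /* put the previous disposition back */
    return trap_reached_handler ? 0 : 1;
}

int main(void)
{
    int r = debugger_present_int3();
    printf("INT 3 probe: %s\n",
           r == 1 ? "debugger detected" :
           r == 0 ? "no debugger" : "could not install handler");
    return 0;
}
```

Build with `cc -o int3probe int3probe.c`; run it plain and it reports no debugger, run it under gdb and it reports one. A tracer that forwards SIGTRAP to the debuggee (strace does) is not caught, so, like the int 41h/4Fh checks later on this page, the probe tests one debugger convention rather than the presence of a debugger as such.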
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one except that it looks for the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (the IVT), as Method 06 sets explicitly
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler, saving the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; plain IRET: with no debugger in the way, ax is left untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect:

int41handler PROC
    mov     cl,al                   ; only reached if nothing intercepts int 41h ahead of the IVT
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran -> cl == al; intercepted -> cl still 0
    jnz     SoftICE_detected

(If the timer happens to read 0, cl equals al either way and the check gives
a false negative.)

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


+ k8 {# Z, q3 e2 P$ q+ X5 gMethod 083 m0 z9 L' P0 u' c0 Z1 C5 f5 _
=========
! ^2 j) R+ z. z/ m- S* n4 ^4 ~$ H# G9 A' T; t
It is not a method of detection of SoftICE but a possibility to crash the5 s& k* W+ I* B/ l5 t0 e
system by intercepting int 01h and int 03h and redirecting them to another. k1 E' E( Y( Y6 n- [+ `
routine.: w6 H8 [+ r3 N: B: t) g
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points" ]9 s9 v9 \: [" B
to the new routine to execute (hangs computer...)) h$ p# b% h9 Z. J

* X) Q% E) o8 H  c    mov     ah, 25h
8 Y  C- ^, |! l, j+ l+ O5 \* U    mov     al, Int_Number (01h or 03h)* r& n8 \# Y5 K3 R& {
    mov     dx, offset New_Int_Routine1 M: i' q) t5 v5 e* ]/ N5 R
    int     21h3 {  {7 H4 t0 ^7 X$ Z  ?
! Z7 n/ ~; k) n6 e8 S$ |
__________________________________________________________________________. p+ b) H  Q5 K3 l5 ]& Q3 }" k
  x( u1 Z3 {  y8 O* T
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega's people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 forum (鲁ICP备19052200号-1), Discuz! X5.0