About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This detection method (like the next one) is used by the majority of the
packers/encryptors found on the Internet. It looks for the BoundsChecker
interface built into SoftICE: with EBP holding the 'BCHK' magic and AX = 4,
SoftICE's int 3 handler answers by changing AL, so an AL still equal to 4
after the int 3 means no SoftICE is resident.

    mov     ebp, 04243484Bh        ; 'BCHK', BoundsChecker magic
    mov     ax, 04h                ; sub-function 4
    int     3                      ; taken over by SoftICE when it is loaded
    cmp     al,4                   ; AL untouched -> nobody answered
    jnz     SoftICE_Detected

(Without SoftICE the int 3 is a plain breakpoint exception, so a Win32
program has to wrap it in an exception handler to survive the check.)

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT, which reboots the machine from inside SoftICE...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; DS:DX points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. A protected program that reaches
this loop with SoftICE resident therefore takes the whole system down.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID through int 2Fh,
function 1684h (Get Device API Entry Point): if a VxD with that ID is
loaded, ES:DI comes back pointing at its API entry point; otherwise the
zeroed ES:DI is left untouched.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; cheap "is ES:DI non-zero" test,
    test    ax,ax                   ; not a real address computation
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks up the ID of the
SoftICE graphics (video) VxD, SIWVID.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (the Windows debugger
installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; answered by a system debugger
    jz      SoftICE_detected


The next one and the one in Method 06 are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first replaces the int 41h vector in
the real-mode IVT (segment 0) with a plain IRET, so that AX can only come
back as 0F386h if a debugger intercepted int 41h before it reached the
real-mode vector, whatever that vector normally points to:

    xor     ax,ax
    mov     es,ax                   ; ES -> real-mode IVT (segment 0); needed
                                    ; before the xchg, as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old
    xchg    bx, es:[41h*4+2]        ; vector in DX (offset) and BX (segment)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; leaves AX untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to spot: instead
of the telltale AX = 4Fh, it reads a changing byte from the timer port
(in al,40h) and checks whether its own int 41h handler got to see it. If
SoftICE intercepts int 41h the handler is never called, CL stays 0 and the
compare fails. (A counter byte that happens to be 0 gives a false negative,
which the code does not guard against.)

int41handler PROC
    mov     cl,al                   ; only runs if nobody hijacked int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES -> real-mode IVT (segment 0)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value: PIT counter 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h is
the Soft-ICE installation check, answered with AX = 0F386h.

    mov     ah,43h                  ; installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can catch it
   in a 32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection of SoftICE but a way to crash the system: it intercepts
int 01h (single step) and int 03h (breakpoint) and redirects them to
another routine. It calls int 21h functions 35h/25h (get/set interrupt
vector) with DS:DX pointing to the new routine to execute (hangs the
computer...).

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h (single step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app through the VxDCall
back door). The VMM Get_DDB service tells whether a VxD is installed for
the given device ID and returns its Device Description Block (in ECX) if
it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
   mov     edi, Device_Name ; only used if no VxD ID is given (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (possible in
ring 0 only; a MOV from DRx faults in ring 3) you can detect whether SoftICE
is loaded (DR7 = 0x700 if the program was started with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3 hold
the BPM addresses, DR7 their enable bits) simply by reading their values.
The values can be manipulated or changed as well (clearing the BPMs, for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
themselves, to let Symbol Loader check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. The open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE Win9x VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to let its
handle be opened, and so gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old Win16-style _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
which the INC EAX turns into 0):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 -> 0 : open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is lpSubKey, the second argument; offsets 0x13 and 0x37 are where
"tICE" sits in "Software\NuMega\SoftICE" and in key #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). It returns with the zero flag clear if one is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
: K) ?2 N( x  w# x( Y% b</PRE></TD></TR></TBODY></TABLE>