<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce command - the command string is at ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911     ; execute command.
        4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV SI,4647     ; 1st magic value.
        4C19:009D  MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB 0095         ; 6 different commands.
        4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
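To see what the dr7 values quoted above actually encode, here is an added Python example (not part of the original text) that decodes DR7 into its global flags and the four per-slot breakpoint settings, the way an analyst reads the register when a protector inspects it. The bit layout is the documented IA-32 one; the 0x400/0x700 values are the ones the text gives, and the breakpoint state passed in at the end is constructed for illustration.

```python
# Added example, not from the original page: decode the DR7 debug control
# register as a protector (Method 10) or an analyst would read it.

DR7_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
DR7_LEN = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN encoding: 00=1, 01=2, 11=4, 10=8 (64-bit only)


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four per-slot breakpoint settings."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/W0..3: 2 bits each from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LEN0..3: 2 bits each from bit 18
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "type": DR7_RW[rw],
            "length": DR7_LEN[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),           # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),           # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),          # general detect: traps MOV to/from DRx
        "slots": slots,
    }


def active_breakpoints(dr0, dr1, dr2, dr3, dr7):
    """Return (slot, address, type, length) for every enabled hardware breakpoint."""
    addrs = (dr0, dr1, dr2, dr3)
    info = decode_dr7(dr7)
    return [
        (s["slot"], addrs[s["slot"]], s["type"], s["length"])
        for s in info["slots"] if s["enabled"]
    ]


if __name__ == "__main__":
    # The two values quoted in the text: 0x400 is only the always-set bit 10,
    # 0x700 additionally carries LE and GE.
    for v in (0x400, 0x700):
        d = decode_dr7(v)
        on = [s["slot"] for s in d["slots"] if s["enabled"]]
        print(f"dr7={v:#x}: LE={d['LE']} GE={d['GE']} enabled slots={on}")
    # Constructed state: one BPM-style read/write breakpoint, 4 bytes long,
    # at 0x00401000 in slot 0 (L0 set, R/W0=11, LEN0=11).
    print(active_breakpoints(0x00401000, 0, 0, 0, 0xF0401))
```

With no breakpoints armed the only difference between the two quoted values is the LE/GE pair, which is why reading dr7 alone tells the protector how the program was started; the per-slot decode is what reveals the BPMs the text says can also be read out.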
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

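The same check seen from the analyst's side, as an added example that is not part of the original page: a Python script that applies the logic of the classic breakpoint above (compare the 4 bytes after the "\\.\" prefix with 'SICE', 'SIWV' and 'NTIC') to a constructed API-monitor style log of CreateFileA and _lopen calls. The log format and every line in it are made up for this example; the device names and the -1 (INVALID_HANDLE_VALUE / HFILE_ERROR) test are the ones from the text.

```python
import re

# Added example, not from the original page: find MeltICE-style probes
# (Method 11) in a constructed API-monitor style log.

DEVICE_PREFIX = "\\\\.\\"                 # the literal characters  \\.\
SOFTICE_TAGS = {"SICE", "SIWV", "NTIC"}  # SICE, SIWVID, NTICE cut to 4 chars, as in the BPX
INVALID_HANDLE = 0xFFFFFFFF              # INVALID_HANDLE_VALUE / HFILE_ERROR (-1)

# Constructed log lines in a made-up monitor format; not output of any real tool.
SAMPLE_LOG = r"""
pid=1204 CreateFileA(lpFileName="C:\Program Files\app\config.ini", dwDesiredAccess=0x80000000) -> 0x000000A4
pid=1204 CreateFileA(lpFileName="\\.\SICE", dwDesiredAccess=0xC0000000) -> 0xFFFFFFFF
pid=1204 CreateFileA(lpFileName="\\.\SIWVID", dwDesiredAccess=0xC0000000) -> 0x00000078
pid=1204 _lopen(lpPathName="\\.\NTICE", iReadWrite=0x0) -> 0xFFFFFFFF
pid=1204 CreateFileA(lpFileName="\\.\PhysicalDrive0", dwDesiredAccess=0x80000000) -> 0x0000007C
"""

LINE_RE = re.compile(
    r'pid=(\d+)\s+(CreateFileA|_lopen)\((?:lpFileName|lpPathName)="([^"]*)"'
    r'.*?->\s*0x([0-9A-Fa-f]+)'
)


def softice_device_tag(path):
    """Return the 4-char tag after the device prefix if it names a SoftICE driver, else None."""
    if not path.startswith(DEVICE_PREFIX):
        return None
    tag = path[len(DEVICE_PREFIX):len(DEVICE_PREFIX) + 4]   # same offset as *(esp->4+4)
    return tag if tag in SOFTICE_TAGS else None


def find_softice_probes(log):
    """Flag every open of a SoftICE device name and whether the driver answered."""
    hits = []
    for m in LINE_RE.finditer(log):
        pid, api, path, ret = m.groups()
        tag = softice_device_tag(path)
        if tag is None:
            continue
        hits.append({
            "pid": int(pid),
            "api": api,
            "path": path,
            "tag": tag,
            # A handle other than -1 means the VxD/driver answered, which is
            # exactly what the probing program treats as "SoftICE detected".
            "driver_answered": int(ret, 16) != INVALID_HANDLE,
        })
    return hits


if __name__ == "__main__":
    for h in find_softice_probes(SAMPLE_LOG):
        verdict = "detected" if h["driver_answered"] else "not present"
        print(f"pid {h['pid']}: {h['api']} on {h['path']} -> SoftICE {verdict}")
```

The \\.\PhysicalDrive0 line is there on purpose: opening a device name is not suspicious by itself, it is the SoftICE tag after the prefix that singles the probe out, exactly as the BPX condition does.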
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
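Added example, not from the original page: a small static scanner that looks for the byte encodings of the interrupt/register tricks of Methods 01-07 and Method 12 above, the triage check an analyst runs on a packed sample before stepping into it with a debugger. The signatures are the standard x86 encodings of the instructions shown in the text (assumption: 16-bit operand forms, with an optional 0x66 prefix accepted on the `cmp ax,imm16`; a prefixed 32-bit `mov si,imm16` still matches because the prefix precedes the pattern), and the sample byte string is constructed, not taken from any real binary.

```python
import re

# Added example, not from the original page: byte signatures for the
# anti-SoftICE tricks of Methods 01-07 and 12, scanned over a constructed blob.

SIGNATURES = {
    "Method 01: mov ebp,'BCHK' BoundsChecker int3 probe":
        rb"\xBD\x4B\x48\x43\x42",                       # mov ebp, 4243484Bh
    "Method 02: SI=4647h/DI=4A4Dh SoftICE back door via int 3":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",  # mov si / mov di / int 3
    "Method 03/04: int 2Fh/1684h with bx=0202h (SICE) or 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "Method 05: mov ax,4Fh ... int 41h debugger check":
        rb"\xB8\x4F\x00.{0,16}?\xCD\x41",                # mov ax,4Fh ... int 41h
    "Method 06 (weak): bare int 41h, function code not set via mov ax":
        rb"\xCD\x41",                                    # int 41h
    "Method 07: mov ah,43h / int 68h V86 WinICE handler check":
        rb"\xB4\x43\xCD\x68",                            # mov ah,43h / int 68h
    "Method 12: push 4Fh / push 2A002Ah VxDCall Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                # push 4Fh / push 002A002Ah
    "0F386h magic compare (cmp ax,0F386h)":
        rb"\x66?\x3D\x86\xF3",                           # [66] cmp ax, 0F386h
}


def scan(blob):
    """Return (offset, description) pairs for every signature found, sorted by offset."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed blob: Method 01, then a Haspinst-style Method 02 sequence, then Method 05.
SAMPLE = (
    b"\x90\x90"                     # nop; nop
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"           # mov ax, 4 (32-bit code, hence the prefix)
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x00" * 6                   # filler
    + b"\xB8\x11\x09"               # mov ax, 0911h
    + b"\x8B\x17"                   # mov dx, [bx]
    + b"\xBE\x47\x46"               # mov si, 4647h
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh
    + b"\xCC"                       # int 3
    + b"\x00" * 6                   # filler
    + b"\xB8\x4F\x00"               # mov ax, 4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
    + b"\x74\x02"                   # jz SoftICE_detected
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

The Method 06 entry is deliberately weak: as the text notes, that variant reads the port and never loads 4Fh into ax, so only the `int 41h` opcode itself is left to match, and on its own it will also fire on the Method 05 sequence. Treat it as a hint to look at the surrounding code rather than a verdict.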
/ O" d/ _) b! n3 F0 ], D
$ P5 Y3 a& S. y2 a7 {$ `__________________________________________________________________________
" N. G$ s5 S) p6 a* Z; I n6 u0 ?2 {: {5 i* ^5 @
Method 13( E. Y9 N- [7 A- l5 }% h* y5 r/ q
=========
8 H7 D0 e6 ]- l# w
2 y! z6 q8 d9 N+ P8 i5 M2 [% r5 Q! SNot a real method of detection, but a good way to know if SoftICE is
4 q8 }& X( q# }. X0 J% sinstalled on a computer and to locate its installation directory.3 V4 ]$ v! \% B# A: M
It is used by few softs which access the following registry keys (usually #2) :
. Y/ v2 R$ y2 e7 F
9 n8 j+ y; W+ Q* q' N-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion4 C, ~8 j0 A. E
\Uninstall\SoftICE
: R; k. F+ F, d J% N9 c( S-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 |! k, Q6 ^, f8 H-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion* J3 N$ ~+ |, t& J; ?' |" ]
\App Paths\Loader32.Exe
" g0 {: w+ J4 ^# K, _
: E5 K$ t6 [! }- s
5 U0 A( s# @, s/ g9 _3 V4 {Note that some nasty apps could then erase all files from SoftICE directory* m- g: G" @8 ^$ N8 q3 P2 z$ ^8 _/ K
(I faced that once :-(- N' u5 p/ a' r; [+ t- H% [& @
- I5 `& b5 d+ [( q+ f; i' \Useful breakpoint to detect it:
: N. J+ h, r! U7 ]9 T! H( F) D. O7 x. `6 {$ h: W" y* K) e
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'5 d7 [6 E+ X h! t3 @
6 Y9 X2 s4 ^" \/ L {__________________________________________________________________________1 [7 k: }1 W7 L! E; K: z5 o) T
/ R; ^; m4 p6 |8 J E+ `; o( S+ f1 V4 J/ `9 q0 Y9 ~" F; W
Method 14 / e! e9 [% i6 d7 k5 `2 T, S$ y
=========$ _3 D) R; w5 M. [
0 ^) @, f/ A7 I" e5 @& F4 `4 RA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
- u3 J3 q, i/ A1 W6 \5 t- R1 ]is to determines whether a debugger is running on your system (ring0 only).
) k+ r, s/ X& r! E/ U- Z' b& i' ]$ Y) L5 L+ y! g8 I4 Z0 \
VMMCall Test_Debug_Installed( E& `; v3 D3 t
je not_installed
: F" d _& j' q) p" _' @7 G/ n: n2 s
This service just checks a flag.' {6 M" a$ d1 Y& L' x O8 o
</PRE></TD></TR></TBODY></TABLE> |