About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the program issues the
BoundsChecker interface probe (EBP='BCHK', AX=4) on INT 3; if SoftICE is
present it services the call and AL no longer holds 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; with no debugger to service it this raises
                                   ; a breakpoint exception, so real code wraps
                                   ; the probe in its own INT 3 handler / SEH
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE the INT 3 faults and the handler
  resumes at 00ADh; with SoftICE loaded the interrupt returns normally and
  the loop feeds it the six commands, the last of which (HBOOT) is a hard
  reboot.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"): if the VxD is loaded, ES:DI receives a
non-zero entry point; since ES:DI is zeroed beforehand, ES+DI != 0 means the
VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both temporarily replace the int 41h vector
(at 0000:0104h) with a local handler that does nothing, so the only way AX
can come back as 0F386h is a debugger such as SoftICE, which intercepts the
interrupt below the V86 level and not through the real-mode vector:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
because it uses neither function 4Fh nor the magic value: a pseudo-random
byte (the PIT counter read from port 40h) is loaded in AL, CX is cleared and
int 41h is issued. If the local handler really runs, CL becomes a copy of
AL; if a debugger has swallowed the interrupt, CL stays 0 and differs from
AL (the check misses once in 256 runs, when AL happens to read 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
43h of that interface again returns the magic value 0F386h when a system
debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
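
The tricks of Methods 01 to 07 all leave fixed immediates in registers right
before an INT, which makes them easy to locate statically. The scanner below
is an added example and not code from the original post: it performs a linear
sweep over a flat 16-bit code buffer with a deliberately small decoder (it
knows the lengths of a handful of common instructions, tracks `mov reg, imm`,
and at every INT matches the tracked register state against the signatures
above; anything it cannot decode resets the tracked state). The sample bytes
are hand-assembled from the listings in this post, the Haspinst.exe loop
included, with placeholder jump displacements; they are constructed input,
not taken from a real file. Method 06 has no fixed immediate (AL comes from
port 40h) and is deliberately not matched.

```python
from dataclasses import dataclass
from typing import Optional

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]       # low 3 bits of B8h-BFh
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",   # Method 02 functions
            0x0912: "get breakpoint info", 0x0913: "set breakpoint",
            0x0914: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}                     # Methods 03/04
# Instruction lengths the sweep knows; ModRM forms are handled in _insn_len.
FIXED_LEN = {op: 2 for op in (0x04, 0x0C, 0x24, 0x2C, 0x34, 0x3C, 0xA8, 0xEB)}
FIXED_LEN.update({op: 2 for op in range(0x70, 0x80)})             # Jcc rel8
FIXED_LEN.update({op: 3 for op in (0x05, 0x0D, 0x25, 0x2D, 0x35, 0x3D, 0xA9, 0xE9)})
FIXED_LEN.update({op: 1 for op in range(0x40, 0x60)})             # inc/dec/push/pop r16
FIXED_LEN.update({op: 1 for op in (0x06, 0x07, 0x0E, 0x16, 0x17, 0x1E, 0x1F,
                                   0x90, 0xC3, 0xCF, 0xF8, 0xF9, 0xFA, 0xFB)})
MODRM_OPS = dict.fromkeys((0x01, 0x03, 0x09, 0x0B, 0x21, 0x23, 0x29, 0x2B, 0x31, 0x33,
                           0x39, 0x3B, 0x85, 0x89, 0x8B, 0x8C, 0x8E), 0)   # op r/m16, r16
MODRM_OPS.update({0x83: 1, 0x81: 2})                              # op r/m16, imm8/imm16

@dataclass
class Finding:
    offset: int   # offset of the INT instruction in the buffer
    method: str   # method number as used in the text above
    detail: str

def _modrm_len(b: int) -> int:
    """Bytes used by a 16-bit ModRM operand, the ModRM byte included."""
    mod, rm = b >> 6, b & 7
    if mod == 3:
        return 1
    return (3 if rm == 6 else 1) if mod == 0 else (2 if mod == 1 else 3)

def _insn_len(code: bytes, i: int) -> int:
    """Length of the instruction at i, or 0 when the decoder does not know it."""
    op = code[i]
    if op in FIXED_LEN:
        return FIXED_LEN[op]
    if op in MODRM_OPS and i + 1 < len(code):
        return 1 + MODRM_OPS[op] + _modrm_len(code[i + 1])
    return 0

def _r16(st: dict, reg: str) -> Optional[int]:
    lo, hi = st.get(reg + "l"), st.get(reg + "h")
    return None if lo is None or hi is None else (hi << 8) | lo

def _classify(off: int, vec: int, st: dict) -> Optional[Finding]:
    """Match the register state tracked up to an INT against the signatures."""
    ax, bx, si, di = (_r16(st, r) for r in ("ax", "bx", "si", "di"))
    if vec == 3 and st.get("ebp") == 0x4243484B and ax == 4:
        return Finding(off, "01", "INT 3, EBP='BCHK', AX=4: BoundsChecker interface probe")
    if vec == 3 and si == 0x4647 and di == 0x4A4D:
        axs = f"{ax:04X}h" if ax is not None else "?"
        return Finding(off, "02", f"INT 3, SI='FG', DI='JM': SoftICE back door, AX={axs} "
                                  f"({BACKDOOR.get(ax, 'unknown function')})")
    if vec == 0x2F and ax == 0x1684 and bx in VXD_IDS:
        return Finding(off, "03" if bx == 0x0202 else "04",
                       f"INT 2Fh/1684h: Get Device API Entry Point for {VXD_IDS[bx]} ({bx:04X}h)")
    if vec == 0x41 and ax == 0x4F:
        return Finding(off, "05", "INT 41h/4Fh: debugger installation check (expects AX=F386h)")
    if vec == 0x68 and st.get("axh") == 0x43:
        return Finding(off, "07", "INT 68h/AH=43h: WinICE handler check (expects AX=F386h)")
    return None

def scan(code: bytes) -> list:
    """Linear sweep over 16-bit code: track 'mov reg, imm', classify every INT."""
    st: dict = {}          # known register bytes ('axl', 'axh', ...) and 32-bit 'ebp'
    found, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x66 and i + 5 < len(code) and 0xB8 <= code[i + 1] <= 0xBF:   # mov r32, imm32
            st["e" + REG16[code[i + 1] & 7]] = int.from_bytes(code[i + 2:i + 6], "little")
            i += 6
        elif 0xB8 <= op <= 0xBF and i + 2 < len(code):                          # mov r16, imm16
            st[REG16[op & 7] + "l"], st[REG16[op & 7] + "h"] = code[i + 1], code[i + 2]
            i += 3
        elif 0xB0 <= op <= 0xB7 and i + 1 < len(code):                          # mov r8, imm8
            st[REG16[op & 3] + ("l" if op < 0xB4 else "h")] = code[i + 1]
            i += 2
        elif op == 0xCC or (op == 0xCD and i + 1 < len(code)):                  # INT 3 / INT n
            finding = _classify(i, 3 if op == 0xCC else code[i + 1], st)
            if finding:
                found.append(finding)
            st.clear()                     # registers are unknown after the INT returns
            i += 1 if op == 0xCC else 2
        else:
            n = _insn_len(code, i)
            if n == 0:                     # unknown opcode: resync byte by byte and drop
                st.clear()                 # the tracked state rather than misuse it
                n = 1
            i += n
    return found

# Constructed sample: hand-assembled 16-bit code for the snippets of Methods 01,
# 02 (the Haspinst.exe loop), 03, 05 and 07 between two benign DOS calls.
SAMPLE = bytes.fromhex(
    "B4 09 CD 21"                                       # mov ah,9 / int 21h (benign)
    "66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"         # Method 01
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"               # Method 02: 4C19:0095..00A0
    "83 C3 02 41 83 F9 06 72 EB E9 55 FF 8B DC"         #            4C19:00A1..00AD
    "31 FF 8E C7 B8 84 16 BB 02 02 CD 2F 8C C0 01 F8 85 C0 75 10"   # Method 03
    "B8 4F 00 CD 41 3D 86 F3 74 10"                     # Method 05
    "B4 43 CD 68 3D 86 F3 74 10"                        # Method 07
    "B8 00 4C CD 21"                                    # mov ax,4C00h / int 21h (benign)
)

if __name__ == "__main__":
    print(*(f"{f.offset:04X}h  Method {f.method}: {f.detail}" for f in scan(SAMPLE)), sep="\n")
```

Run it on a raw DOS executable (or the unpacked code of one) with
`scan(open(path, "rb").read())`. Because the sweep resets its knowledge on
any opcode it does not understand, it errs on the side of missing a trick
rather than inventing one; extend FIXED_LEN/MODRM_OPS when a sample puts other
instructions between the `mov` immediates and the `int`.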

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, 01h                      ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler (DS must hold its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only, since MOV from a debug register is privileged).
Values can be manipulated or changed as well (clearing BPMs for instance).
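
To make the DR7 values quoted above concrete, here is an added example (not
code from the original post) that decodes DR7 according to the Intel bit
layout: the L/G enable bits for DR0-DR3, the R/W and LEN fields that say what
kind of memory breakpoint each one is, and the LE/GE bits whose presence is
the text's rule of thumb for "loaded through the SoftICE loader". The
`softice_loaded_heuristic` function encodes only that rule of thumb; reading
the real registers needs ring 0 and is not attempted here. `make_dr7` is a
helper of this example used to build test values.

```python
from dataclasses import dataclass

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "I/O read/write", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 means 8 bytes only in 64-bit mode

@dataclass
class HwBreakpoint:
    index: int       # which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / read/write (SoftICE: BPM ... X / W / RW)
    length: int      # bytes covered
    global_: bool    # G bit (survives task switches) rather than L bit

def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Split DR7 into its control bits and the breakpoints it enables."""
    bps = []
    for n in range(4):
        local, glob = (dr7 >> (2 * n)) & 1, (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11          # must be 00 for execute breakpoints
        bps.append(HwBreakpoint(n, dr0_3[n], RW_NAMES[rw],
                                1 if rw == 0 else LEN_BYTES[ln], bool(glob)))
    return {"le": bool(dr7 & 0x100),    # local exact breakpoint enable
            "ge": bool(dr7 & 0x200),    # global exact breakpoint enable
            "gd": bool(dr7 & 0x2000),   # general detect: trap any MOV to/from DRx
            "breakpoints": bps}

def softice_loaded_heuristic(dr7: int) -> bool:
    """The rule of thumb from the text: a program started through the SoftICE
    loader sees LE|GE set (0x700); started normally it sees only bit 10 (0x400),
    a reserved bit the CPU keeps set."""
    return dr7 & 0x300 == 0x300

def clear_bpms(dr7: int) -> int:
    """What a hostile program does when it 'clears BPMs': drop every L/G enable
    bit so the addresses left in DR0-DR3 no longer fire, keep everything else."""
    return dr7 & ~0xFF

def make_dr7(index: int, kind: str, length: int, base: int = 0x400) -> int:
    """Build DR7 for one local breakpoint (inverse of decode_dr7, for this example)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length] if rw else 0
    return base | (1 << (2 * index)) | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))

if __name__ == "__main__":
    # Equivalent of 'BPMD 401000 W' landing on DR0 inside a SoftICE-loaded program.
    dr7 = make_dr7(0, "write", 4, base=0x700)
    print(hex(dr7), decode_dr7(dr7, (0x401000, 0, 0, 0)))
    print("loaded:", softice_loaded_heuristic(dr7), "after clear:", hex(clear_bpms(dr7)))
```

The decoder shows why the trick is dangerous for the reverser: the address
of a BPM lives in DR0-DR3 in clear, so a ring-0 component can not only see
that a breakpoint exists but also where it is, and a single `and dr7, ~0FFh`
silently disables all of them.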

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
   dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

     (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
      inside "Software\NuMega\SoftICE" and
      "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________
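
Methods 11, 12 and 13 all leave recognisable data in the file: the `\\.\SICE`
style device names, the `push 4Fh / push 2A002Ah` pair in front of the
VxDCall, and the registry paths. The following locator is an added example,
not code from the original post: it hunts a raw file image for those
artefacts, in ANSI and UTF-16LE and without regard to case, and reports
offset and kind so the right BPX from the sections above can be chosen before
running the target. The sample image is constructed for this example; real
programs may build these strings at run time, in which case only the
breakpoints above will catch them.

```python
import re
from dataclasses import dataclass

DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")             # opened as \\.\NAME (Method 11)
REGISTRY_KEYS = (                                      # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)
# Method 12: push 4Fh / push 2A002Ah immediately before the VxDCall.
VXDCALL_INT41 = bytes.fromhex("6A 4F 68 2A 00 2A 00")

@dataclass
class Hit:
    offset: int
    method: str
    what: str

def _patterns():
    """Byte patterns to hunt for, each in ANSI and UTF-16LE (case-insensitive)."""
    pats = []
    for name in DEVICE_NAMES:
        path = "\\\\.\\" + name
        for enc, tag in (("latin-1", ""), ("utf-16-le", " (UTF-16)")):
            pats.append((re.compile(re.escape(path.encode(enc)), re.IGNORECASE),
                         "11", f"device name {path}{tag}"))
    for key in REGISTRY_KEYS:
        for enc, tag in (("latin-1", ""), ("utf-16-le", " (UTF-16)")):
            pats.append((re.compile(re.escape(key.encode(enc)), re.IGNORECASE),
                         "13", f"registry key {key}{tag}"))
    pats.append((re.compile(re.escape(VXDCALL_INT41)), "12",
                 "push 4Fh / push 2A002Ah before VxDCall (VWIN32_Int41Dispatch)"))
    return pats

def scan(blob: bytes) -> list:
    """Return every hit in the raw file image, sorted by offset."""
    hits = [Hit(m.start(), method, what)
            for pat, method, what in _patterns() for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)

# Constructed sample standing in for a file image: a decoy device name that must
# not match, a MeltICE-style ANSI device name, a wide-string variant, the
# Bleem-style VxDCall sequence followed by 'cmp ax,0F386h', and an upper-case
# registry key.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\\\\.\\PhysicalDrive0\x00"
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE\x00".encode("utf-16-le")
    + VXDCALL_INT41 + bytes.fromhex("FF 15 00 20 40 00 66 3D 86 F3")
    + b"SOFTWARE\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  Method {h.method}: {h.what}")
```

Use it as `scan(open(path, "rb").read())` on the unpacked executable; a hit on
Method 11 tells you which of the three device names to put in the CreateFileA
condition, a hit on Method 13 which `tICE` offset applies.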

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag: it returns with ZF set when no debugger is
installed, which is what the je tests.