<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: int 3 is called
with EBP = 'BCHK' and AX = 4, and if SoftICE is loaded its int 3
handler answers by changing AL.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI comes back
non-zero.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Int 41h is first pointed at a harmless
handler of our own and restored afterwards:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the temporary handler copies AL into CL, so if int 41h was really served
by it, CL equals the value just read from port 40h; if something else
answered int 41h without passing it on, CL stays 0.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
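The check above reads DR7 and treats 0x700 versus 0x400 as the SoftICE-loader tell-tale, with DR0 to DR3 holding the BPM addresses. The following Python is an added example, not code from the original text or from SoftICE: it decodes a sampled DR7 into its architectural fields (Intel SDM layout) so an analyst can see what such a value actually encodes, and builds the DR7 a single hardware breakpoint would leave behind. The 0x700 and 0x400 values are taken from the text as reported, not re-measured; the function and dictionary names are this example's own.

```python
# Added example (not from the original text): decode and build DR7 values as
# seen by Method 10.  Field layout follows the Intel SDM vol. 3 "Debug Registers"
# description; the function and dictionary names are this example's own.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}                               # LENn field (bytes)
RW_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_CODES = {v: k for k, v in LEN_NAMES.items()}
RESERVED_BIT10 = 0x400   # always reads as 1: the "0x400 otherwise" reported in the text


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields: four breakpoint slots plus the global flags."""
    slots = []
    for n in range(4):
        slots.append({
            "slot": n,
            "local": bool((dr7 >> (2 * n)) & 1),            # Ln   (bits 0,2,4,6)
            "global": bool((dr7 >> (2 * n + 1)) & 1),       # Gn   (bits 1,3,5,7)
            "rw": RW_NAMES[(dr7 >> (16 + 4 * n)) & 0b11],   # R/Wn (bits 16-17, 20-21, ...)
            "len": LEN_NAMES[(dr7 >> (18 + 4 * n)) & 0b11], # LENn (bits 18-19, 22-23, ...)
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),     # LE: local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),     # GE: global exact breakpoint enable
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
        "gd": bool((dr7 >> 13) & 1),    # GD: general detect, traps MOV to/from DRn
    }


def armed_slots(dr7: int) -> list:
    """Slots enabled locally or globally, i.e. live BPM-style breakpoints."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]


def looks_debugged(dr7: int) -> bool:
    """The Method 10 heuristic: anything set beyond the reserved bit (LE/GE, GD
    or an armed slot) suggests a debugger touched the register."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or d["gd"] or bool(armed_slots(dr7))


def set_hw_breakpoint(dr7: int, slot: int, rw: str = "read/write",
                      length: int = 4, local: bool = True) -> int:
    """Return DR7 with `slot` programmed the way a memory breakpoint would leave it
    (the address itself would go in DR0..DR3, which this helper does not model)."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    clear = (0b11 << (16 + 4 * slot)) | (0b11 << (18 + 4 * slot)) | (0b11 << (2 * slot))
    dr7 &= ~clear
    dr7 |= RW_CODES[rw] << (16 + 4 * slot)
    dr7 |= LEN_CODES[length] << (18 + 4 * slot)
    dr7 |= 1 << (2 * slot if local else 2 * slot + 1)
    return dr7 | RESERVED_BIT10


if __name__ == "__main__":
    for value in (0x400, 0x700, set_hw_breakpoint(0x400, 0, "write", 4)):
        d = decode_dr7(value)
        print(f"DR7={value:#x} LE={d['le']} GE={d['ge']} armed={armed_slots(value)} "
              f"debugged={looks_debugged(value)}")
```

Reading DR7 needs ring0, exactly as the text says, so the example works on values already captured (from a kernel debugger or a memory dump) rather than reading the register itself; 0x700 decodes to LE and GE set with no armed slot, which is why the text can tell a SoftICE-loaded program apart from one started normally.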

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
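Every probe this document lists, from the 'BCHK' and magic-value int 3 calls of Methods 01 and 02, through the int 2Fh, int 41h and int 68h checks and the 0F386h compare, to the device names of Method 11 and the registry keys of Method 13, leaves a fixed byte or string pattern in the binary, so a sample can be triaged for them without being run. The following Python scanner is an added example and is not code from the original text or from any program it mentions: the opcode patterns were encoded by hand from the listings above (16-bit DOS and 32-bit forms), the signature names are this example's own, and the sample bytes are constructed test data.

```python
import re

# Added example (not from the original text): static triage for the anti-SoftICE
# probes described in this document.  Opcode patterns were hand-encoded from the
# listings (16-bit DOS and 32-bit forms); names and layout are this example's own.

OPCODE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3  (32-bit encoding)
    ("Method 01 BoundsChecker int 3 probe",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,8}?\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (either order, 16- or 32-bit imm)
    ("Method 02 SoftICE back door (SI=4647h DI=4A4Dh int 3)",
     rb"(?:\xBE\x47\x46(?:\x00\x00)?.{0,8}?\xBF\x4D\x4A(?:\x00\x00)?"
     rb"|\xBF\x4D\x4A(?:\x00\x00)?.{0,8}?\xBE\x47\x46(?:\x00\x00)?).{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("Method 03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("Method 05 int 41h/4Fh debugger installation check",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("Method 07 int 68h/43h debugger installation check",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h, the 'magic number' compare
    ("Magic number 0F386h compare (methods 05/07/12)",
     rb"\x66?\x3D\x86\xF3"),
]

STRING_INDICATORS = [
    # Method 11: device names opened by MeltICE (CreateFileA) or via _lopen
    ("Method 11 MeltICE device name",
     [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    # Method 13: registry keys that reveal the SoftICE installation directory
    ("Method 13 SoftICE registry key",
     [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"]),
]


def _compile():
    # opcode patterns are byte-exact (no IGNORECASE: 0x41/0x61 are different opcodes)
    compiled = [(name, re.compile(pat, re.DOTALL)) for name, pat in OPCODE_SIGNATURES]
    for name, strings in STRING_INDICATORS:
        alts = []
        for s in strings:
            alts.append(re.escape(s))                                      # ANSI form
            alts.append(re.escape(s.decode("ascii").encode("utf-16-le")))  # wide form
        compiled.append((name, re.compile(b"|".join(alts), re.IGNORECASE)))
    return compiled


SIGNATURES = _compile()


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs for every indicator found, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (synthetic test data, not a real binary): NOP padding around
# the Haspinst-style Method 02 sequence, a 32-bit Method 01 sequence, the MeltICE
# device string, one registry key and an int 41h/4Fh check.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"              # mov ax, 0911h
    + b"\x8B\x17"                  # mov dx, [bx]
    + b"\xBE\x47\x46"              # mov si, 4647h
    + b"\xBF\x4D\x4A"              # mov di, 4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x66\xB8\x4F\x00\xCD\x41"  # mov ax, 4Fh / int 41h
    + b"\x66\x3D\x86\xF3"          # cmp ax, 0F386h
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit is a lead, not proof: a lone cmp ax,0F386h or int 3 can occur in legitimate code, so the opcode patterns allow only a few bytes between the instructions they chain, and the string indicators are matched case-insensitively in both ANSI and UTF-16 forms because the device name may be passed to either CreateFileA or CreateFileW.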

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>