<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                ; es is assumed to point at the IVT (es = 0)
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]     ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; es -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read a timer byte: a value SoftICE cannot guess
    xor cx,cx
    int 41h                   ; if SoftICE takes the int, cl stays 0
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                    ; set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
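A static triage helper for the tricks listed in Methods 01-07, 11, 12 and 13 above, added here as an example and not part of the original text: it scans a raw code/data buffer for the byte encodings of those checks (the 'BCHK' magic, the 4647h/4A4Dh back door registers, int 2Fh/1684h with the SICE/SIWVID VxD IDs, int 41h/4Fh and the 0F386h compare, int 68h/43h, the MeltICE device names, the VxDCall 002A002Ah dispatch and the SoftICE registry keys) so an analyst can flag a protected sample before single-stepping into it. The byte patterns and the sample buffer are my own assumptions worked out from the listed instructions, not values taken from the text.

```python
import re

# Byte encodings of the checks described in Methods 01-07, 11, 12 and 13.
# These patterns are my own assumptions worked out from the instructions
# listed above, not the original text's; an optional 66h operand-size prefix
# covers the 16-bit register forms when they appear inside 32-bit code.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' magic (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "M02 back door magic (mov si,4647h ; mov di,4A4Dh)":
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
    "M03/M04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 int 41h function 4Fh (mov ax,4Fh ; int 41h)":
        rb"\x66?\xB8\x4F\x00(?:\x00\x00)?\xCD\x41",
    "M05/M07/M12 debugger magic compare (cmp ax,0F386h)":
        rb"\x66?\x3D\x86\xF3",
    "M07 int 68h function 43h (mov ah,43h ; int 68h)":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE driver name (\\\\.\\SICE / SIWVID / NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key string":
        rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)",
}


def scan(data: bytes):
    """Return (offset, trick) pairs, sorted by offset, for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data: bytes):
    """Just the method tags (first word of each signature name), de-duplicated."""
    return sorted({name.split()[0] for _, name in scan(data)})


# Constructed sample buffer (not a real binary): Method 01 and Method 05 in
# 32-bit form, two MeltICE device names, the Method 12 VxDCall and a key path.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"            # Method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                 # Method 12
    + b"Software\\NuMega\\SoftICE\x00"                                # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a dumped section or an unpacked image rather than a packed file, since the encrypted layers these packers use hide the patterns until they are decrypted in memory.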
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>