About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check inside SoftICE: if SoftICE
is loaded, its int 3 handler recognises 'BCHK' in EBP and AL no longer
holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first, so a non-zero ES:DI
afterwards means the VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed
at a plain iret, so an answer of 0F386h can only come from a debugger that
traps the interrupt below the real-mode vector table, as SoftICE does:

    xor     ax,ax
    mov     es,ax           ; es = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in the dummy handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The replacement handler copies AL into CL: if the int 41h really reached
that handler, CL equals AL afterwards, whereas if SoftICE swallowed the
interrupt, CL is still 0 (the check misses only when the timer byte read
from port 40h happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the
   SoftICE VxD answered the open request. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
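As an added example (not code from the original post), the byte encodings of the tricks above turned into static signatures an analyst can run over an unpacked sample to see which anti-SoftICE checks it carries, the static counterpart of the BPX breakpoints suggested in the text. The signature names, regexes and the sample bytes are constructed here; the encodings assume plain, unobfuscated 16-/32-bit x86 code.

```python
import re

# Static signatures for the anti-SoftICE tricks described above (constructed
# for this example). Each regex matches raw x86 machine code or strings; an
# optional 66h operand-size prefix is tolerated where 16- and 32-bit encodings
# differ. Packed or self-modifying code hides these until it is unpacked.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) followed shortly by int 3 (CC)
    "01 BoundsChecker 'BCHK' int 3": rb"\xBD\x4B\x48\x43\x42.{0,10}?\xCC",
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), then int 3
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        rb"(?:\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A|\xBF\x4D\x4A(?:\x66)?\xBE\x47\x46)"
        rb".{0,10}?\xCC",
    # Methods 03/04: mov ax,1684h (B8 84 16) with mov bx,0202h/7A5Fh, then int 2Fh
    "03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)":
        rb"(?:\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)|"
        rb"\xBB(?:\x02\x02|\x5F\x7A)(?:\x66)?\xB8\x84\x16).{0,10}?\xCD\x2F",
    # Methods 05/06: mov ax,4Fh (B8 4F 00) then int 41h (CD 41)
    "05/06 int 41h/4Fh debugger check": rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah,43h (B4 43) then int 68h (CD 68)
    "07 int 68h/43h": rb"\xB4\x43.{0,6}?\xCD\x68",
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh (imm8 or imm32 form) then push 002A002Ah before VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 13: registry keys that reveal a SoftICE installation
    "13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_used(blob: bytes) -> list:
    """Distinct signature names found in the blob, sorted."""
    return sorted({name for _, name in scan(blob)})


# Constructed sample, not a real binary: a Haspinst-style back door call,
# an int 2Fh/1684h probe for VxD 0202h, an int 41h/4Fh check, a MeltICE string.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # Method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\x00\\\\.\\SICE\x00"                               # Method 11
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

Hits are leads rather than proof: short byte regexes can fire on unrelated data, so confirm each one in the debugger with the matching BPX from the text.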