<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE services on int 3:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                ; SoftICE changes AL when it handles the request
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h ('FG')
  -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
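What these two tricks look like in raw bytes, as an added example in C (not part of the original text, and not code from any packer mentioned here): a small scanner that looks for the 'BCHK' and 'FG'/'JM' immediates followed by an INT 3, the way you would grep an unpacked binary for them before single-stepping into it. The sample buffers are constructed here, the 16-byte window between the register set-up and the INT 3 is an assumption, and the scanner matches only the MOV opcode byte and its immediate, so it does not care whether the code is 16-bit (66 BD imm32 / BE imm16) or 32-bit (BD imm32 / 66 BE imm16).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit flags returned by scan_sice_backdoor(). */
#define SIG_BCHK 1   /* method 01: mov ebp,4243484Bh ('BCHK') ... int 3 */
#define SIG_FGJM 2   /* method 02: mov si,4647h / mov di,4A4Dh ... int 3 */

/* Does `pat` (len bytes) occur starting anywhere in [from, to) of p[0..n)? */
static int has_pattern(const uint8_t *p, size_t n, size_t from, size_t to,
                       const uint8_t *pat, size_t len)
{
    if (to > n)
        to = n;
    for (size_t i = from; i + len <= to; i++)
        if (memcmp(p + i, pat, len) == 0)
            return 1;
    return 0;
}

/* INT 3 is CC (or the long form CD 03). Require one within `win` bytes after `off`. */
static int int3_follows(const uint8_t *p, size_t n, size_t off, size_t win)
{
    static const uint8_t cc[] = { 0xCC }, cd03[] = { 0xCD, 0x03 };
    return has_pattern(p, n, off, off + win, cc, sizeof cc) ||
           has_pattern(p, n, off, off + win, cd03, sizeof cd03);
}

/* Scan raw code bytes for the two INT 3 back-door set-ups.
 * Returns a mask of SIG_* flags; *first_off (may be NULL) receives the
 * offset of the earliest hit. */
int scan_sice_backdoor(const uint8_t *p, size_t n, size_t *first_off)
{
    static const uint8_t bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh */
    static const uint8_t fg[]   = { 0xBE, 0x47, 0x46 };             /* mov si,4647h ('FG') */
    static const uint8_t jm[]   = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh ('JM') */
    const size_t win = 16;   /* assumption: INT 3 comes within 16 bytes of the set-up */
    int found = 0;

    for (size_t i = 0; i < n; i++) {
        int hit = 0;

        if (has_pattern(p, n, i, i + sizeof bchk, bchk, sizeof bchk) &&
            int3_follows(p, n, i + sizeof bchk, win))
            hit |= SIG_BCHK;

        /* Both magic loads must be present, in either order, within 12 bytes. */
        if ((has_pattern(p, n, i, i + 3, fg, 3) && has_pattern(p, n, i + 3, i + 12, jm, 3)) ||
            (has_pattern(p, n, i, i + 3, jm, 3) && has_pattern(p, n, i + 3, i + 12, fg, 3)))
            if (int3_follows(p, n, i + 6, win))
                hit |= SIG_FGJM;

        if (hit) {
            if (!found && first_off)
                *first_off = i;
            found |= hit;
        }
    }
    return found;
}

/* Convenience for callers that only want the first hit offset (-1 if none). */
long first_backdoor_offset(const uint8_t *p, size_t n)
{
    size_t off = 0;
    return scan_sice_backdoor(p, n, &off) ? (long)off : -1L;
}

/* Constructed sample: a 16-bit routine that chains both tricks, Haspinst-style. */
const uint8_t sample_detector[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp,4243484Bh  ; 'BCHK' */
    0xB8, 0x04, 0x00,                    /* mov ax,4 */
    0xCC,                                /* int 3 */
    0x3C, 0x04,                          /* cmp al,4 */
    0x75, 0x20,                          /* jnz SoftICE_Detected */
    0xB8, 0x11, 0x09,                    /* mov ax,0911h       ; execute command */
    0x8B, 0x17,                          /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                    /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                    /* mov di,4A4Dh */
    0xCC,                                /* int 3 */
    0x83, 0xC3, 0x02,                    /* add bx,2 */
};
const size_t sample_detector_len = sizeof sample_detector;

/* Constructed sample: the BCHK constant as plain data, no INT 3 nearby -> no hit. */
const uint8_t sample_benign[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC3,
};
const size_t sample_benign_len = sizeof sample_benign;

int main(void)
{
    size_t off = 0;
    int sigs = scan_sice_backdoor(sample_detector, sample_detector_len, &off);
    printf("detector: mask=%d (BCHK=%d FGJM=%d) first hit at +%zu\n",
           sigs, !!(sigs & SIG_BCHK), !!(sigs & SIG_FGJM), off);
    printf("benign:   mask=%d\n", scan_sice_backdoor(sample_benign, sample_benign_len, NULL));
    return 0;
}
```

The INT 3 proximity check is what keeps the scanner from firing on the 'BCHK' or 'FG'/'JM' constants showing up as ordinary data; a real packer may put the interrupt further away, so widen the window if a known sample is missed.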
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WINICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di               ; ES:DI stays 0:0 if the VxD is not present
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]    ; saving the old vector in DX:BX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h           ; our handler leaves AX alone: only a resident
    jz SoftICE_Detected      ; debugger that grabs int 41h returns 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read a byte from the timer: an unpredictable value
    xor cx, cx
    int 41h                  ; our handler copies AL to CL, unless SoftICE eats the interrupt
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

(If the timer byte read happens to be 0, CL equals AL either way and the
check silently passes; the trick relies on that being rare.)

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

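To make the 0x700 / 0x400 values above meaningful, here is an added C example (not from the original text) that decodes DR7 bit by bit: the two values differ exactly in the LE and GE bits (8 and 9), bit 10 is always set, and bits 0-7 plus the RW/LEN fields at 16-31 describe the four BPM slots. The sample values are constructed; reading DR7 itself needs `mov eax, dr7` in ring 0, which this user-mode code does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One hardware breakpoint slot (DR0..DR3) as described by DR7. */
typedef struct {
    int local, global;  /* Lx (bit 2i) / Gx (bit 2i+1) enable */
    int rw;             /* bits 16+4i..17+4i: 0 exec, 1 write, 2 I/O, 3 read/write */
    int len;            /* bits 18+4i..19+4i: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge;   /* bits 8/9: local/global exact breakpoint enable */
    int gd;       /* bit 13: general detect, traps any MOV to/from DRx */
} dr7_state;

dr7_state dr7_decode(uint32_t dr7)
{
    dr7_state s;
    for (int i = 0; i < 4; i++) {
        s.slot[i].local  = (dr7 >> (2 * i)) & 1;
        s.slot[i].global = (dr7 >> (2 * i + 1)) & 1;
        s.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        s.slot[i].len    = (dr7 >> (18 + 4 * i)) & 3;
    }
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* How many of DR0..DR3 are armed (local or global enable set): the BPM count. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_state s = dr7_decode(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += s.slot[i].local || s.slot[i].global;
    return n;
}

/* The loader fingerprint quoted in the text: 0x700 and 0x400 differ exactly in LE|GE. */
int dr7_exact_bp_enabled(uint32_t dr7)
{
    dr7_state s = dr7_decode(dr7);
    return s.le && s.ge;
}

/* What "clearing BPMs" from ring 0 amounts to: drop all eight enable bits and
 * keep LE/GE/GD and the RW/LEN fields untouched. Writing the result back with
 * `mov dr7, eax` (ring 0 only) is the actual clearing step, not done here. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

static void dr7_describe(uint32_t dr7)
{
    static const char *rw_name[]  = { "exec", "write", "io", "rw" };
    static const char *len_name[] = { "1", "2", "8", "4" };  /* encoding 2 = 8 bytes, 64-bit mode only */
    dr7_state s = dr7_decode(dr7);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  armed=%d\n",
           dr7, s.le, s.ge, s.gd, dr7_armed_count(dr7));
    for (int i = 0; i < 4; i++)
        if (s.slot[i].local || s.slot[i].global)
            printf("  DR%d: %s%s %s len=%s\n", i, s.slot[i].local ? "L" : "",
                   s.slot[i].global ? "G" : "", rw_name[s.slot[i].rw], len_name[s.slot[i].len]);
}

int main(void)
{
    /* Constructed sample values: the two quoted in the text, plus a DR7 with one
     * 4-byte read/write BPM armed in DR0 (L0 | RW0=11 | LEN0=11). */
    uint32_t samples[] = { 0x700, 0x400, 0x000F0401 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_describe(samples[i]);
    printf("after disarm: %08x\n", dr7_disarm_all(0x000F0401));
    return 0;
}
```

A protection that reads DR7 this way sees a SoftICE BPM as a non-zero armed count; one that only compares against 0x700 is fooled as soon as SoftICE is loaded without its loader, which is exactly the 0x400 case the text mentions.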
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; _lopen returns -1 (HFILE_ERROR) when the open fails
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of 'tICE' in the subkey strings of #2 and #1
respectively, counted from the start of "Software\...".)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed         ; ZF set -> no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>