<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' signature of the BoundsChecker interface
    mov ax, 04h
    int 3                   ; SoftICE handles this int 3 when it is loaded
    cmp al, 4               ; AL is only left untouched when nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(
Here is a quick description:

-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

: S1 B" u( Y: h2 A. ?, i jMethod 03
& k8 C7 o; d, e& r S. v$ O1 h=========
" V+ I% Z( q1 w' {1 q7 u
4 | |1 E+ p8 v" ZLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h7 {2 H$ q) S" B2 I, ~) b
(API Get entry point); g& V3 L* I! a! k) ]0 ?" O
* k B+ b6 I" t3 y
& m* ]# E* d) ]" @6 l/ r& J
xor di,di, p( o- O& M( ]: C6 e v
mov es,di l& u2 U5 e( E# |, }$ s
mov ax, 1684h # T! ]; f. r* U5 k% B
mov bx, 0202h ; VxD ID of winice; G) w& i: L+ u) |+ o a
int 2Fh8 X/ r9 W+ c& e. @, G
mov ax, es ; ES:DI -> VxD API entry point
" F+ O$ I, b( Y8 r3 F5 b# k add ax, di5 ^! h" Q' f) l/ H3 D
test ax,ax
5 v) {! X( a4 W jnz SoftICE_Detected5 L1 h. E0 l" h% ?
& N; F4 \( |0 E R
___________________________________________________________________________
; [5 \& }2 u0 A: H3 C# D: E5 f: O# o% h: N; j8 _8 O
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh             ; "debugger installation check"
    int 41h
    cmp ax, 0F386h          ; magic number returned by a system debugger
    jz SoftICE_detected

The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0, segment of the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h                 ; without a debugger the dummy handler leaves AX = 4Fh
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler simply copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0, segment of the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a "random" value in AL
    xor cx, cx
    int 41h                 ; a debugger intercepts the call and our handler never runs
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if our handler was really executed
    jnz SoftICE_detected

_________________________________________________________________________
: q( x. u+ i0 W8 u0 e% s% @Method 07- c) S& u* W" J) b' [' `2 M
=========% O6 @: ]. | p
/ w5 F9 X e/ ^8 q" v$ nMethod of detection of the WinICE handler in the int68h (V86)( Q6 D5 n3 \0 c& K4 ^
. `+ X& g' U& {, _' S. P" R4 g mov ah,43h: j9 ~; v- p! n3 \" J: H, ^
int 68h
1 f/ h; D6 v+ ^* [( b/ v, M6 K$ S cmp ax,0F386h
/ j. B0 f" ?* B# |4 x9 x jz SoftICE_Detected
% j8 d# b! D$ a
9 S6 Y$ ~7 F! X. j* k3 e k6 o) o9 L$ L4 p E
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; X5 e4 n9 h) y3 K. { app like this:
) z8 t6 J* L/ d( m c* c0 T
5 D2 B; |! X7 U2 @5 x7 x' x* s" M BPX exec_int if ax==68
7 a1 b- ~: |1 h; _# W1 W' ? (function called is located at byte ptr [ebp+1Dh] and client eip is% a' D7 g/ y& Y) t
located at [ebp+48h] for 32Bit apps)! y- V7 A2 D8 Q
__________________________________________________________________________0 h4 \5 [- A* \: E$ }# z
5 L2 p7 L( O5 G2 }
& k, |# ]7 K* z u8 ?0 h( I
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

) y6 J# \3 u9 K( |Method 09
: R+ V) v9 Z6 O2 ^$ ~=========
~6 V, K, R; `6 `" b( g+ q6 D9 V. j1 ?9 p) n; I+ l, |
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only6 y! `. X# F! m& @" ^5 z6 M l% |4 m
performed in ring0 (VxD or a ring3 app using the VxdCall).
: D3 h9 O3 z4 P% [8 `The Get_DDB service is used to determine whether or not a VxD is installed
) F% O/ F0 g- e- ?2 B3 Yfor the specified device and returns a Device Description Block (in ecx) for
% L% N3 L9 v+ Q8 K2 F1 F0 k5 `3 m# O. athat device if it is installed.
y+ a) Z5 k! f
" V0 _% V2 l4 r% R! g mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 J9 s1 h! T# l1 ]- e0 l7 _
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, A7 a* {- U" R+ g% w# @( m VMMCall Get_DDB3 X% Z8 @# P5 b% I& n% |
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed, F/ o R3 }# d& Q& I
; O* f% }0 l- L6 k1 c' W
Note as well that you can easily detect this method with SoftICE:
( r# E; [% e- Y1 |% j% t bpx Get_DDB if ax==0202 || ax==7a5fh
" O3 v- r# v0 b' b
0 m/ M9 g" v5 x; v, y__________________________________________________________________________
2 G9 C U% c% O: a, e
, R7 O4 Y! v+ K/ KMethod 10
- O/ h! [; F- [=========
, i; J, X" v1 B& v* \* R$ M) @/ K0 V
=>Disable or clear breakpoints before using this feature. DO NOT trace with) l( i7 V" ?7 h5 m8 H
SoftICE while the option is enable!!1 a/ R) [+ {! w% {' N
0 S) a! D4 b3 h* J7 J9 X
This trick is very efficient:
$ q, j% C4 W7 |& b- {by checking the Debug Registers, you can detect if SoftICE is loaded* j& y) d! N5 E( n
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
0 L/ p& c. }8 i. p' A; M# ethere are some memory breakpoints set (dr0 to dr3) simply by reading their/ t! {) n) q- n* ~1 h# ~
value (in ring0 only). Values can be manipulated and or changed as well
% T( i% v; c2 E1 y(clearing BPMs for instance)5 i" g0 D# n" P" v
" j4 s, R6 B9 q$ W0 y$ [__________________________________________________________________________9 ~1 B4 F) p3 B" X( k5 I
% X3 F9 f+ B! T& t6 H+ c5 `Method 11
$ Y: R& U# @4 G. ~( k. D=========, ?# W% i% o! \, d
! {6 [; D8 H% s& K8 F3 l8 v F6 Y
This method is most known as 'MeltICE' because it has been freely distributed' B; m) t2 P2 y. M
via www.winfiles.com. However it was first used by NuMega people to allow
% s# l/ t1 Z: p! m: E& ~( j$ PSymbol Loader to check if SoftICE was active or not (the code is located: a' |5 r1 m& s# @+ V
inside nmtrans.dll).
. E" V& J% U+ P
4 t1 k: u2 I' X2 f5 Z/ c7 FThe way it works is very simple: d/ M3 Q K- J
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! X! z: J) Q2 Y6 R, l/ vWinNT) with the CreateFileA API." Q! l' b& H8 B% P: {, J
9 d- {8 G s5 L& I+ SHere is a sample (checking for 'SICE'):
+ F, l' j+ Q7 D4 R$ h/ [. {; n' Q5 y- D
BOOL IsSoftIce95Loaded()' z% J& b" f3 }
{8 S0 P0 `1 S3 m3 D6 o/ l( i
HANDLE hFile; ' x/ D2 }! _# S7 f+ ~
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,5 H# }2 v, w) E }" o
FILE_SHARE_READ | FILE_SHARE_WRITE,
" a5 }! t+ y c4 m NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);# Q) x9 K2 d) C
if( hFile != INVALID_HANDLE_VALUE )
. x3 |( q/ R, k7 J) u/ `6 W R {
& J5 H4 n1 h; } X CloseHandle(hFile);
) S% C& K9 D3 v1 [' [. i8 o$ f return TRUE;* ^9 D: d4 u* E+ c" n8 u( r
}
2 I& k4 ]3 b" T% n3 r return FALSE;/ a2 B5 s% O: v' }7 a
}
5 o: f, Z s+ X" t% J- @) l3 _$ ~8 {3 G! E
Although this trick calls the CreateFileA function, don't even expect to be- f% m' d- o7 o
able to intercept it by installing a IFS hook: it will not work, no way!
: X& j7 c% L( W) l" L1 UIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, F: a8 b+ b% H* c }# Eservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
5 l) t! B$ b6 W0 q% I, g9 _) c7 ?and then browse the DDB list until it find the VxD and its DDB_Control_Proc6 a; C3 R6 e k1 X
field.( P+ g0 f/ o# n; ?3 {% m
In fact, its purpose is not to load/unload VxDs but only to send a / Q! n# ^0 ^! W* @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): |3 e" S v; ]* o4 a* G
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 E' e( s. Y/ mto load/unload a non-dynamically loadable driver such as SoftICE ;-).) B" `8 f& W: Z4 |
If the VxD is loaded, it will always clear eax and the Carry flag to allow6 T8 K- ~$ u6 G1 q- |
its handle to be opened and then, will be detected.
& x. x0 P* b6 Q# T# [4 rYou can check that simply by hooking Winice.exe control proc entry point
2 K$ T% X& D; p6 Ewhile running MeltICE.
1 X7 B: z% m/ G9 n- s1 U6 F
* ~) A6 x( |' {% D
. k5 q l: t$ U8 L9 F 00401067: push 00402025 ; \\.\SICE
+ X: [6 s9 `; g1 i- G 0040106C: call CreateFileA
! X2 r( f5 s. }. S" u& T5 S" n. @ 00401071: cmp eax,-001% _; P2 U$ u1 p% k5 `& n# v
00401074: je 00401091
3 x; h8 p M( ?! w8 m: D7 g ?0 y) f& f1 l2 a
0 n8 y* `( g# t. n0 j9 s2 W2 U9 ZThere could be hundreds of BPX you could use to detect this trick.; H u/ r9 ]' v% ^* m1 {
-The most classical one is:2 H$ C" b1 T* Z
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||5 ?: v5 m; a# a, ]2 d
*(esp->4+4)=='NTIC'
2 y+ T, z) z8 }7 ?
( S9 }( ]" S8 V! {9 O-The most exotic ones (could be very slooooow :-() [& s$ [' P- Q) l
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
! f0 s! v5 H) N3 m4 l: H- m/ e; V# c ;will break 3 times :-(
0 ~0 Y5 m/ M4 X$ F% ]- s2 E
8 B0 W5 I) u b& R' Y: G. i-or (a bit) faster: ; b/ I3 P# I; ^( V# p; S
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), C9 S, a8 z# ]& E; D! Z
/ ^# V k- A4 v- f- h7 R) C
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
2 C) n# C! l/ T& y0 L ;will break 3 times :-(% ~- s }# m) k( j9 w/ U. V. G$ e
( X" B M; A' j+ C; Y8 P9 p-Much faster:! j* C6 Z- n3 k! [: R# I
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'' U1 q% j* _0 j L( ~. M: e9 s
; C% G$ k7 I: x
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen+ R" R' f: D d( \' z) |( q5 ~
function to do the same job:( r/ E+ X2 w8 g1 E6 Y4 ]7 {7 K
- X0 s: l& N! c8 P/ ] push 00 ; OF_READ
6 p% @. l8 ]0 J$ {6 n mov eax,[00656634] ; '\\.\SICE',07 E3 u, {8 ~; @7 D/ Q. Q/ F
push eax2 D: y8 c0 Y4 p, E, j7 ^
call KERNEL32!_lopen
d% f2 a( c$ w inc eax# t% s) b5 m ^2 x# ~6 l% p9 }
jnz 00650589 ; detected C6 K# q0 r: ?- j' V
push 00 ; OF_READ
3 {" ^5 ]$ P* i5 o/ L+ [ mov eax,[00656638] ; '\\.\SICE'" ^0 x' w: [0 D/ ~$ l6 p& N+ s& j9 [
push eax
# t' w% E2 D, Q" Z+ u* X call KERNEL32!_lopen I+ I& J; I' u% Z9 S, J9 H
inc eax9 D. X& m7 J! p, `# p
jz 006505ae ; not detected3 z. t3 j; G+ @ c' J/ u
9 k7 y7 u/ k' `7 l+ F A8 s: U$ u8 m d% q5 k: H+ W7 h+ A
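The signatures described so far (the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic words of Method 02, the VxD IDs of Methods 03/04, the int 41h/4Fh and int 68h/43h probes of Methods 05 and 07, and the \\.\SICE device names of MeltICE) can be flagged statically when triaging a sample. The following Python scanner is an added example, not part of the original text: the opcode encodings are assumed from the x86 reference, and the sample bytes it scans are constructed.

```python
import re

# Byte patterns for the tricks of Methods 01-07 and 11 (assumed encodings:
# mov r16/r32,imm = B8+reg, mov ah,imm8 = B4, cmp ax,imm16 = 3D, int imm8 = CD ib).
# 32-bit code may prefix the 16-bit moves with 66h; substring matching still works.
SIGNATURES = {
    "bchk_int3":      rb"\xbd\x4b\x48\x43\x42",                    # mov ebp,4243484Bh ('BCHK')
    "backdoor_magic": rb"\xbe\x47\x46\xbf\x4d\x4a",                # mov si,4647h / mov di,4A4Dh
    "vxd_id_sice":    rb"\xbb\x02\x02[\x00-\xff]{0,8}?\xcd\x2f",   # mov bx,0202h ... int 2Fh
    "vxd_id_siwvid":  rb"\xbb\x5f\x7a[\x00-\xff]{0,8}?\xcd\x2f",   # mov bx,7A5Fh ... int 2Fh
    "int41_4f":       rb"\xb8\x4f\x00\xcd\x41",                    # mov ax,4Fh / int 41h
    "int68_43":       rb"\xb4\x43\xcd\x68",                        # mov ah,43h / int 68h
    "magic_f386":     rb"\x3d\x86\xf3",                            # cmp ax,0F386h (low confidence alone)
    "meltice_device": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",      # "\\.\SICE" style device names
}


def scan(data: bytes):
    """Return a sorted list of (offset, signature name) for every hit in data."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(hits):
    """Collapse raw hits into the sorted set of anti-debug techniques present."""
    return sorted({name for _, name in hits})


# Constructed sample (not a real binary): fragments from the text padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"          # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # MeltICE device names
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
    print("techniques:", summarize(scan(SAMPLE)))
```

Run it over a whole file with scan(open(path, "rb").read()); a hit only says the pattern is present, so confirm it in the disassembly before reporting it.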
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>