About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

: c; t% Z, |! }& b! M5 uMethod 14 . J; M- m( y6 q* {8 b
=========' V4 {4 O" V  M, A2 M8 _

; {9 s7 c7 e6 W( f' {A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose  S2 m% s/ a- a. x' D/ _) I$ |0 S
is to determines whether a debugger is running on your system (ring0 only).
% K/ f7 h- ?% U: H8 h8 M. c- d
% d3 R; k0 D: m7 j. t; I0 Z8 X& j   VMMCall Test_Debug_Installed
7 Z& a9 S) z' K1 o# s3 R   je      not_installed
/ y7 h/ p- Y" b% [8 K1 [7 W7 b1 g; ~3 u: H+ R+ O
This service just checks a flag.
0 w7 |8 a% j1 i4 ?/ n</PRE></TD></TR></TBODY></TABLE>