About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface implemented by SoftICE: with
EBP = 'BCHK' and AX = 4, INT 3 comes back with AL no longer equal to 4
when SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI stays 0:0 when no VxD with that ID is
loaded.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector at a dummy handler, so only a debugger that intercepts the interrupt
below the interrupt vector table can still answer 0F386h (ES must be 0
here, as in Method 06):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]           ; swap in the dummy handler (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]           ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect
(no 4Fh function number and no 0F386h constant to break on): the dummy
handler copies AL to CL, so if SoftICE intercepts int 41h before the
vector installed in the IVT, the handler never runs and CL no longer
matches AL.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                    ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                  ; timer port: a pseudo-random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, 01h                    ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
4 o% j5 d* P5 R, T6 @' D
Method 10
! l8 G  ]/ S6 h=========
3 U. S! ?& @  P( K6 ?3 U, U% s) M+ [. m& B6 k
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with. b3 m$ M4 r: `- f  }, K* u
  SoftICE while the option is enable!!' H) ^5 C1 \- ]) @4 W

- i0 G# P& F* R* n1 m! B4 \This trick is very efficient:
6 s$ |$ t/ ^+ e  Z) mby checking the Debug Registers, you can detect if SoftICE is loaded
! y# N0 f  ?+ [+ k- D6 J, I& G(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; M3 [5 i6 x1 f' i
there are some memory breakpoints set (dr0 to dr3) simply by reading their
# X( O. |* D: X! O4 k1 D6 l+ @) jvalue (in ring0 only). Values can be manipulated and or changed as well6 I. A) S8 I( r) \; i9 U/ S! g
(clearing BPMs for instance)
3 ^8 o2 a/ b! a# w; J; i6 V
$ ]: j$ S5 D, E__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name of the SICE VxD only succeeds when it is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

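When triaging a protected sample it helps to know which of these tricks it carries before running it. The following static scanner, an added example written for this page (not code from the original article), looks for the byte patterns the listings of Methods 01 to 07, 11, 12 and 13 leave in a binary; the sample bytes are hand-assembled here and the operand encodings are an assumption based on the 16-bit forms shown above.

```python
import re

# Static signature scanner for the anti-SoftICE tricks described above.  The
# byte encodings are the 16-bit (DOS) forms of the listings; the optional 0x66
# operand-size prefix lets the same pattern match the equivalent 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') .. int 3 .. cmp al,4
    (1, "BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    (2, "SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    (3, "int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h
    (5, "int 41h/4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    (7, "int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened by MeltICE-style checks
    (11, "MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    (12, "VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key #2 as a narrow string
    (13, "NuMega\\SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]

def scan(code: bytes):
    """Return a sorted list of (offset, method, description) for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(code):
            hits.append((m.start(), method, desc))
    return sorted(hits)

# Constructed sample (not a real binary): hand-assembled 16-bit fragments of
# Methods 01, 03 and 05 plus the Method 11 device name, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh  ('BCHK')
    + b"\xB8\x04\x00"               # mov ax, 04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x84\x16"               # mov ax, 1684h
    + b"\xBB\x02\x02"               # mov bx, 0202h  (VxD ID of winice)
    + b"\xCD\x2F"                   # int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00"               # mov ax, 4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0 as passed to CreateFileA
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04X}  Method {method:02d}  {desc}")
```

Run it over the raw code section of a sample rather than the whole file, since the string patterns (Methods 11 and 13) will also match in data and resource sections.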
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>