<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h vector (es = 0, the IVT)
    xchg bx, es:[41h*4+2]    ; dx:bx now hold the previous vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; only runs if our handler really gets control
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our int 41h handler, save the old one
    xchg bx, es:[41h*4+2]
    in al, 40h               ; arbitrary value (timer port) instead of 4Fh
    xor cx,cx                ; cl = 0
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl != al: int 41h never reached our handler
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
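
Added example (not part of the original document): a Python triage scanner that
looks for the byte sequences and strings the listings above would assemble to,
so an analyst can see which of these checks a sample carries before stepping
through it. The instruction encodings (16-bit DOS forms, optional 66h prefix for
32-bit code) and the sample bytes are assumptions, hand-assembled for this example.

```python
"""Static triage scanner for the anti-SoftICE checks listed above.
Added example, not from the original document. Assumed encodings: the
16-bit DOS forms the listings assemble to, with an optional 66h prefix
where the same instruction would appear in 32-bit code."""
import re

# method label -> regex over raw bytes
SIGNATURES = {
    "01 'BCHK' signature: mov ebp,4243484Bh ... int 3":
        re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    "02 back door magics: mov si,4647h / mov di,4A4Dh":
        re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL),
    "03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F",
                   re.DOTALL),
    "05/06 int 41h function 4Fh":
        re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL),
    "07 int 68h function 43h":
        re.compile(rb"\xB4\x43.{0,6}?\xCD\x68", re.DOTALL),
    "05/07/12 cmp ax,0F386h (system debugger magic)":
        re.compile(rb"\x66?\x3D\x86\xF3"),
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12 VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    "13 NuMega registry key":
        re.compile(rb"Software\\NuMega\\SoftICE"),
}

def scan(data):
    """Return (offset, method label) pairs for every hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)

def methods_found(data):
    """Set of method labels whose signature occurs in data."""
    return {label for _, label in scan(data)}

# Constructed sample: methods 01, 03, 05, 11 and 13 hand-assembled/embedded,
# separated by NOP padding. Offsets of the hits: 4, 22, 34, 39, 46, 55, 65.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"           # mov ebp,4243484Bh (16-bit code)
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"      # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"       # registry key of method 13
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  method {label}")
```

A hit only says the bytes are present; confirm in a disassembler that they sit on an executed path, since data or overlapping instructions can produce the same sequence.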
</PRE></TD></TR></TBODY></TABLE>