About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped with a dummy
handler for the duration of the call, so without a debugger the call returns
with ax unchanged (es must hold the IVT segment 0, as set up in Method 06):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


A 2nd method similar to the preceding one, but more difficult to detect:
no 4Fh is loaded into ax before int 41h; a byte read from the timer port
is used instead, and the dummy handler copies it into cl.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: an arbitrary value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran -&gt; cl == al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the SoftICE
   VxD is loaded.  The ANSI entry point is named explicitly so the string
   literal matches whatever the project's UNICODE setting is. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
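As an added example from the analyst's side (not code from the original post): a small Python triage scanner that looks for the byte patterns of the checks above inside a binary, so you know which anti-SoftICE tricks a sample carries before stepping into it. The instruction encodings, the gap tolerance and the sample bytes are my own assumptions; a packer can compute the values at run time, so a miss is not proof of absence.

```python
import re
import sys

# Byte-level signatures for the SoftICE checks described in the post.
# Encodings are my own (assumption): 16-bit code for the DOS-era checks,
# 32-bit for the BoundsChecker and VxDCall ones.  Packers interleave junk
# between the value load and the interrupt, so a short gap is tolerated.
GAP = rb".{0,12}?"
SIGNATURES = {
    "method01_bchk_int3":        rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",  # mov ebp,'BCHK' .. int 3
    "method02_backdoor_magic":   rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A",  # mov si,4647h .. mov di,4A4Dh
    "method03_int2f_sice":       rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F",      # mov bx,0202h .. int 2Fh
    "method04_int2f_siwvid":     rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F",      # mov bx,7A5Fh .. int 2Fh
    "method05_int41_4f":         rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",      # mov ax,4Fh .. int 41h
    "method07_int68_43":         rb"\xB4\x43" + GAP + rb"\xCD\x68",          # mov ah,43h .. int 68h
    "method11_meltice_devname":  rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",        # "\\.\SICE" etc.
    "method12_vwin32_int41disp": rb"\x68\x2A\x00\x2A\x00",                   # push 002A002Ah
    "method13_numega_regkey":    rb"Software\\NuMega\\SoftICE",
}


def scan_buffer(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan_buffer(f.read())


# Constructed sample: Method 01, Method 03 and a MeltICE device name,
# separated by NOP sleds.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"       # mov ax, 4 (operand-size prefix in 32-bit code)
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x90" * 3
    + b"\xB8\x84\x16"           # mov ax, 1684h
    + b"\xBB\x02\x02"           # mov bx, 0202h
    + b"\xCD\x2F"               # int 2Fh
    + b"\x90" * 2
    + b"\\\\.\\SICE\x00"        # "\\.\SICE", NUL-terminated
    + b"\x90" * 5
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE)
    for offset, name in hits:
        print("0x%08x  %s" % (offset, name))
```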