<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE answers: 'BCHK' in ebp and function 04h
in ax, then int 3. If al is no longer 4 afterwards, SoftICE answered the call.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a much-used method (perhaps the most frequent one). It goes through
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands... It is also used to crash SoftICE and to force
it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"): if ES:DI comes back non-zero, the VxD is present.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The code swaps its own iret handler into
vector 41h for the duration of the call and restores the old vector
afterwards (es is assumed to address the interrupt vector table, segment 0,
as set up explicitly in Method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect.
The handler copies al into cl, so cl equals al afterwards only if the
program's own handler was reached; otherwise something else intercepted the
int 41h:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; a value that is hard to predict (timer port)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
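To make the two DR7 values quoted above concrete, here is an added example (not code from the original post) that decodes DR7 according to the standard Intel bit layout: 0x700 is bits 8 and 9 (LE and GE) on top of bit 10, which always reads as 1; 0x400 is bit 10 alone; and any armed breakpoint shows up in the L/G enable bits, with its access type and length in the high word. The bit positions are the documented ones; the sample values and the helper names (decode_dr7, classify, encode_bpm) are mine.

```python
# Decoder for the x86 DR7 debug-control register (added example, not from the
# original post).  Bit layout assumed is the one in the Intel manuals:
#   bits 0..7   L0 G0 L1 G1 L2 G2 L3 G3   local/global enable for DR0..DR3
#   bits 8, 9   LE, GE                     exact-breakpoint enables
#   bit 10      reserved, always reads as 1
#   bit 13      GD                         general detect: trap on any DR access
#   bits 16..31 R/W0 LEN0 .. R/W3 LEN3    2 bits each, per breakpoint register

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7):
    """Describe which hardware breakpoints a DR7 value has armed."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                     # DRn disabled: its R/W and LEN are ignored
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": n,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def classify(dr7):
    """Reproduce the Method 10 reasoning on a DR7 value read from ring 0."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "BPM set: %d hardware breakpoint(s) armed" % len(info["breakpoints"])
    if info["le"] or info["ge"]:
        return "no BPM, but LE/GE set (the 0x700 profile quoted in the post)"
    return "no BPM, LE/GE clear (the 0x400 profile quoted in the post)"


def encode_bpm(reg, rw, length, scope="global"):
    """Build the DR7 bits that arm one breakpoint (helper for the sample below)."""
    enable = 1 << (2 * reg + (1 if scope == "global" else 0))
    rw_bits = rw << (16 + 4 * reg)
    len_bits = {1: 0, 2: 1, 8: 2, 4: 3}[length] << (18 + 4 * reg)
    return (1 << 10) | enable | rw_bits | len_bits


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the post, plus one BPM
    # on a dword, write access, in DR0 (what a SoftICE BPM would leave behind).
    for value in (0x700, 0x400, encode_bpm(0, 1, 4)):
        print("dr7=%#x -> %s" % (value, classify(value)))
        for bp in decode_dr7(value)["breakpoints"]:
            print("   DR%d %s %s len=%d" % (bp["reg"], bp["scope"], bp["type"], bp["len"]))
```

The same decoder is handy on the defending side when reading a register dump from a VM or a kernel debugger: a non-empty breakpoint list means a BPM was armed at the time the program read the register, which is exactly what this trick is looking for.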
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
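The breakpoints given for Methods 11, 12 and 13 catch these tricks at run time. As an added example (not code from the original post, from NuMega, or from Stone), here is the static counterpart: a small scanner that turns the tricks of Methods 01 to 05, 07, 11, 12 and 13 into byte signatures and reports which of them appear in a buffer, the way an analyst would triage a packed sample before loading it in a debugger. The opcode encodings assumed (mov ax,imm16 = B8, int n = CD n, push imm32 = 68, and so on) are the standard x86 ones and are listed in the comments; the sample buffers are hand-assembled from the listings above and are constructed, not bytes taken from any real file.

```python
# Static scanner for the anti-SoftICE tricks of Methods 01 to 05, 07, 11, 12
# and 13 (added example, not code from the original post).  Each trick is
# reduced to the immediates it cannot avoid using, joined with small gaps so
# that unrelated instructions in between do not break the match.
import re
import struct

# x86 encodings assumed: mov ebp,imm32=BD  mov ax,imm16=B8  mov bx,imm16=BB
# mov si,imm16=BE  mov di,imm16=BF  mov ah,imm8=B4  int n=CD n  int 3=CC
# push imm8=6A  push imm32=68.  A 66h operand-size prefix in front of a mov
# does not disturb the match, so 16-bit DOS code and 32-bit PE code both hit.

def _w(v):      # 16-bit immediate, little-endian, regex-escaped
    return re.escape(struct.pack("<H", v))

def _d(v):      # 32-bit immediate, little-endian, regex-escaped
    return re.escape(struct.pack("<I", v))

def _gap(n):    # up to n arbitrary bytes between two parts of a signature
    return b".{0,%d}" % n

OPCODE_SIGNATURES = {
    "M01 BoundsChecker 'BCHK' via int 3":
        b"\xBD" + _d(0x4243484B) + _gap(8) + b"\xCC",
    "M02 int 3 back door (SI=4647h, DI=4A4Dh)":
        b"(?:\xBE" + _w(0x4647) + _gap(8) + b"\xBF" + _w(0x4A4D) +
        b"|\xBF" + _w(0x4A4D) + _gap(8) + b"\xBE" + _w(0x4647) + b")",
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        b"\xB8" + _w(0x1684) + _gap(6) + b"\xBB" + _w(0x0202) + _gap(6) + b"\xCD\x2F",
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        b"\xB8" + _w(0x1684) + _gap(6) + b"\xBB" + _w(0x7A5F) + _gap(6) + b"\xCD\x2F",
    "M05 int 41h function 4Fh":
        b"\xB8" + _w(0x004F) + _gap(8) + b"\xCD\x41",
    "M07 int 68h function 43h":
        b"\xB4\x43" + _gap(4) + b"\xCD\x68",
    "M12 VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh":
        b"(?:\x6A\x4F|\x68" + _d(0x4F) + b")" + _gap(4) + b"\x68" + _d(0x002A002A),
}

def _ascii_or_utf16(s):
    """Match s either as ASCII or as UTF-16LE (Win32 APIs come in both)."""
    return (b"(?:" + re.escape(s.encode("ascii")) + b"|" +
            re.escape(s.encode("utf-16-le")) + b")")

STRING_SIGNATURES = {
    "M11 device name \\\\.\\SICE":              _ascii_or_utf16("\\\\.\\SICE"),
    "M11 device name \\\\.\\SIWVID":            _ascii_or_utf16("\\\\.\\SIWVID"),
    "M11 device name \\\\.\\NTICE":             _ascii_or_utf16("\\\\.\\NTICE"),
    "M13 registry key Uninstall\\SoftICE":      _ascii_or_utf16("Uninstall\\SoftICE"),
    "M13 registry key NuMega\\SoftICE":         _ascii_or_utf16("NuMega\\SoftICE"),
    "M13 registry key App Paths\\Loader32.Exe": _ascii_or_utf16("App Paths\\Loader32.Exe"),
}

# Opcode patterns stay case-sensitive on purpose: with IGNORECASE the byte 41h
# ('A') would also match 61h, i.e. "int 41h" would also match "int 61h".
_COMPILED = (
    [(n, re.compile(p, re.DOTALL)) for n, p in OPCODE_SIGNATURES.items()] +
    [(n, re.compile(p, re.DOTALL | re.IGNORECASE)) for n, p in STRING_SIGNATURES.items()]
)

def scan(buf):
    """Return {signature name: [offsets]} for every signature present in buf."""
    hits = {}
    for name, rx in _COMPILED:
        offsets = [m.start() for m in rx.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits

def detected(buf):
    """Sorted signature names present in buf (empty list when nothing matches)."""
    return sorted(scan(buf))

# Constructed samples, hand-assembled from the listings in this post; they are
# not bytes taken from Haspinst.exe, MeltICE or any other real file.
SAMPLE_M01 = bytes.fromhex("BD4B484342" "B80400" "CC" "3C04" "7510")
SAMPLE_HASP = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC" "83C302" "41"
                            "83F906" "72EB" "E955FF" "8BDC")
SAMPLE_M03 = bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F" "8CC0" "03C7" "85C0" "7510")
SAMPLE_M05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7410")
SAMPLE_M12 = bytes.fromhex("6A4F" "682A002A00" "FF1500000000" "663D86F3" "7410")
SAMPLE_MELTICE = b"\\\\.\\SICE\x00" + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
SAMPLE_M13 = b"Software\\NuMega\\SoftICE\x00"
SAMPLE_CLEAN = bytes.fromhex("55" "8BEC" "B800000000" "5D" "C3")  # push ebp/mov ebp,esp/mov eax,0/pop ebp/ret

if __name__ == "__main__":
    for label, buf in (("method 01", SAMPLE_M01), ("haspinst", SAMPLE_HASP),
                       ("meltice", SAMPLE_MELTICE), ("clean", SAMPLE_CLEAN)):
        print("%-10s %s" % (label, ", ".join(detected(buf)) or "nothing found"))
```

Method 06 is deliberately absent from the table: it uses no fixed immediate (the value comes from in al,40h), so a byte signature for it would be little more than the int 41h opcode itself, which is far too noisy; that one has to be caught at run time. The gaps are kept short on purpose, since a wide gap after a common byte such as B8 turns a signature into a false-positive generator on any large binary.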

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>