<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector (es=0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The driver's device name; a handle is only returned if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
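A static scanner for the byte patterns behind Methods 01 to 07, 11 and 13, added here as an example (it is not part of the original text, nor code from any tool it mentions): it looks for the opcode sequences and the device-name/registry strings described above inside a buffer, so an analyst can flag these tricks in a sample without running it. The x86 encodings are the standard ones; the sample buffer is constructed for this example and is not taken from Haspinst.exe or MeltICE.

```python
import re

# Byte patterns for the tricks described in Methods 01-07, 11 and 13.
# Encodings: B8/BB/BE/BF iw = mov ax/bx/si/di,imm16; BD id = mov ebp,imm32;
# CC = int 3; CD xx = int xx; E4 40 = in al,40h; 3D iw = cmp ax,imm16;
# 66 = operand-size prefix that appears in front of 16-bit moves in 32-bit code.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' + int 3":   rb"\xBD\x4B\x48\x43\x42.{0,6}?\xCC",
    "M02 back door SI=4647h/DI=4A4Dh":     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,6}?\xCC",
    "M03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh":
        rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "M05 int 41h/4Fh":                     rb"\xB8\x4F\x00\xCD\x41",
    "M06 in al,40h / xor cx,cx / int 41h": rb"\xE4\x40(?:\x33\xC9|\x31\xC9)\xCD\x41",
    "M07 int 68h/43h":                     rb"\xB4\x43\xCD\x68",
    "M05/06/07/12 cmp ax,0F386h":          rb"\x3D\x86\xF3",
    "M11 MeltICE device name":             rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M13 SoftICE registry key":            rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(buf):
    """Return a list of (signature name, offset) for every hit, sorted by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: the Haspinst.exe loop of Method 02, the simplest Method 05
# check and a MeltICE device name, separated by NOP padding. Not a real binary.
PAD = b"\x90" * 8
HASP_LOOP = bytes([
    0xB8, 0x11, 0x09,        # MOV AX,0911  ; execute command
    0x8B, 0x17,              # MOV DX,[BX]  ; ds:dx -> command
    0xBE, 0x47, 0x46,        # MOV SI,4647  ; 1st magic value
    0xBF, 0x4D, 0x4A,        # MOV DI,4A4D  ; 2nd magic value
    0xCC,                    # INT 3
    0x83, 0xC3, 0x02,        # ADD BX,02
    0x41,                    # INC CX
    0x83, 0xF9, 0x06,        # CMP CX,06
    0x72, 0xEB,              # JB back to MOV AX,0911
])
INT41_CHECK = bytes([
    0xB8, 0x4F, 0x00,        # mov ax,4fh
    0xCD, 0x41,              # int 41h
    0x3D, 0x86, 0xF3,        # cmp ax,0F386h
    0x74, 0x05,              # jz SoftICE_detected
])
SAMPLE = PAD + HASP_LOOP + PAD + INT41_CHECK + PAD + b"\\\\.\\SICE\x00"
CLEAN = b"MZ" + b"\x90" * 32     # constructed buffer containing none of the patterns

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Patterns are deliberately tight (the register loads must sit next to the interrupt), so a protector that splits them with junk instructions will need a looser regex.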
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>