<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK') that SoftICE answers to:

        mov ebp, 04243484Bh     ; 'BCHK' signature
        mov ax, 04h             ; function 4
        int 3                   ; if SoftICE is loaded, its INT 3 handler answers
        cmp al,4                ; and AL is no longer 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point,
        add ax, di              ; still 0 if the VxD is not there
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh              ; int 41h/4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; a system debugger answers with AX=F386h
        jz SoftICE_detected


The next variant, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; (ES must be 0 here, the IVT segment, as set up in Method 06)
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler (keep the old vector)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; reaches our handler unless SoftICE takes it first
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone; SoftICE sets F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second variant, similar to the preceding one but harder to spot:

int41handler PROC
        mov cl,al               ; our handler just copies AL into CL
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our int 41h handler (keep the old vector)
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: an unpredictable byte
        xor cx,cx               ; CL = 0
        int 41h                 ; reaches our handler only if SoftICE does not take it
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL: our handler ran; CL still 0: intercepted
        jnz SoftICE_detected    ; (false negative if AL happened to read 0)
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h              ; int 68h/43h: debugger installation check
        int 68h
        cmp ax,0F386h           ; same magic number as int 41h/4Fh
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; int 21h/25h: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only, since MOV from DRx is a privileged instruction). The
values can be manipulated or changed as well (clearing BPMs for instance).
__________________________________________________________________________
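The following C program is an added example, not code from the original
document: it decodes a DR7 value into the per-breakpoint fields that Method 10
reads (the bit layout is the one documented in the Intel SDM for DR7), and
applies the text's own test, "anything beyond the always-set bit 10 (0x400)
means a debugger has touched DR7". The 0x400 and 0x700 values quoted above are
used as sample inputs; the third sample (DR0 armed as a 4-byte write
breakpoint) is constructed for the example. Function and type names are this
example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM):
 *   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3   local/global enable per breakpoint
 *   bits 8,9    LE,GE                     legacy "exact" flags
 *   bit  10     reserved, always reads 1  (hence the 0x400 baseline)
 *   bit  13     GD                        #DB on any MOV to/from DRx
 *   bits 16+4n  R/W n (2 bits), bits 18+4n LEN n (2 bits), n = 0..3
 */
typedef struct {
    int enabled;   /* L or G bit set: breakpoint armed */
    int global;    /* G bit: survives task switches */
    int rw;        /* 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len;       /* 1, 2 or 4 bytes (encoding 10b means 8 bytes in 64-bit mode) */
} dr7_bp;

typedef struct {
    dr7_bp bp[4];
    int le, ge;        /* bits 8 and 9 */
    int gd;            /* bit 13 */
    int any_enabled;   /* at least one of DR0..DR3 armed */
} dr7_info;

static int decode_len(unsigned bits)
{
    switch (bits) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* 10b: 8 bytes in 64-bit mode, undefined elsewhere */
    }
}

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info = {0};
    int n;
    for (n = 0; n < 4; n++) {
        unsigned l = (dr7 >> (2 * n)) & 1u;
        unsigned g = (dr7 >> (2 * n + 1)) & 1u;
        info.bp[n].enabled = (l | g) != 0;
        info.bp[n].global  = g != 0;
        info.bp[n].rw  = (int)((dr7 >> (16 + 4 * n)) & 3u);
        info.bp[n].len = decode_len((dr7 >> (18 + 4 * n)) & 3u);
        if (info.bp[n].enabled)
            info.any_enabled = 1;
    }
    info.le = (int)((dr7 >> 8) & 1u);
    info.ge = (int)((dr7 >> 9) & 1u);
    info.gd = (int)((dr7 >> 13) & 1u);
    return info;
}

/* The text's Method 10 test: only the reserved bit 10 is allowed to be set. */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & ~0x400u) != 0;
}

/* Accessors for one breakpoint slot n (0..3) */
int dr7_bp_enabled(uint32_t dr7, int n) { dr7_info d = decode_dr7(dr7); return d.bp[n].enabled; }
int dr7_bp_rw(uint32_t dr7, int n)      { dr7_info d = decode_dr7(dr7); return d.bp[n].rw; }
int dr7_bp_len(uint32_t dr7, int n)     { dr7_info d = decode_dr7(dr7); return d.bp[n].len; }

int main(void)
{
    /* constructed samples: the two values quoted in the text, plus DR0 armed
     * as a local 4-byte data-write breakpoint (L0 | RW0=01b | LEN0=11b) */
    static const uint32_t samples[] = { 0x400u, 0x700u, 0x000D0401u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info d = decode_dr7(samples[i]);
        int n;
        printf("DR7=%08X LE=%d GE=%d GD=%d debugger-touched=%d\n",
               (unsigned)samples[i], d.le, d.ge, d.gd, dr7_looks_debugged(samples[i]));
        for (n = 0; n < 4; n++)
            if (d.bp[n].enabled)
                printf("  DR%d armed: %s, rw=%d, len=%d\n", n,
                       d.bp[n].global ? "global" : "local", d.bp[n].rw, d.bp[n].len);
    }
    return 0;
}
```

Reading DR7 itself is not shown: the MOV from a debug register traps with #GP
outside ring 0, which is exactly why the text restricts this method to ring 0
code. Feed the decoder whatever your ring 0 component reads, or a value dumped
by the debugger, and note that a 0x700 with no slot armed already differs from
the 0x400 baseline.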

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded: the driver answered, so SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
        00401074: je 00401091           ; yes: not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; -> '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; -> '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1 respectively.)
__________________________________________________________________________
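The SoftICE conditional breakpoints quoted for Method 11 (CreateFileA) and
Method 13 (_regopenkey) both compare four bytes at a fixed offset into a string
argument: esp->4 and esp->8 are the first and second stack arguments, +4 skips
the "\\.\" device prefix, and 0x13 / 0x37 are where "tICE" sits in the two
registry subkeys. The C program below is an added example, not code from the
original document or from MeltICE: it re-implements those breakpoint conditions
on constructed inputs so the offsets can be verified, and also covers the
ones the breakpoints miss. Function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* SoftICE's *(addr)=='XXXX' reads the dword at addr and compares it with a
 * four-character literal; memcmp on four bytes is the endian-neutral
 * equivalent. Refusing to read past the terminating NUL avoids the bogus
 * match a raw dword read could give on a string shorter than the offset. */
static int dword_at_equals(const char *s, size_t off, const char *lit4)
{
    if (off + 4 > strlen(s))
        return 0;
    return memcmp(s + off, lit4, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...'SIWV' || ...'NTIC'
 * esp->4 is CreateFileA's first argument (lpFileName); +4 skips "\\.\". */
int createfile_bp_condition(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is RegOpenKey's second argument (lpSubKey). */
int regopenkey_bp_condition(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* Where "tICE" really sits in a subkey (-1 if absent): checks the hard-coded
 * 0x13 / 0x37 against the key spellings quoted in the text. */
long offset_of_tice(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (long)(p - lpSubKey) : -1L;
}

int main(void)
{
    /* constructed inputs: the device names and registry keys quoted in the
     * text, plus two strings that must NOT fire the CreateFileA breakpoint */
    static const char *files[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\SICE.TXT"
    };
    static const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
    };
    size_t i;
    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\"): bp fires=%d\n",
               files[i], createfile_bp_condition(files[i]));
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\"): tICE at %ld, bp fires=%d\n",
               keys[i], offset_of_tice(keys[i]), regopenkey_bp_condition(keys[i]));
    return 0;
}
```

Two things the run makes visible: the offsets only hold for the exact subkey
spellings, so key #3 (App Paths\Loader32.Exe) and a program that opens
Software\NuMega first and then "SoftICE" as a separate subkey both pass under
the quoted _regopenkey breakpoint; and the +4 in the CreateFileA condition
assumes the "\\.\" prefix, so a path such as C:\SICE.TXT is not a false
positive.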


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>