<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with 'BCHK'
in EBP and AH=04h, SoftICE's int 3 handler answers by modifying AL,
whereas with no debugger loaded the int 3 returns with AL still 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine, ...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP   ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). If no VxD with that ID is
loaded, ES:DI comes back unchanged (0:0); otherwise it points to the
VxD's API entry and the sum below is non-zero:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h  ; VxD ID of WINICE
    int 2Fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh  ; VxD ID of SIWVID
    int 2fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Here the program temporarily
replaces the int 41h vector with its own handler (a plain IRET), so a
call that still comes back with AX=0F386h cannot have been answered by
whatever real-mode handler sat in the IVT; SoftICE intercepted it before
the vector was reached. ES must already point to the IVT (segment 0),
as set up explicitly in Method 06:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but harder to detect, because
it never puts the telltale 4Fh in AX and never compares against 0F386h.
The temporary handler copies AL into CL; if SoftICE intercepts the
int 41h and does not pass it down, the handler never runs, CL stays 0
and the comparison fails:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax             ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h             ; read the PIT counter so AL is (almost always) non-zero
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only, since MOV from a debug register is privileged). Values
can be manipulated or changed as well (clearing BPMs for instance).
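The page gives the two raw DR7 values but not what they mean. The decoder below is an added example, not code from the page: it interprets a DR7 value and the DR0-DR3 addresses using the standard IA-32 bit layout (Intel SDM vol. 3, "Debug Registers"), so you can see that 0x400 is just the always-set reserved bit 10, that 0x700 adds the LE/GE exact-match enables, and which slots a BPM occupies. The function names and the sample values are mine; the 0xD0702 case is a constructed 4-byte global write watchpoint, not something taken from the page.

```python
# Added example (not from the page): decode the DR7 value that Method 10 reads.
#   bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3   per-slot local/global enable
#   bit 8, 9    LE, GE                    exact-match enables (set by SoftICE)
#   bit 10      reserved, always reads 1  (why 0x400 is the "empty" value)
#   bit 13      GD                        general detect: trap any DRn access
#   bits 16+4i  R/W_i   00 exec  01 write  10 I/O  11 read/write
#   bits 18+4i  LEN_i   00 1     01 2      10 8    11 4     (bytes)

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the armed hardware breakpoints and the global flags in DR7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "addr": dr0_3[i],
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "breakpoints": slots,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }


def softice_indicators(dr7, dr0_3=(0, 0, 0, 0)):
    """The page's heuristic made explicit: LE|GE with nothing armed is the
    0x700 'loaded through the SoftICE loader' state; any enabled slot is a
    BPM the debugger has set."""
    d = decode_dr7(dr7, dr0_3)
    return {
        "exact_match": d["le"] and d["ge"],      # 0x700 vs 0x400
        "bpm_count": len(d["breakpoints"]),      # DR0..DR3 in use
        "suspicious": (d["le"] and d["ge"]) or bool(d["breakpoints"]),
    }


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """Human-readable summary, one line for DR7 plus one per armed slot."""
    d = decode_dr7(dr7, dr0_3)
    lines = ["DR7=%08X LE=%d GE=%d GD=%d" % (dr7, d["le"], d["ge"], d["gd"])]
    for bp in d["breakpoints"]:
        lines.append("  DR%d=%08X %s %s len=%d" % (
            bp["slot"], bp["addr"], bp["scope"], bp["kind"], bp["len"]))
    return lines


if __name__ == "__main__":
    # Constructed values: the two the page quotes, plus a 4-byte global write
    # watchpoint on 0x401000 in slot 0 (G0, R/W0=01, LEN0=11) with LE|GE set.
    for dr7, drs in ((0x400, (0, 0, 0, 0)),
                     (0x700, (0, 0, 0, 0)),
                     (0xD0702, (0x401000, 0, 0, 0))):
        print("\n".join(describe(dr7, drs)), softice_indicators(dr7, drs))
```

Two practical caveats: MOV from DRn faults with #GP outside ring 0, so a ring 3 program cannot run this check at all, and on NT-family Windows the kernel saves and restores the debug registers per thread context, so the values a driver reads are the current thread's, not a machine-wide SoftICE state as on Win9x.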
$ i* V2 w) `$ d( W7 }* ?__________________________________________________________________________# x2 S1 F( x" `5 o% L3 H$ P& B
: K& v' Y) Z3 f+ nMethod 117 ^, G3 w6 B& [5 k
=========
* T z* _/ X, X2 d, `/ z1 ^
" H2 O6 L" H j9 B: FThis method is most known as 'MeltICE' because it has been freely distributed
6 D6 O" X8 T5 [/ x. n8 m7 wvia www.winfiles.com. However it was first used by NuMega people to allow
3 s& h7 p" _! Z3 r! ~! ySymbol Loader to check if SoftICE was active or not (the code is located
3 k6 U2 S: A- n: _+ U6 Minside nmtrans.dll).
6 x2 V) l) k# {5 A, J' L+ s# q3 I" U6 g; Q# J
The way it works is very simple:
) J6 U0 I$ U& t8 J( j" UIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for- V6 C; f' w h* P* [
WinNT) with the CreateFileA API.
5 U$ M$ l- b! t0 ~$ z ]) N7 Z( C0 J% g! W# t, t! I
Here is a sample (checking for 'SICE'):2 n1 K' L- G4 h( i
3 |) X5 y: r& d2 Q' N* j- ] K! O
BOOL IsSoftIce95Loaded()
0 Y' g$ X' H* D1 |{( e+ g* E$ l q# ?; n4 Y8 |
HANDLE hFile; : _5 N* T3 ^7 A/ [, z4 I6 S
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ _9 r! B& l% A9 i
FILE_SHARE_READ | FILE_SHARE_WRITE,
" h9 r2 r3 f# u8 t$ l5 L NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);! \' V6 L& C1 J* a0 l0 X+ [( @7 \2 M" ~
if( hFile != INVALID_HANDLE_VALUE )
. f# E3 ?2 k0 ]3 |' I* p1 h {
: T0 h8 o; Y/ P+ S$ s! K L# G4 h( _ CloseHandle(hFile);
% N) ]/ H5 i* e3 J. S- T4 A* ~5 w return TRUE;
& w L( G) N# B$ u }
# h' f6 ~$ Z5 K! v return FALSE;% L6 a* w3 K/ v+ y* [
}
8 T8 \ f' H- A U6 t' u( H ~
* A' r) l, d8 N5 h: R HAlthough this trick calls the CreateFileA function, don't even expect to be
& n- c0 b' m7 d' Eable to intercept it by installing a IFS hook: it will not work, no way!
' H' D6 V1 h- H! R) Q7 z* b2 uIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
1 \( A* C0 Y& G1 e" bservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)7 h7 o% I% \5 v3 Z8 W
and then browse the DDB list until it find the VxD and its DDB_Control_Proc+ w, F8 n% \9 p9 V q n, d3 g
field.
3 z; {% F4 B. K% e& R qIn fact, its purpose is not to load/unload VxDs but only to send a ; ^, x/ I. I* \( h0 v6 H$ J
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
+ e* P1 p: u2 v& b1 Uto the VxD Control_Dispatch proc (how the hell a shareware soft could try& \3 J3 J* m, c% G9 [
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
. w' f& _; G' x) n4 [" ^If the VxD is loaded, it will always clear eax and the Carry flag to allow
* E; Z: K7 H1 Z( tits handle to be opened and then, will be detected.. ?2 m/ f: B1 h- b% F
You can check that simply by hooking Winice.exe control proc entry point
' p) X5 y7 a7 n e1 h( `while running MeltICE.
S9 {* L* i6 N( X) [6 U0 Z
" E! p2 T8 B! X/ {3 z) u; z( e& G) V. U
00401067: push 00402025 ; \\.\SICE
" b1 M6 p8 h1 q+ g; G 0040106C: call CreateFileA2 u" e2 n8 _7 s- `3 w) W
00401071: cmp eax,-001! U2 }; R8 q' j. _9 ~
00401074: je 00401091/ @" Q# r" ^' }
$ l0 m b: c' b u
7 L* n! j, G g3 S8 k. }There could be hundreds of BPX you could use to detect this trick.
* B( {( i* m' _4 Y* V& M-The most classical one is:
2 F% ?' C% [# {. N BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||( E$ n, I8 d# U; E. P
*(esp->4+4)=='NTIC'
6 y5 b" Q) Q' R* A5 j, d" p6 m
9 R" F" ? ?( u {+ i-The most exotic ones (could be very slooooow :-(
3 h; f- ?4 u& j1 t. T0 u, g4 n BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
+ a K V, Z. f! C- z# Q0 Z3 C3 V ;will break 3 times :-(
5 N' J: b/ Q# J8 J; G$ [; }. Q4 N0 P" J% y9 I9 Q& c% K
-or (a bit) faster: . M- m+ X4 L/ `
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 a6 f' _2 d/ ~ X, E8 S9 R
8 b9 i( T( z( V0 y2 U BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' + q! r1 B+ z6 A3 n: ~1 y# k
;will break 3 times :-(
g+ Z2 y8 {& b2 x( t* [( m! O
j; r0 @0 \; \# k6 U-Much faster:
! \/ m9 A( r9 c3 N8 K BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'+ O# {5 J. {+ R9 p
0 P2 n" W2 o. {+ P( e' {. JNote also that some programs (like AZPR3.00) use de old 16-bit _lopen4 H9 |5 m1 r7 y
function to do the same job:
0 H4 N F* V: L' x/ D0 C H$ w1 _
push 00 ; OF_READ/ M' z- t6 U0 L' d. A
mov eax,[00656634] ; '\\.\SICE',04 j. D, T4 j9 K
push eax
& F% l2 U1 G1 P+ K' V9 p call KERNEL32!_lopen* `; u" l% x4 b/ K. p; r7 M
inc eax6 }& C* P. G- ?" ]( f+ a
jnz 00650589 ; detected
) y: A) ]. G$ h8 S! Y5 [ push 00 ; OF_READ* S, m9 N+ b+ @
mov eax,[00656638] ; '\\.\SICE'3 i J g7 e9 h* c+ P# l
push eax
/ I4 q. R0 [! K6 A6 l3 d) `! v call KERNEL32!_lopen
; X& G8 r d1 `" f5 n inc eax
e9 B+ `9 W3 y3 J# x% a jz 006505ae ; not detected
: z# v+ v9 s9 Z4 e) \. p
A! z! b( F) a
- ^) @/ F* X/ S/ \__________________________________________________________________________
' f- N& l* f0 j! O$ T4 \
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; offsets 0x13 and 0x37
are where "tICE" sits in key #2 and key #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
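Most of the checks above have a fixed byte encoding, so besides catching them live with the BPX/BPINT breakpoints suggested under each method you can grep a binary for them. The scanner below is an added example, not code from the page: it looks for the instruction sequences of Methods 01, 02, 03, 04, 05, 07 and 12 and the strings of Methods 11 and 13 in a raw code image (a DOS program body or a PE section) and reports the offset of each hit. The encodings are the ones the page's listings assemble to (16-bit form, with an optional 66h operand-size prefix allowed where a 32-bit binary would need one); the signature names, the small gaps the patterns tolerate between instructions, and the sample image are mine. The sample is hand-assembled from the page's listings with dummy branch targets and import address; it is not a real packer.

```python
# Added example (not from the page): static scanner for the anti-SoftICE
# byte patterns described in Methods 01-05, 07, 11, 12 and 13.
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh  ->  BD 4B 48 43 42 ('BCHK' little-endian)
    "01": ("BoundsChecker 'BCHK' in EBP before int 3",
           rb"(?:\x66)?\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  ->  BE 47 46 ... BF 4D 4A
    "02": ("SoftICE back door magic SI=4647h/DI=4A4Dh",
           rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh
    "03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
           rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    # Method 04: same with mov bx,7A5Fh
    "04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
           rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "05": ("int 41h function 4Fh debugger check",
           rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "07": ("int 68h function 43h (WinICE V86 handler)",
           rb"\xB4\x43.{0,4}?\xCD\x68"),
    # Method 11: the device names MeltICE-style code opens
    "11": ("MeltICE device name",
           rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12 (32-bit): push 4Fh ; push 2A002Ah  (imm8 or imm32 push)
    "12": ("VxDCall VWIN32_Int41Dispatch (002A002Ah, function 4Fh)",
           rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the registry path most programs probe (exact case as on the page)
    "13": ("SoftICE registry key",
           rb"Software\\NuMega\\SoftICE"),
}

# DOTALL so the inter-instruction gaps may contain 0Ah bytes.
COMPILED = {m: (desc, re.compile(pat, re.DOTALL))
            for m, (desc, pat) in SIGNATURES.items()}


def scan(image):
    """Return [(offset, method)] for every signature hit, in address order."""
    hits = []
    for method, (_desc, rx) in COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), method))
    return sorted(hits)


def report(image):
    """One line per hit: offset, method number and the page's description."""
    return ["%08X  Method %s  %s" % (off, m, COMPILED[m][0])
            for off, m in scan(image)]


# Constructed sample image: the page's listings hand-assembled (dummy branch
# targets and VxDCall import address), not a real protected program.
SAMPLE = b"".join([
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz +10h
    bytes.fromhex("66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 10"),
    # Method 02: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC"),
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    bytes.fromhex("33 FF  8E C7  B8 84 16  BB 02 02  CD 2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz +20h
    bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 20"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz +20h
    bytes.fromhex("B4 43  CD 68  3D 86 F3  74 20"),
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call [VxDCall] / cmp ax,0F386h / jz
    bytes.fromhex("6A 4F  68 2A 00 2A 00  FF 15 00 20 40 00  66 3D 86 F3  74 20"),
    # Methods 11 and 13: device names and the registry path as C strings
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00",
])

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Methods 06, 08, 09, 10 and 14 are deliberately absent: they have no fixed immediates (06 hides the 4Fh, 09 and 14 are VMMCall thunks, 10 is a MOV from a debug register, 08 is an ordinary int 21h call), so a byte pattern for them would fire on harmless code. Treat a hit as a lead for the corresponding breakpoint, not as proof by itself.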
</PRE></TD></TR></TBODY></TABLE>