About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; (assumes ES = 0, the interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the device opened, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
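Analyst-side static triage for the tricks of Methods 01 to 08, 11, 12 and 13, as an added example that is not part of the original post: a Python scanner that encodes the instruction bytes, device names and registry paths each method leaves in a binary and reports where they occur, so a sample can be checked for anti-SoftICE code before it is stepped through. The byte encodings are my assumptions for plain 16-bit (DOS) and 32-bit (Win32) x86 code, the UTF-16LE string search is an extension beyond the page's ANSI-only MeltICE strings, and SAMPLE is a constructed blob, not a real binary.

```python
import re

# Each entry: label -> byte regex for the bytes a method leaves behind
# (immediates little-endian). re.DOTALL lets '.' span any byte, so a 66h
# operand-size prefix or one stray instruction between the parts is
# tolerated inside the small window. Encodings assumed, not from the page.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' int 3": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh (magic values) ... int 3
    "02 int 3 back door SI=4647h/DI=4A4Dh": re.compile(
        rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A.{0,12}?\xCC", re.DOTALL),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    "03/04 int 2Fh/1684h VxD ID": re.compile(
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Methods 05/06: mov ax,4Fh ; int 41h
    "05/06 int 41h/4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 08: mov ax,2501h or 2503h (set int 01h/03h vector) ... int 21h
    "08 int 21h/25h revector int 01h/03h": re.compile(
        rb"\xB8[\x01\x03]\x25.{0,8}?\xCD\x21", re.DOTALL),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall 2A002Ah/4Fh": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}

# Methods 11 and 13: device names and registry paths, searched as ANSI and
# (beyond the page, for NT-era binaries) as UTF-16LE.
STRINGS = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE",
           rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE",
           rb"App Paths\Loader32.Exe"]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = [(m.start(), label)
            for label, rx in SIGNATURES.items() for m in rx.finditer(blob)]
    for s in STRINGS:
        for enc, needle in (("ansi", s), ("utf16", s.decode("latin-1").encode("utf-16-le"))):
            pos = blob.find(needle)
            while pos != -1:
                hits.append((pos, "11/13 string %s (%s)" % (s.decode("latin-1"), enc)))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: the HASP int 3 sequence of Method 02, a Method 05
# check, a Method 12 VxDCall and a MeltICE device name, separated by NOPs.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09"                  # mov ax,0911h
          + b"\x8B\x17"                      # mov dx,[bx]
          + b"\xBE\x47\x46\xBF\x4D\x4A"      # mov si,4647h ; mov di,4A4Dh
          + b"\xCC"                          # int 3
          + b"\x90" * 4
          + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh ; int 41h
          + b"\x90" * 4
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 2A002Ah
          + b"\x90" * 4
          + rb"\\.\SICE" + b"\x00")

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print("%08X  %s" % (off, label))
```

The windows in the regexes are deliberately small so that a genuine sequence is caught while an unrelated `int 3` or `int 21h` far away from the magic values is not; widen them only with a matching look at the disassembly.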