<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with ebp='BCHK' and
ax=4, SoftICE's int 3 handler services the call and changes al; without
SoftICE, al is still 4 when the interrupt returns.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:

-SI = 4647h
-DI = 4A4Dh

Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"). ES:DI is zeroed first, so it is still 0:0
after the call when the VxD is not loaded:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one installs its own
empty int 41h handler (a bare iret) for the duration of the call, so the
check does not depend on whatever the int 41h vector currently points to;
without a debugger the handler returns with ax still 4Fh:

        xor ax,ax
        mov es,ax               ; es = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]   ; in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
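
The five tricks above leave fixed byte sequences in the code that uses them,
which is how you find them in a packed file without running it. The scanner
below is an added example (not code from the original text, from SoftICE or
from any packer): it turns each trick into a byte pattern over the opcodes
shown above and reports which ones a code blob contains. The two blobs it
scans are constructed by hand for the demo.

```python
"""Signature scanner for the SoftICE checks of Methods 01 to 05.

Added example: this is not code from the original text, from SoftICE or
from any packer. Each trick is turned into a byte regex over the opcodes the
text shows (x86 immediates are little-endian, so 'mov si,4647h' is BE 47 46)
and scan() reports which tricks a code blob contains and at which offsets.
Both blobs at the bottom are constructed by hand for the demo.
"""
import re

# Up to 8 bytes may sit between the key instructions, so a packer that
# interleaves junk or reorders the register loads a little still matches.
GAP = rb".{0,8}?"

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_BCHK": rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (the 'FG' 'JM' magic)
    "M02_BACKDOOR": rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh (WINICE VxD ID)
    "M03_INT2F_WINICE": rb"\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F",
    # Method 04: same probe with the SIWVID VxD ID 7A5Fh
    "M04_INT2F_SIWVID": rb"\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "M05_INT41_4F": rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    # cmp ax,0F386h: the magic-number test shared by Methods 05, 07 and 12
    "MAGIC_F386": rb"\x3D\x86\xF3",
}
# re.DOTALL lets the gap swallow 0x0A bytes too.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {signature name: [offsets]} for every signature present in blob.

    These are heuristics: data that happens to look like 'mov ax,4Fh ; int 41h'
    fires too, so treat hits as leads to confirm in a disassembler, not proof.
    """
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed 16-bit DOS code: the Haspinst.exe back-door loop of Method 02,
# then the int 2Fh/1684h probe of Method 03 and the int 41h/4Fh check.
SAMPLE_DOS = bytes.fromhex(
    "B8 11 09 "        # mov ax,0911h
    "8B 17 "           # mov dx,[bx]
    "BE 47 46 "        # mov si,4647h
    "BF 4D 4A "        # mov di,4A4Dh
    "CC "              # int 3
    "83 C3 02 "        # add bx,2
    "41 "              # inc cx
    "83 F9 06 "        # cmp cx,6
    "72 EB "           # jb back to the top of the loop
    "31 FF "           # xor di,di
    "8E C7 "           # mov es,di
    "B8 84 16 "        # mov ax,1684h
    "BB 02 02 "        # mov bx,0202h
    "CD 2F "           # int 2Fh
    "B8 4F 00 "        # mov ax,4Fh
    "CD 41 "           # int 41h
    "3D 86 F3 "        # cmp ax,0F386h
)

# Constructed 32-bit code: the BoundsChecker trick of Method 01 (the 66h
# prefix makes 'mov ax' 16-bit inside 32-bit code) plus the SIWVID probe.
SAMPLE_WIN32 = bytes.fromhex(
    "BD 4B 48 43 42 "  # mov ebp,4243484Bh  ('BCHK')
    "66 B8 04 00 "     # mov ax,4
    "CC "              # int 3
    "3C 04 "           # cmp al,4
    "75 10 "           # jnz SoftICE_Detected
    "66 31 FF "        # xor di,di
    "8E C7 "           # mov es,di
    "66 B8 84 16 "     # mov ax,1684h
    "66 BB 5F 7A "     # mov bx,7A5Fh
    "CD 2F "           # int 2Fh
)


def report(blob: bytes, label: str) -> None:
    """Print one line per trick found, with the offsets inside the blob."""
    hits = scan(blob)
    print("%s: %d trick(s) found" % (label, len(hits)))
    for name, offsets in hits.items():
        print("  %-18s at %s" % (name, ", ".join("+%#x" % o for o in offsets)))


if __name__ == "__main__":
    report(SAMPLE_DOS, "DOS sample")
    report(SAMPLE_WIN32, "Win32 sample")
```

On a real file you would feed scan() the code section only; the patterns are
tight enough that a hit on a data section is almost always a false positive
worth ignoring.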

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
Instead of looking for the 0F386h magic value, it installs a handler that
copies al into cl and issues int 41h with a value read from the timer port
in al. If our handler ran, cl equals al; if SoftICE intercepted the interrupt
and returned without chaining to the vector, cl is still 0. There is no
4Fh/0F386h constant to put a breakpoint on:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al -> our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds must hold the routine's segment
        int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).
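
To see what such a ring-0 read of dr7 actually tells you, here is an added
example (not code from the original text and not SoftICE's) that decodes DR7
the way that check would: the 0x700 and 0x400 values above, a constructed
memory breakpoint, and the value a "clear the BPMs" write-back would use.
All register values in it are constructed; nothing touches a real debug
register.

```python
"""Decode DR7 the way the ring-0 check of Method 10 looks at it.

Added example, not part of the original text and not SoftICE's code. It takes
DR7 (and the DR0..DR3 addresses) as values a ring-0 routine would already have
read with 'mov eax,dr7' and reports what they mean: which hardware breakpoints
are armed, of what kind and length, and whether the LE/GE bits that make the
text's 0x700 differ from the bare 0x400 are set. All values are constructed.
"""

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7    L0 G0 L1 G1 L2 G2 L3 G3  enable bits, one local/global pair per DRn
#   bit  8 / 9   LE / GE                   "exact" breakpoint enables
#   bit  10      reserved, always reads 1  (this is the 0x400 baseline)
#   bit  13      GD                        trap on any access to DR0..DR7
#   bits 16+4n   R/W n (2 bits), bits 18+4n LEN n (2 bits), for breakpoint n
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "I/O", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 is only valid in 64-bit mode

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED1 = 1 << 10
DR7_GD = 1 << 13


def decode_dr7(dr7: int, addrs=(0, 0, 0, 0)) -> dict:
    """Split DR7 into its flags and the list of armed breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue        # slot is free; its R/W and LEN fields are meaningless
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"slot": n, "addr": addrs[n], "kind": RW_KIND[rw],
                    "len": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "breakpoints": bps}


def softice_indicators(dr7: int, addrs=(0, 0, 0, 0)) -> list:
    """The conclusions Method 10 draws, one human-readable line each."""
    d = decode_dr7(dr7, addrs)
    lines = []
    if d["le"] and d["ge"]:
        lines.append("LE and GE set (the 0x700 pattern): started under the SoftICE loader")
    for bp in d["breakpoints"]:
        lines.append("DR%d armed: %s breakpoint, %d byte(s) at %#010x (%s)"
                     % (bp["slot"], bp["kind"], bp["len"], bp["addr"], bp["scope"]))
    if d["gd"]:
        lines.append("GD set: the debugger traps this very read of the debug registers")
    return lines


def clear_bpms(dr7: int) -> int:
    """What a 'clear the BPMs' payload writes back to DR7: every enable bit and
    every R/W and LEN field dropped, LE/GE/GD and the reserved bit kept."""
    return dr7 & (DR7_LE | DR7_GE | DR7_RESERVED1 | DR7_GD)


if __name__ == "__main__":
    # Constructed values: a bare DR7, the loader pattern, and a 4-byte
    # read/write breakpoint in slot 0 the way 'BPM RW 401000' would arm it.
    samples = [
        ("no debugger state", 0x400, (0, 0, 0, 0)),
        ("SoftICE loader", 0x700, (0, 0, 0, 0)),
        ("BPM RW 401000", 0x400 | 0b01 | (0b11 << 16) | (0b11 << 18), (0x401000, 0, 0, 0)),
    ]
    for label, dr7, addrs in samples:
        print("%-18s dr7=%#07x" % (label, dr7))
        for line in softice_indicators(dr7, addrs) or ["nothing suspicious"]:
            print("  " + line)
        print("  after clear_bpms: %#07x" % clear_bpms(dr7))
```

Note that GD is the bit a debugger sets to catch exactly this kind of read:
with it set, the 'mov eax,dr7' itself raises #DB before the value is seen.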

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name the SoftICE VxD answers to;
       the open only succeeds when the driver is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* SoftICE detected */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
        00401074: je 00401091           ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the leading "\\.\" so
 the comparison lands on the driver name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) when the open fails
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" sits in key
 #2, "Software\NuMega\SoftICE", and 0x37 where it sits in key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>