<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

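As an added example (not code from this tutorial nor from any of the packers it describes), here is a small C scanner for the byte patterns that Methods 01, 02, 03, 05, 07, 11 and 12 leave in a binary image: the kind of static check an analyst runs on a sample before loading it under a debugger. The opcode encodings are standard x86 (16-bit code, except the Method 01 and Method 12 patterns, which are 32-bit); the SAMPLE buffer is constructed for the demo.

```c
/* Added example, not from the tutorial: a static scanner for the byte patterns
 * the SoftICE detection tricks leave in a binary, so an analyst can spot an
 * anti-debugging packer before running it. Encodings are standard x86, 16-bit
 * code unless noted; the SAMPLE buffer at the bottom is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;

/* 01: mov ebp,4243484Bh ('BCHK'), 32-bit operand */
static const uint8_t s_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* 02: mov si,4647h / mov di,4A4Dh, the back door magic values */
static const uint8_t s_magic[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* 03: mov ax,1684h / mov bx,0202h (SICE VxD ID) */
static const uint8_t s_vxd[]     = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02 };
/* 05: mov ax,4Fh / int 41h */
static const uint8_t s_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* 07: mov ah,43h / int 68h */
static const uint8_t s_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };
/* 11: the driver name MeltICE opens, as it sits in the data section */
static const uint8_t s_sice[]    = "\\\\.\\SICE";
/* 12: push 002A002Ah (VWIN32_Int41Dispatch), 32-bit */
static const uint8_t s_vxdcall[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };

static const sig_t SIGS[] = {
    { "01 BoundsChecker BCHK",             s_bchk,    sizeof s_bchk },
    { "02 SoftICE back door magic values", s_magic,   sizeof s_magic },
    { "03 int 2Fh/1684h SICE VxD ID",      s_vxd,     sizeof s_vxd },
    { "05 int 41h/4Fh debugger check",     s_int41,   sizeof s_int41 },
    { "07 int 68h/43h debugger check",     s_int68,   sizeof s_int68 },
    { "11 MeltICE driver name",            s_sice,    sizeof s_sice - 1 },
    { "12 VxDCall VWIN32_Int41Dispatch",   s_vxdcall, sizeof s_vxdcall },
};

/* Returns how many signatures occur in buf and writes the names of up to
 * max_hits of them to hits[] in table order (one hit per signature). */
size_t scan_for_softice_tricks(const uint8_t *buf, size_t len,
                               const char **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++)
        for (size_t i = 0; i + SIGS[s].len <= len; i++)
            if (memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0) {
                if (n < max_hits) hits[n] = SIGS[s].name;
                n++;
                break;
            }
    return n;
}

/* Constructed sample: a Haspinst-style Method 02 call followed by a
 * Method 05 check, padded with NOPs. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17,        /* mov ax,0911h / mov dx,[bx]  */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,  /* mov si,4647h / mov di,4A4Dh */
    0xCC,                                /* int 3                       */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,        /* mov ax,4Fh / int 41h        */
    0x3D, 0x86, 0xF3, 0x90,              /* cmp ax,0F386h               */
};
```

Calling scan_for_softice_tricks(SAMPLE, sizeof SAMPLE, hits, 8) reports the Method 02 and Method 05 patterns; a table like this is a starting point only, since a packer can split or reorder the instructions to defeat a fixed byte match.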
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>