<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface of SoftICE: EBP holds the signature 'BCHK', AX the
function number, and the call is made with INT 3. When SoftICE is loaded it
answers the call and AL no longer holds 4; without it, the INT 3 reaches
whatever handler the program has installed and AL keeps its value.

     mov ebp, 04243484Bh     ; 'BCHK' signature
     mov ax, 04h             ; BoundsChecker function 4
     int 3                   ; SoftICE intercepts this INT 3
     cmp al, 4               ; AL unchanged -> no SoftICE
     jnz SoftICE_Detected    ; AL modified -> SoftICE is present

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which return information on breakpoints or
execute SoftICE commands. It is also used to crash SoftICE or to force it
to execute arbitrary commands (HBOOT...) :-((

Here is a quick description (all of them are called through INT 3):
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command
4C19:0098 MOV DX,[BX]    ; DS:DX points to the command string (see below)
4C19:009A MOV SI,4647    ; 1st magic value
4C19:009D MOV DI,4A4D    ; 2nd magic value
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jump to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands
4C19:00AA JMP 0002       ; Bad_Guy: jump back
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the jump to 00ADh is performed by an exception handler if the debugger is
  not loaded.
___________________________________________________________________________
6 j) O5 v7 h0 u* G3 a' f
2 A- W+ {1 } q6 H5 l% q/ y* }; S5 AMethod 031 L7 ]) E# i' F6 A) Q: O: G
=========+ e3 F5 y3 L, H2 ]0 ?7 C
1 x: q7 w% B; kLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h9 j/ ~$ Z9 G2 Y9 M& O5 B+ [# W
(API Get entry point)- m O8 o* \0 S/ b4 r8 M2 Y
+ m% k+ o; d6 I |, z/ ]' [, c1 i3 I# F; c+ v, ~0 p0 H4 Y
xor di,di
& z X" E3 S1 E! J0 W' t3 E mov es,di
* ^, g) r3 j+ t" L2 {: Q# h mov ax, 1684h
8 [3 c$ x) J, f# B+ i& x. d mov bx, 0202h ; VxD ID of winice6 r3 q' u \; P' }
int 2Fh
$ P2 C; s! z a) h0 c7 q0 g mov ax, es ; ES:DI -> VxD API entry point
. c6 s, h7 P" ~5 G8 ` add ax, di# p. Y; t; D) ^
test ax,ax
* e! l3 v0 R. ~2 P, _ G2 U) C jnz SoftICE_Detected& K* V% t1 _$ v: b" o! E
' J" I! e) Z& }8 p$ G/ Y___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

     xor di, di
     mov es, di              ; ES:DI = 0 before the call
     mov ax, 1684h           ; Get Device API Entry Point
     mov bx, 7a5Fh           ; VxD ID of SIWVID
     int 2fh
     mov ax, es              ; ES:DI -> VxD API entry point
     add ax, di              ; cheap test for ES:DI != 0
     test ax, ax
     jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when INT 41h, function 4Fh (debugger installation check)
is called. There are several variants.

The following one is the simplest:

     mov ax, 4fh             ; debugger installation check
     int 41h
     cmp ax, 0F386h          ; magic number returned by a system debugger
     jz SoftICE_detected

The next variant, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the INT 41h vector
(in the interrupt vector table at 0000:0000) with a dummy handler that just
returns, so that without a debugger AX stays 4Fh; SoftICE handles INT 41h
itself rather than through that vector, so AX still becomes 0F386h when it
is loaded:

     xor ax, ax
     mov es, ax                  ; ES = 0 -> interrupt vector table
     mov bx, cs
     lea dx, int41handler2
     xchg dx, es:[41h*4]         ; install the dummy handler, keep the old
     xchg bx, es:[41h*4+2]       ; vector in BX:DX
     mov ax, 4fh
     int 41h
     xchg dx, es:[41h*4]         ; restore the original vector
     xchg bx, es:[41h*4+2]
     cmp ax, 0f386h
     jz SoftICE_detected

int41handler2 PROC
     iret                        ; dummy handler: leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot because it
uses neither the 4Fh function number nor the 0F386h constant: AL is loaded
with a byte read from the timer port, a dummy INT 41h handler copies AL into
CL, and the two are compared afterwards. Without SoftICE the dummy handler
runs and CL == AL; when SoftICE handles the interrupt itself, CL stays 0 and
the compare fails. (If the byte read from port 40h happens to be 0, the test
cannot tell the two cases apart.)

int41handler PROC
     mov cl, al                  ; dummy handler: records that it was reached
     iret
int41handler ENDP

     xor ax, ax
     mov es, ax                  ; ES = 0 -> interrupt vector table
     mov bx, cs
     lea dx, int41handler
     xchg dx, es:[41h*4]         ; install the dummy handler, keep the old
     xchg bx, es:[41h*4+2]       ; vector in BX:DX
     in al, 40h                  ; pseudo-random byte from the timer (port 40h)
     xor cx, cx
     int 41h
     xchg dx, es:[41h*4]         ; restore the original vector
     xchg bx, es:[41h*4+2]
     cmp cl, al
     jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

     mov ah, 43h             ; debugger installation check
     int 68h
     cmp ax, 0F386h          ; magic number returned by a system debugger
     jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

     BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

     mov ah, 25h                       ; DOS: set interrupt vector
     mov al, Int_Number                ; 01h or 03h
     mov dx, offset New_Int_Routine    ; DS:DX -> new handler
     int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

     mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
     mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
     VMMCall Get_DDB
     mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
     bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
devices (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; if the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD under Win9x */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 001Fh
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field. Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

     00401067: push 00402025     ; "\\.\SICE"
     0040106C: call CreateFileA
     00401071: cmp eax,-01       ; INVALID_HANDLE_VALUE
     00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one breaks on CreateFileA and checks the four characters
 that follow the "\\.\" prefix of the file name (first argument, at esp->4):
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(
-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(
-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old Win16-style
_lopen function to do the same job:

     push 00                     ; OF_READ
     mov eax,[00656634]          ; -> "\\.\SICE",0
     push eax
     call KERNEL32!_lopen
     inc eax                     ; HFILE_ERROR (-1) becomes 0
     jnz 00650589                ; detected
     push 00                     ; OF_READ
     mov eax,[00656638]          ; -> "\\.\SICE"
     push eax
     call KERNEL32!_lopen
     inc eax
     jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

     push 0000004fh          ; function 4fh (debugger installation check)
     push 002a002ah          ; high word selects the VxD (002Ah = VWIN32),
                             ; low word the service (002Ah = VWIN32_Int41Dispatch)
     call Kernel32!ORD_0001  ; VxDCall
     cmp ax, 0f386h          ; magic number returned by system debuggers
     jz SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f

     BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory. It is used by a few
programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where "tICE" sits in key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

     VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
     je not_installed

This service just checks a flag.
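
The tricks of Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13 all leave fixed
byte patterns in a program: the immediates of the instructions shown above
and the device/registry name strings. The following scanner is an added
example, not code from this page or from any of the programs it names: it
searches a binary image for those patterns using the x86 encodings of the
listed instructions (immediates little-endian; the 66h operand-size prefix
that 32-bit code puts in front of the 16-bit forms does not disturb the
match). The method labels, function names and the sample image are my own;
the sample is assembled by hand from the listings above and is not a real
executable. Treat the short patterns (cmp ax,0F386h is 3 bytes) as hints to
look at in a disassembler, not as proof on their own.

```c
/* Added example: scans a binary image for the byte patterns of the SoftICE
 * detection tricks described in this page.  Signature bytes follow the x86
 * encodings of the instructions shown above; labels, names and sample are mine. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *method, *desc; const unsigned char *bytes; size_t len; } sig_t;
typedef struct { const char *method, *desc; size_t offset; } hit_t;   /* one match */

/* Encodings (immediates little-endian): BD imm32 = mov ebp ; BE/BF imm16 = mov si/di ;
 * BB imm16 = mov bx ; B8 imm16 = mov ax ; B4 imm8 = mov ah ; CD xx = int xx ;
 * 3D imm16 = cmp ax ; 6A imm8 / 68 imm32 = push. */
static const unsigned char s01[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,'BCHK' */
static const unsigned char s02[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h ; mov di,4A4Dh */
static const unsigned char s03[]   = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };             /* mov bx,0202h ; int 2Fh */
static const unsigned char s04[]   = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };             /* mov bx,7A5Fh ; int 2Fh */
static const unsigned char s05[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh ; int 41h */
static const unsigned char sf386[] = { 0x3D, 0x86, 0xF3 };                         /* cmp ax,0F386h */
static const unsigned char s07[]   = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h ; int 68h */
static const unsigned char s12[]   = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh ; push 002A002Ah */

#define SIG(m, d, a) { m, d, a, sizeof(a) }
#define STR(m, d, s) { m, d, (const unsigned char *)(s), sizeof(s) - 1 }

static const sig_t sigs[] = {
    SIG("Method 01", "mov ebp,'BCHK' (BoundsChecker INT 3 interface)", s01),
    SIG("Method 02", "mov si,4647h / mov di,4A4Dh (back door magic values)", s02),
    SIG("Method 03", "mov bx,0202h / int 2Fh (SICE VxD ID)", s03),
    SIG("Method 04", "mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)", s04),
    SIG("Method 05", "mov ax,4Fh / int 41h (debugger installation check)", s05),
    SIG("Method 05/07/12", "cmp ax,0F386h (debugger magic number)", sf386),
    SIG("Method 07", "mov ah,43h / int 68h", s07),
    STR("Method 11", "\\\\.\\SICE device name", "\\\\.\\SICE"),
    STR("Method 11", "\\\\.\\SIWVID device name", "\\\\.\\SIWVID"),
    STR("Method 11", "\\\\.\\NTICE device name", "\\\\.\\NTICE"),
    SIG("Method 12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)", s12),
    STR("Method 13", "Software\\NuMega\\SoftICE registry key", "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Linear scan, every signature tried at every offset.  Stores at most
 * max_hits matches, in ascending offset order, and returns how many. */
size_t scan_softice_tricks(const unsigned char *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        for (size_t s = 0; s < NSIGS && n < max_hits; s++) {
            if (sigs[s].len <= len - i && memcmp(buf + i, sigs[s].bytes, sigs[s].len) == 0) {
                hits[n].method = sigs[s].method;
                hits[n].desc   = sigs[s].desc;
                hits[n].offset = i;
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample image (not a real program): padding, then one instance
 * of several tricks, hand-assembled from the listings above. */
static const unsigned char sample[] = {
    0x90, 0x90,                                     /* 00: nop ; nop */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                   /* 02: mov ebp,4243484Bh        (Method 01) */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10, /* 07: mov ax,4 ; int 3 ; cmp al,4 ; jnz */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,             /* 15: mov si,4647h ; mov di,4A4Dh (Method 02) */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, /* 21: mov ax,1684h ; mov bx,0202h ; int 2Fh (Method 03) */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, /* 29: mov ax,4Fh ; int 41h ; cmp ax,0F386h (Method 05) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* 37: "\\.\SICE",0               (Method 11) */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,       /* 46: push 4Fh ; push 002A002Ah (Method 12) */
    0xC3,                                           /* 53: ret */
};

/* Accessors for the demo result, so it can be checked without printing. */
static size_t demo_scan(hit_t *h, size_t max) { return scan_softice_tricks(sample, sizeof sample, h, max); }
size_t demo_hit_count(void) { hit_t h[32]; return demo_scan(h, 32); }
const char *demo_hit_method(size_t i) { hit_t h[32]; return i < demo_scan(h, 32) ? h[i].method : ""; }
size_t demo_hit_offset(size_t i) { hit_t h[32]; return i < demo_scan(h, 32) ? h[i].offset : (size_t)-1; }
size_t clean_hit_count(void) { unsigned char z[64] = { 0 }; hit_t h[4]; return scan_softice_tricks(z, sizeof z, h, 4); }

int main(void)
{
    hit_t hits[32];
    size_t n = scan_softice_tricks(sample, sizeof sample, hits, 32);
    for (size_t i = 0; i < n; i++)
        printf("%-15s @ offset %2zu  %s\n", hits[i].method, hits[i].offset, hits[i].desc);
    return 0;
}
```

Run on a real target, read the file into a buffer and pass it to
scan_softice_tricks; each hit offset is a place to set the corresponding BPX
or to patch the compare. The 0F386h compare is listed under several methods
because the same constant ends Methods 05, 07 and 12.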
</PRE></TD></TR></TBODY></TABLE>