About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 so that es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our own handler just echoes al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if our handler ran, cl == al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* CreateFile resolves to CreateFileA in an ANSI build; the open only
      succeeds if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
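To turn the instruction sequences of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into something an analyst can run over a suspicious binary, here is an added example (not part of the original text) in Python: a static triage scanner that matches the byte encodings of those checks and reports their offsets, tested on a constructed buffer. The signature names, the 16-bit versus 32-bit encoding choices and the sample bytes are assumptions made here.

```python
import re
import sys

# Static triage of a raw binary for the byte patterns of the SoftICE checks
# described above. Encodings are the 16-bit forms except where noted; the
# signature names are constructed here and belong to no existing tool.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]   # Method 11
WIDE_NAMES = [n.decode().encode("utf-16-le") for n in DEVICE_NAMES]  # CreateFileW form

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (32-bit code)
    "BCHK_BoundsChecker": rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (the back-door magic values)
    "BackDoor_magic_SI_DI": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    # Methods 03/04: mov bx,0202h or mov bx,7A5Fh ... int 2Fh
    "INT2F_1684_VxD_ID": rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "INT41_4F": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "INT68_43": rb"\xB4\x43\xCD\x68",
    # Methods 05/06/07/12: cmp ax,0F386h (66h operand-size prefix in 32-bit code)
    "CMP_AX_F386": rb"\x66?\x3D\x86\xF3",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)
    "VxDCall_Int41Dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: driver device names, ANSI and UTF-16LE
    "MeltICE_device_name": b"|".join(map(re.escape, DEVICE_NAMES)),
    "MeltICE_device_name_w": b"|".join(map(re.escape, WIDE_NAMES)),
    # Method 13: the registry key most programs look up
    "NuMega_registry_key": rb"(?i)Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return sorted (offset, signature_name) pairs for every hit in blob."""
    hits = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(blob))
    return sorted(hits)


# Constructed sample: 8 bytes of padding, then Method 01 (32-bit form), the HASP
# Method 02 sequence, a MeltICE device name and Method 07 with its cmp ax,0F386h;
# the hits land at offsets 8, 27, 35, 44 and 48.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00\\\\.\\SICE\x00"
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x05"                      # mov ah,43h; int 68h; cmp ax,0F386h; jz
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:#010x}  {name}")
```

Run it with a file path to scan a real binary, or with no argument to scan the embedded sample.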
</PRE></TD></TR></TBODY></TABLE>