<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4              ; al is changed if SoftICE answered the int 3
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911     ; execute command.
  4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647     ; 1st magic value.
  4C19:009D MOV DI,4A4D     ; 2nd magic value.
  4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
  4C19:00A8 JB 0095         ; 6 different commands.
  4C19:00AA JMP 0002        ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h          ; VxD ID of winice
  int 2Fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax             ; ES:DI stays 0000:0000 if the VxD is not loaded
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh          ; VxD ID of SIWVID
  int 2fh
  mov ax, es             ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]    ; es is assumed to be 0 (IVT segment) here
  xchg bx, es:[41h*4+2]  ; install our own int 41h handler, keep the old one
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]    ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl,al              ; our handler just copies al into cl
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h             ; read the timer: a value the debugger cannot predict
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl,al              ; cl != al if our handler did not get the call
  jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

  mov ah, 25h
  mov al, Int_Number             ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
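An added example, not code from the original text: a Python decoder for the DR7 values quoted above, assuming Intel's documented DR7 bit layout. It shows why the page's 0x700 and 0x400 differ (0x700 additionally has the LE and GE exact-breakpoint enable bits set) and how armed BPMs in dr0-dr3 show up; classify_dr7 applies the page's heuristic to a value read in ring0.

```python
# Added example, not from the original text. DR7 layout (Intel, assumed here):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable of dr0..dr3
#   bit 8 LE, bit 9 GE         local/global "exact" breakpoint enable
#   bit 10     reserved, always reads 1 (this is the 0x400 the page sees)
#   bit 13 GD                  general detect
#   bits 16-31 R/Wn (2 bits) and LENn (2 bits) for each of the four slots

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # LEN=10b means 8 bytes (64-bit mode only)

def decode_dr7(dr7):
    """Describe which hardware breakpoints and control bits DR7 has set."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "LE": bool((dr7 >> 8) & 1),
            "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1)}

def classify_dr7(dr7):
    """Apply the page's Method 10 heuristic to a DR7 value read in ring0.
    'bpm-set'        some dr0..dr3 slot is armed (a BPM is active)
    'softice-loader' 0x700: LE and GE set, as the page reports for the loader
    'plain'          0x400: only the always-one reserved bit
    'other'          anything else (GD set, unusual control bits, ...)"""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "bpm-set"
    if dr7 == 0x700:
        return "softice-loader"
    if dr7 == 0x400:
        return "plain"
    return "other"

if __name__ == "__main__":
    # Constructed values: the two quoted by the page, plus 0xF0401, a DR7 with a
    # 4-byte read/write BPM armed in slot 0 (L0=1, R/W0=11b, LEN0=11b).
    for value in (0x700, 0x400, 0xF0401):
        print(hex(value), classify_dr7(value), decode_dr7(value))
```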

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025      ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                               ; will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                               ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                   ; OF_READ
  mov eax,[00656634]        ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589              ; detected
  push 00                   ; OF_READ
  mov eax,[00656638]        ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae               ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

  push 0000004fh         ; function 4fh
  push 002a002ah         ; high word specifies which VxD (VWIN32)
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001  ; VxdCall
  cmp ax, 0f386h         ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
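The breakpoints above catch these tricks at run time; an added example, not code from the original text, does the same job statically: a Python scanner that looks through a binary for the artifacts of Methods 01, 02, 03/04, 05 (and its 07/12 relatives), 11, 12 and 13. The opcode encodings are the standard x86 ones (an assumption of this example, not stated on the page); it also matches UTF-16 copies of the device names, which the page does not mention.

```python
import re

# Added example, not from the original text: static triage of a DOS/Win9x
# binary for the SoftICE-detection artifacts listed on this page. Opcode
# bytes are the standard x86 encodings (assumed); "66" is the 32-bit prefix.
OPCODE_RULES = [   # (method number on this page, what it is, byte pattern)
    (1, "mov ebp,'BCHK' before int 3 (BoundsChecker probe)",
        rb"\xbd\x4b\x48\x43\x42"),
    (2, "mov si,4647h + mov di,4A4Dh (back-door magic values)",
        rb"\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a"),
    (3, "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID, method 04)",
        rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"),
    (5, "cmp ax,0F386h (magic number; also methods 07 and 12)",
        rb"\x66?\x3d\x86\xf3"),
    (12, "push 4Fh + push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
STRING_RULES = [   # matched as ANSI and as UTF-16LE copies
    (11, "SoftICE device name (MeltICE / _lopen check)",
        [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    (13, "SoftICE registry key", [b"Software\\NuMega\\SoftICE"]),
]

def _compile_rules():
    rules = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in OPCODE_RULES]
    for m, d, names in STRING_RULES:
        alts = [re.escape(n) for n in names]
        alts += [re.escape(n.decode("ascii").encode("utf-16-le")) for n in names]
        rules.append((m, d, re.compile(b"|".join(alts))))
    return rules

RULES = _compile_rules()

def scan(blob):
    """Return [(offset, method, description), ...] sorted by offset."""
    hits = []
    for method, desc, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(blob):
    """Sorted method numbers (as numbered on this page) whose signature appears."""
    return sorted({method for _, method, _ in scan(blob)})

# Constructed sample, not a real file: the listings of Methods 01, 02 and 05
# plus the strings of Methods 11 and 13, concatenated.
SAMPLE = (b"\x90" * 4
          + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # mov ebp,'BCHK'; mov ax,4; int 3
          + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # mov si,4647h; mov di,4A4Dh; int 3
          + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # mov ax,4fh; int 41h; cmp ax,0F386h
          + b"\\\\.\\SICE\x00"                           # device name opened by MeltICE
          + b"Software\\NuMega\\SoftICE\x00")           # registry key #2

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print("%06x  method %02d  %s" % (offset, method, desc))
```

A hit only says the bytes are present; a packer that builds the magic values at run time (Method 11's handle names decrypted on the fly, for instance) is still only caught by the breakpoints above.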

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>