<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with ebp holding
the 'BCHK' signature and ax=4, the int 3 is answered by SoftICE, which
changes al. If al is still 4 afterwards, nobody answered.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls
SoftICE's 'back door' interface, which gives information on breakpoints,
executes SoftICE commands, and so on.
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the VxD ID of SoftICE via int 2Fh/1684h
(the "Get VxD API entry point" call): if the VxD is loaded, ES:DI comes
back non-zero.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks up the ID of
the SoftICE GFX (video) VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first swap the int 41h vector in the
real-mode IVT (segment 0, offset 41h*4) for a dummy iret handler and restore
it afterwards, so that nothing sitting in the vector table can answer; a
system debugger hooking the interrupt above the IVT still returns 0F386h:

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, old vector -> bx:dx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The replacement handler just copies al into cl. If the int 41h really lands
on the vector the program installed, cl equals al afterwards; if a debugger
hooked above the vector table swallows the interrupt instead, the handler
never runs, cx stays at zero and cl != al gives it away. (al is read from
the timer port so that it is almost never zero; on the rare read of 0 the
check misses.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, old vector -> bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: an unpredictable value in al
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h of the
int 68h debugger interface answers with the same 0F386h magic number.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds must hold the routine's segment
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
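To make the two DR7 values quoted above concrete, here is an added example (not FrogsICE code, not part of the original text) that decodes and builds DR7 the way a ring 0 check would after a `mov eax, dr7`. The bit layout is the one documented in the Intel SDM; the 0x400/0x700 interpretation follows the observation above. Reading the registers themselves still needs ring 0, this only shows what the values mean and what "clearing BPMs" amounts to.

```python
"""Decode and build DR7 values as read by the Method 10 check (ring 0 only).

Added example, not FrogsICE code.  DR7 layout (Intel SDM vol. 3, debug
registers): bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 LE, bit 9 GE,
bit 10 is reserved and always reads as 1, bit 13 GD; bits 16-31 hold the
R/Wn,LENn pairs (two bits each) for DR0..DR3.  So 0x400 is an idle DR7 (only
the reserved bit set) and 0x700 is the same with LE and GE added, which is
what the text reports for a program started through the SoftICE loader.
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
DR7_RESERVED = 0x400                      # bit 10, always set
DR7_LE, DR7_GE, DR7_GD = 0x100, 0x200, 0x2000


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the LE/GE/GD flags and the list of enabled hardware breakpoints.

    dr0_3 holds the linear addresses read from DR0..DR3 (zeros when only DR7
    is available)."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                              # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "reg": n,
            "addr": dr0_3[n],
            "kind": RW_KIND[rw],
            "len": 1 if rw == 0 else LEN_BYTES[ln],   # execute bps are 1 byte
            "scope": "global" if glob else "local",
        })
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD), "breakpoints": bps}


def looks_like_softice_loader(dr7):
    """The observation from the text: LE and GE both set (0x700 vs 0x400)."""
    return dr7 & (DR7_LE | DR7_GE) == (DR7_LE | DR7_GE)


def set_breakpoint(dr7, n, kind, length=1, global_scope=False):
    """Return dr7 with slot n armed (the address itself goes into DRn)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    if rw == 0 and length != 1:
        raise ValueError("execute breakpoints must have length 1")
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0x3 << (2 * n)) & ~(0xF << (16 + 4 * n)) & 0xFFFFFFFF
    dr7 |= (2 if global_scope else 1) << (2 * n)
    dr7 |= (rw | (ln << 2)) << (16 + 4 * n)
    return dr7 | DR7_RESERVED


def clear_breakpoints(dr7):
    """What 'clearing BPMs' amounts to: drop every enable and R/W,LEN field."""
    return (dr7 & ~0xFF & ~0xFFFF0000) | DR7_RESERVED


if __name__ == "__main__":
    armed = set_breakpoint(0x700, 0, "write", 4)        # BPM-style write watch
    print(hex(armed), decode_dr7(armed, (0x401000, 0, 0, 0)))
    print(hex(clear_breakpoints(armed)))                 # back to 0x700
```

Note that clearing the enable bits from inside the protected program is exactly what defeats a BPM set from SoftICE, which is why the text warns against tracing with breakpoints active while this option is on.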
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open only succeeds if the driver is
loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; the +4 skips the leading "\\.\")

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is the subkey name; offsets 0x13 and 0x37 land on the "tICE" of
    key #2 and key #1 respectively)

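All of the tricks above leave recognisable bytes in the protected file, so they can be found statically before the program is ever run under SoftICE. The following scanner is an added example (not FrogsICE code, not from the original text) that covers Methods 01 through 07, 11, 12 and 13: the opcode encodings are the standard x86 ones, the device and registry names are the ones quoted above, and the sample blobs are constructed by hand from the snippets on this page (a 32-bit PE carries a 66h prefix in front of the 16-bit `mov ax/si/di` forms, which does not disturb the matches because the prefix precedes the bytes looked for).

```python
"""Static scanner for the SoftICE detection signatures catalogued above.

Added example (not FrogsICE code).  Each signature is a label plus a regular
expression over raw bytes.  Opcode encodings are the standard x86 ones, 16-bit
operand size for the DOS/V86 snippets (mov ax,imm16 = B8 iw, mov si/di,imm16 =
BE/BF iw, mov bx,imm16 = BB iw, int n = CD ib, int 3 = CC, cmp ax,imm16 = 3D
iw) and 32-bit for the 'BCHK' check (mov ebp,imm32 = BD id); the strings are
the device and registry names quoted in Methods 11 and 13.  Lazy `.{0,n}?`
gaps allow for the few register moves packers interleave between the set-up
and the interrupt.
"""
import re

# Back door sub-functions from Method 02 (AX values), used to label hits.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# (label, pattern, extra regex flags).  IGNORECASE is only safe on the text
# signatures: on opcode bytes it would also match e.g. 6Fh for 4Fh ('o'/'O').
SIGNATURES = [
    ("method 01: BCHK/int 3 BoundsChecker check",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)", 0),
    ("method 02: SI=4647h/DI=4A4Dh back door int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
     rb".{0,16}?(?:\xCC|\xCD\x03)", 0),
    ("method 03: int 2Fh/1684h for VxD 0202h (SICE)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F", 0),
    ("method 04: int 2Fh/1684h for VxD 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F", 0),
    ("method 05/06: int 41h function 4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41", 0),
    ("method 05/06/07/12: cmp ax,0F386h debugger magic", rb"\x66?\x3D\x86\xF3", 0),
    ("method 07: int 68h function 43h", rb"\xB4\x43.{0,8}?\xCD\x68", 0),
    ("method 12: VxDCall VWIN32_Int41Dispatch(4Fh)", rb"\x6A\x4F\x68\x2A\x00\x2A\x00", 0),
    ("method 11: SoftICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("method 13: SoftICE registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", re.IGNORECASE),
]
COMPILED = [(label, re.compile(pat, re.DOTALL | flags)) for label, pat, flags in SIGNATURES]


def _backdoor_function(blob, start):
    """Look a few bytes before a Method 02 hit for the `mov ax,09xxh` selector."""
    m = re.search(rb"\xB8([\x10-\x14])\x09", blob[max(0, start - 12):start])
    return (0x0900 | m.group(1)[0]) if m else None


def scan(blob):
    """Return a sorted list of (offset, label) for every signature found."""
    hits = []
    for label, regex in COMPILED:
        for m in regex.finditer(blob):
            text = label
            if label.startswith("method 02"):
                func = _backdoor_function(blob, m.start())
                if func is not None:
                    text += " (AX=%04Xh, %s)" % (func, BACKDOOR_FUNCS[func])
            hits.append((m.start(), text))
    return sorted(hits)


# Constructed samples (not taken from any real binary): the machine code of
# one snippet from the text each, plus a clean control (a plain prologue).
SAMPLES = {
    "bchk":     bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505"),
    "haspinst": bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC" "83C302"),
    "int2f":    bytes.fromhex("33FF" "8EC7" "B88416" "BB0202" "CD2F"),
    "int41":    bytes.fromhex("B84F00" "CD41" "3D86F3" "7402"),
    "int68":    bytes.fromhex("B443" "CD68" "3D86F3"),
    "bleem":    bytes.fromhex("6A4F" "682A002A00" "FF1500000000" "663D86F3"),
    "meltice":  b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00",
    "clean":    bytes.fromhex("558BEC83EC1033C0C9C3"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for offset, label in scan(blob) or [(None, "no hit")]:
            print("%-9s %s  %s" % (name, "--" if offset is None else "+%02X" % offset, label))
```

Treat the hits as triage leads rather than proof: a three-byte pattern such as `3D 86 F3` will also fire on data and on unrelated code, so confirm each offset in a disassembler, and note that a packer usually unpacks these routines at run time, in which case the scan has to be run on a memory dump rather than on the file on disk.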
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>