About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
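As an added example, not part of the original post, here is a small static scanner that looks for the opcode sequences behind methods 01 to 07 in a raw 16-bit code image (a DOS .COM or a carved code section), the way an analyst triaging a protected sample would. The signature names, the regex gaps and the hand-assembled sample bytes are my own constructions; the instruction encodings are standard x86 (the sample reproduces the Haspinst.exe loop body from Method 02, so the addresses in that listing line up with the byte lengths used here).

```python
"""Static scanner for the 16-bit opcode sequences behind methods 01-07.
Hypothetical analyst helper; the signature names and sample bytes are
constructed for this example, the encodings are standard x86."""
import re

# Each signature is a regex over raw bytes.  ".{0,8}?" allows a few unrelated
# instructions between the anchoring ones (the HASP loop has MOV DX,[BX]
# between MOV AX,0911 and MOV SI,4647).  INT 3 may be CC or the long form CD 03.
SIGNATURES = [
    # Method 01: MOV EBP,4243484Bh ('BCHK') ... INT 3.  BD 4B 48 43 42 is the
    # 32-bit form; in 16-bit code a 66h prefix precedes it and is not anchored.
    ("int 3 BoundsChecker 'BCHK' probe",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)"),
    # Method 02: MOV SI,4647h ; MOV DI,4A4Dh ; INT 3  (back-door magic values)
    ("int 3 back-door call, SI=4647h/DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)"),
    # Method 03: MOV AX,1684h ; MOV BX,0202h ; INT 2Fh  (SICE VxD ID)
    ("int 2Fh/1684h entry point of VxD 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    # Method 04: same query for VxD ID 7A5Fh (SIWVID)
    ("int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    # Methods 05/06: MOV AX,4Fh ; INT 41h
    ("int 41h/4Fh debugger-installation check",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Methods 05/07: CMP AX,0F386h, the magic value system debuggers return
    ("compare against debugger magic 0F386h",
     rb"\x3D\x86\xF3"),
    # Method 07: MOV AH,43h ; INT 68h
    ("int 68h/43h V86 WinICE handler check",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes):
    """Return [(offset, signature_name), ...] sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    hits.sort()
    return hits


# Constructed sample: the Method 02 loop body from the HASP listing, a Method 05
# check and a Method 03 query, hand-assembled and padded with NOPs (90h).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"       # mov ax,0911h
    + b"\x8B\x17"           # mov dx,[bx]
    + b"\xBE\x47\x46"       # mov si,4647h
    + b"\xBF\x4D\x4A"       # mov di,4A4Dh
    + b"\xCC"               # int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00"       # mov ax,4Fh
    + b"\xCD\x41"           # int 41h
    + b"\x3D\x86\xF3"       # cmp ax,0F386h
    + b"\x90" * 2
    + b"\xB8\x84\x16"       # mov ax,1684h
    + b"\xBB\x02\x02"       # mov bx,0202h
    + b"\xCD\x2F"           # int 2Fh
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:04X}  {name}")
```

The gaps are deliberately short: a packer that spreads the setup instructions further apart, or builds the magic values arithmetically, will not match, so treat a hit as a pointer for manual review rather than a verdict.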
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
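To make the two dr7 values quoted above concrete, here is an added DR7 decoder (my own helper, not code from the post): it splits the register into its control bits and the four breakpoint slots, so you can see that 0x400 is just the reserved bit that always reads as 1, that 0x700 adds the LE and GE exact-breakpoint bits, and what a check of this kind sees once a BPM has armed one of dr0 to dr3. The bit layout is Intel's; the third sample value (DR0 armed as a 4-byte write breakpoint) is constructed.

```python
"""Decoder for the x86 DR7 debug-control register, to show what the dr7 values
quoted above (0x400 and 0x700) mean and what a ring-0 check of dr0-dr3 sees.
Hypothetical helper; the bit layout is Intel's, the sample values are the
post's plus one constructed value."""

# R/W field of each slot: what kind of access triggers the breakpoint
_CONDITION = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field: bytes covered (0b10 means 8 bytes in 64-bit mode only)
_LENGTH = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the global control bits and its four breakpoint slots."""
    slots = []
    for i in range(4):
        slots.append({
            "slot": i,
            "local": bool((dr7 >> (2 * i)) & 1),        # Ln enable (bits 0,2,4,6)
            "global": bool((dr7 >> (2 * i + 1)) & 1),   # Gn enable (bits 1,3,5,7)
            "condition": _CONDITION[(dr7 >> (16 + 4 * i)) & 0b11],  # R/Wn
            "length": _LENGTH[(dr7 >> (18 + 4 * i)) & 0b11],        # LENn
        })
    return {
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1: the 0x400 baseline
        "GD": bool((dr7 >> 13) & 1),              # general detect: fault on any MOV DRn
        "slots": slots,
    }


def debugger_indicators(dr7: int) -> list:
    """The observations a Method 10 style check keys on, as readable strings.
    An empty list is the clean 0x400 state."""
    d = decode_dr7(dr7)
    signs = []
    if d["LE"] and d["GE"]:
        signs.append("LE/GE set: exact-breakpoint mode (the 0x700 SoftICE Loader state)")
    if d["GD"]:
        signs.append("GD set: debug-register access is being trapped")
    for s in d["slots"]:
        if s["local"] or s["global"]:
            scope = "global" if s["global"] else "local"
            signs.append(f"DR{s['slot']} armed: {scope} {s['condition']} "
                         f"breakpoint, {s['length']} byte(s)")
    return signs


if __name__ == "__main__":
    # 0x000D0401 is constructed: L0 set, R/W0 = write, LEN0 = 4 bytes
    for value in (0x400, 0x700, 0x000D0401):
        print(f"dr7={value:#010x}: {debugger_indicators(value) or ['clean']}")
```

The same decoder explains why the post warns against tracing with breakpoints set: any slot it reports as armed is visible to the protected program the moment it reads dr7 from ring 0.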

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
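To show exactly what the breakpoint conditions quoted for Method 11 (the CreateFileA check) and for Method 13 (the _regopenkey check) test, here is an added Python evaluator that is not part of the original post. It lays out a call frame and memory the way SoftICE sees them at the API's first instruction, then applies the esp->n dereferences and the four-byte compares by hand, so the origin of the offsets 4, 0x13 and 0x37 becomes visible. The Snapshot class, the frame layout, the sample strings and every address except 00402025 and 00401071 (both from the MeltICE disassembly above) are my own constructions; treating SoftICE's multi-character literal as a byte-wise compare in memory order is an assumption.

```python
"""Evaluator for the two SoftICE breakpoint conditions quoted for methods 11
and 13, run against a constructed stack/memory snapshot.  Hypothetical analyst
code; the Snapshot class, the frame layout and every address except 00402025
and 00401071 (taken from the MeltICE disassembly) are constructed."""
import struct


class Snapshot:
    """Sparse flat memory: a dict of base address -> bytes."""

    def __init__(self):
        self.regions = {}

    def write(self, addr: int, data: bytes):
        self.regions[addr] = bytes(data)

    def read(self, addr: int, n: int) -> bytes:
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        raise KeyError(f"unmapped read at {addr:#010x}")

    def dword(self, addr: int) -> int:
        """SoftICE's 'p->n' operator: the dword stored at p+n."""
        return struct.unpack("<I", self.read(addr, 4))[0]


def bytes_equal(mem: Snapshot, addr: int, literal: bytes) -> bool:
    """SoftICE's *(addr)=='XXXX' multi-character compare, taken here as a
    byte-wise compare in memory order (assumption).  Unmapped memory is
    treated as no match."""
    try:
        return mem.read(addr, len(literal)) == literal
    except KeyError:
        return False


def createfile_probe(mem: Snapshot, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    esp->4 is the first argument, lpFileName; the +4 steps over the four
    bytes of the '\\\\.\\' device prefix."""
    lp_filename = mem.dword(esp + 4)
    return any(bytes_equal(mem, lp_filename + 4, tag)
               for tag in (b"SICE", b"SIWV", b"NTIC"))


def regopenkey_probe(mem: Snapshot, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 0x13 (19) and 0x37 (55) are where the 'tICE' of
    'SoftICE' falls in 'Software\\NuMega\\SoftICE' and in the longer
    '...CurrentVersion\\Uninstall\\SoftICE' path."""
    lp_subkey = mem.dword(esp + 8)
    return any(bytes_equal(mem, lp_subkey + off, b"tICE") for off in (0x13, 0x37))


STACK = 0x0012FF80            # constructed esp at the API's first instruction
STR_CREATEFILE = 0x00402025   # lpFileName address from the disassembly above
STR_SUBKEY = 0x00403000       # constructed address for the sub-key string


def push_frame(mem: Snapshot, esp: int, ret: int, args) -> None:
    """[esp] = return address, [esp+4] = arg1, [esp+8] = arg2, ... as the
    stdcall caller left them."""
    mem.write(esp, struct.pack("<I", ret) + b"".join(struct.pack("<I", a) for a in args))


def createfile_scenario(filename: bytes) -> bool:
    """CreateFileA(filename, GENERIC_READ|GENERIC_WRITE, share, ...) as seen by the BPX."""
    mem = Snapshot()
    mem.write(STR_CREATEFILE, filename + b"\x00")
    push_frame(mem, STACK, 0x00401071, [STR_CREATEFILE, 0xC0000000, 0x3])
    return createfile_probe(mem, STACK)


def regopenkey_scenario(subkey: bytes) -> bool:
    """RegOpenKey(HKEY_LOCAL_MACHINE, subkey, &hKey) as seen by the BPX."""
    mem = Snapshot()
    mem.write(STR_SUBKEY, subkey + b"\x00")
    push_frame(mem, STACK, 0x00401234, [0x80000002, STR_SUBKEY, 0x0012FFA0])
    return regopenkey_probe(mem, STACK)


if __name__ == "__main__":
    for name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE", b"C:\\readme.txt"):
        print(name.decode(), createfile_scenario(name))
    for key in (b"Software\\NuMega\\SoftICE",
                b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"):
        print(key.decode(), regopenkey_scenario(key))
```

Running it shows that 'tICE' sits 19 bytes into Software\NuMega\SoftICE and 55 bytes into the Uninstall\SoftICE path (keys #2 and #1), and that key #3 (App Paths\Loader32.Exe) falls through the quoted condition, so a program probing only that key is not caught by it.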

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.