<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, SoftICE's int 3 handler answers the call and AL no
longer holds 4 afterwards, whereas with no debugger the registers come back
untouched. (In a Win32 program an int 3 with no debugger attached raises an
exception, so the check has to run under an exception handler; see the note
on method 02.)

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4              ; AL still 4 -> nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed beforehand so that a missing
VxD leaves 0:0 there; any other value means the VxD answered.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WINICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; still 0:0 -> VxD not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). A dummy int 41h handler is
swapped into the interrupt vector table first (ES must hold segment 0, as
in method 06), so that with no debugger resident the interrupt returns with
AX still equal to 4Fh, while a resident SoftICE answers with 0F386h:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to spot since no
compare against 0F386h appears. A dummy int 41h handler copies AL into CL;
a byte read from the timer port (40h) is put in AL and CX is cleared before
the int 41h. If our handler ran, CL equals AL afterwards; when SoftICE is
resident the installed handler is not reached and CL stays 0. (If the port
happens to return 0, CL equals AL anyway and the check misses SoftICE.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; pseudo-random byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h is
the debugger installation check, and a resident debugger answers with
AX=0F386h.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                       ; DOS: set interrupt vector
    mov al, Int_Number                ; 01h or 03h
    mov dx, offset New_Int_Routine    ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their values (ring 0 only, since MOV from a debug register is a
privileged instruction). Bit 10 of DR7 is reserved and always reads as 1,
so 0x400 is the clean value; 0x700 additionally has the LE and GE (exact
breakpoint) bits set. The values can be manipulated or changed as well
(clearing BPMs, for instance).
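
The C program below is an added example (not code from the original text or
from any tool it describes): it decodes a DR7 value the way such a ring-0
check would, so the clean 0x400 and the 0x700 signature can be told apart
and any armed DR0-DR3 breakpoints (SoftICE BPMs) are listed with their type
and length. The bit layout follows the Intel SDM; the sample DR7 values are
constructed in the code, since reading the real register needs ring 0
(mov eax, dr7) and is not attempted here.

```c
/* Added example (not from the original text): decode DR7 as a ring-0
 * anti-debug check would. Bit layout per the Intel SDM: L0/G0..L3/G3 in
 * bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (always 1), GD bit 13,
 * R/Wn in bits 16+4n, LENn in bits 18+4n. Sample values are constructed. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE  (1u << 8)
#define DR7_GE  (1u << 9)
#define DR7_GD  (1u << 13)

struct hwbp {
    int enabled;     /* local or global enable bit set */
    int rw;          /* 0=exec, 1=write, 2=I/O, 3=read/write */
    int len;         /* 1, 2, 4 bytes (8 only in 64-bit mode) */
};

struct dr7_info {
    int le, ge, gd;
    struct hwbp bp[4];
};

static int len_bytes(unsigned field)
{
    switch (field) {
    case 0: return 1;
    case 1: return 2;
    case 3: return 4;
    default: return 8; /* field 2: undefined in 32-bit mode, 8 bytes in 64-bit */
    }
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info = {0};
    info.le = !!(dr7 & DR7_LE);
    info.ge = !!(dr7 & DR7_GE);
    info.gd = !!(dr7 & DR7_GD);
    for (int n = 0; n < 4; n++) {
        info.bp[n].enabled = !!(dr7 & (3u << (2 * n)));
        info.bp[n].rw = (dr7 >> (16 + 4 * n)) & 3;
        info.bp[n].len = len_bytes((dr7 >> (18 + 4 * n)) & 3);
    }
    return info;
}

/* Number of armed breakpoints: a non-zero result is what a protector keys
 * on to decide that BPMs are set. */
int armed_breakpoints(uint32_t dr7)
{
    struct dr7_info info = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += info.bp[n].enabled;
    return count;
}

/* 1 if DR7 carries the LE+GE signature the text attributes to the SoftICE
 * loader (0x700), 0 for the clean value 0x400 (reserved bit 10 only). */
int looks_like_sice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Build a DR7 value that arms DRn as a BPM with the given type and length;
 * clearing the same bits is what "clearing BPMs" amounts to. */
uint32_t arm_bpm(uint32_t dr7, int n, int rw, int len)
{
    unsigned lenfield = (len == 1) ? 0 : (len == 2) ? 1 : 3;
    dr7 &= ~(0xFu << (16 + 4 * n));   /* clear R/Wn and LENn */
    dr7 |= 1u << (2 * n);             /* Ln: local enable */
    dr7 |= (uint32_t)rw << (16 + 4 * n);
    dr7 |= (uint32_t)lenfield << (18 + 4 * n);
    return dr7;
}

int main(void)
{
    /* constructed sample values, not readings from a real machine */
    uint32_t samples[] = { 0x400, 0x700, arm_bpm(0x700, 1, 3, 4) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info = decode_dr7(samples[i]);
        printf("DR7=%#x loader=%d armed=%d", samples[i],
               looks_like_sice_loader(samples[i]), armed_breakpoints(samples[i]));
        for (int n = 0; n < 4; n++)
            if (info.bp[n].enabled)
                printf(" DR%d:rw=%d len=%d", n, info.bp[n].rw, info.bp[n].len);
        printf("\n");
    }
    return 0;
}
```

arm_bpm() shows exactly which DR7 bits a BPM on DRn sets, and therefore
which bits a protector has to clear (or a debugger has to watch) when the
text talks about values being manipulated.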
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE (Win9x) driver answers to \\.\SICE */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the driver is there: close it and report it */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 "\\.\" prefix, so the 4 bytes compared are the start of the driver name):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                      ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004Fh         ; function 4Fh
    push 002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets at which "tICE" sits in the key #2 and key #1 subkey
strings respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

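As an added example (not from the original text), the C program below works
out the offsets used in the conditional breakpoints of methods 11 and 13 and
emulates their conditions. The assumption is SoftICE's expression semantics:
*(ptr+off)=='SICE' is true when the four bytes in memory at ptr+off read
S,I,C,E in that order, so +4 skips the "\\.\" prefix of the CreateFileA name
and +0x13/+0x37 are where "tICE" sits in the key #2 and key #1 subkey
strings. The device and key strings are constructed inline to mirror the
text, passed the way a program would pass them (the HKEY_LOCAL_MACHINE root
is the hKey argument, not part of the subkey string).

```c
/* Added example, not from the original text: derive and check the offsets
 * used by the CreateFileA (method 11) and RegOpenKey (method 13) BPX
 * conditions. Assumed SoftICE semantics: *(ptr+off)=='SICE' is true when
 * the 4 bytes in memory at ptr+off are S,I,C,E in that order. */
#include <stdio.h>
#include <string.h>

/* Offset of the first occurrence of the 4-byte tag inside s, or -1. */
long tag_offset(const char *s, const char tag[4])
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

/* Emulate the SoftICE condition *(arg+off)=='TAG' on a NUL-terminated
 * argument: 1 if the breakpoint would fire, 0 otherwise. The length check
 * keeps the emulation from reading past a short string. */
int bpx_cond_matches(const char *arg, size_t off, const char tag[4])
{
    if (off + 4 > strlen(arg))
        return 0;
    return memcmp(arg + off, tag, 4) == 0;
}

/* Strings constructed to mirror the text: the three device names of
 * method 11, and the sub-keys of method 13 as a program passes them
 * (HKEY_LOCAL_MACHINE is the hKey argument, not part of the string). */
const char *const sice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
};
const char *const sice_keys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC' :
 * esp->4 is lpFileName, +4 skips the "\\.\" prefix. */
int createfile_bpx_fires(const char *lpFileName)
{
    return bpx_cond_matches(lpFileName, 4, "SICE")
        || bpx_cond_matches(lpFileName, 4, "SIWV")
        || bpx_cond_matches(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is lpSubKey; 0x13 and 0x37 are where "tICE" sits in key #2 and
 * key #1 respectively (tag_offset in main recomputes them). */
int regopenkey_bpx_fires(const char *lpSubKey)
{
    return bpx_cond_matches(lpSubKey, 0x13, "tICE")
        || bpx_cond_matches(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        printf("CreateFileA(\"%s\"): 'SICE' at +%ld, BPX fires=%d\n",
               sice_devices[i], tag_offset(sice_devices[i], "SICE"),
               createfile_bpx_fires(sice_devices[i]));
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\"): 'tICE' at +%ld, BPX fires=%d\n",
               sice_keys[i], tag_offset(sice_keys[i], "tICE"),
               regopenkey_bpx_fires(sice_keys[i]));
    return 0;
}
```

tag_offset() is the calculation you repeat whenever you write such a
breakpoint against a different string (a renamed driver, another key): find
where a distinctive 4-byte window lies and compare there, rather than
hard-coding an offset copied from someone else's condition.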
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed       ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>