<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: the caller
puts 'BCHK' in EBP and 04h in AX, then executes INT 3. If SoftICE is loaded
it services the interrupt and returns with AL changed; without it, AL is
still 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; back door call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is present, ES:DI receives its
API entry point; if it is absent, ES:DI stays 0:0.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger in answer to int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_Detected

The next one, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). For the duration of the call it
swaps its own int 41h handler (a bare IRET) into the interrupt vector
table, so that with no debugger present AX comes back unchanged; SoftICE
hooks int 41h itself and still answers 0F386h:

 xor ax, ax
 mov es, ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h
 jz SoftICE_Detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to spot because
AH is not 4Fh (a "BPINT 41 if ax==4f" will not fire). The dummy handler
copies AL into CL; if SoftICE swallows the interrupt the handler never
runs, CL stays 0 and differs from the timer byte read from port 40h. (If
that byte happens to be 0 the check gives a false negative.)

int41handler PROC
 mov cl, al
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h ; arbitrary, normally non-zero byte (PIT counter)
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl, al
 jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function 43h is the
debugger installation check; like int 41h/4Fh it answers 0F386h when a
system debugger is present.

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
 (the function called is at byte ptr [ebp+1Dh] and the client EIP is at
 [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless here ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
 with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can tell whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can also be manipulated or
changed (clearing BPMs, for instance).
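To make the DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes a DR7 value the way a ring 0 check would after reading it with "mov eax, dr7" (that instruction faults with #GP from ring 3): it reports the LE/GE bits behind the 0x700 pattern, lists which of DR0-DR3 are armed with their type and length, and computes the value that disarms every BPM. The helper names and the sample values are this example's own; the bit layout is the IA-32 one.

```c
#include <stdint.h>
#include <stdio.h>

/* IA-32 DR7 layout:
 *   bit 2n   : Ln  local enable for DRn     bit 2n+1 : Gn  global enable
 *   bit 8    : LE  local exact              bit 9    : GE  global exact
 *   bit 10   : reserved, always reads 1 (the 0x400 baseline)
 *   bit 13   : GD  general detect (fault on any MOV to/from a DRx)
 *   bits 16+4n,17+4n : R/Wn  00=exec 01=write 10=I/O 11=read/write
 *   bits 18+4n,19+4n : LENn  00=1 01=2 11=4 (10=8 in 64-bit mode)     */

struct hwbp { int enabled; int global; int rw; int len; };

struct dr7_info {
    int le, ge, gd;
    int active;          /* number of DR0-DR3 slots with L or G set */
    struct hwbp bp[4];
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };   /* indexed by LEN field */
    struct dr7_info d = { 0 };
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n)) & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        d.bp[n].enabled = local | global;
        d.bp[n].global  = global;
        d.bp[n].rw  = (dr7 >> (16 + 4 * n)) & 3;
        d.bp[n].len = len_tab[(dr7 >> (18 + 4 * n)) & 3];
        d.active   += d.bp[n].enabled;
    }
    return d;
}

/* The heuristic quoted in Method 10: a program started by the SoftICE
 * loader shows LE|GE (0x300) on top of the reserved 0x400, i.e. 0x700. */
int dr7_looks_loaded_by_softice(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Value to write back to DR7 to disarm every BPM: drop all Ln/Gn enables
 * and the R/W-LEN fields, keep bits 8-15 (LE, GE, GD, reserved). Writing
 * it back ("mov dr7, eax") is ring 0 only.                               */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

static void show(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d softice-loaded=%d armed=%d\n",
           dr7, d.le, d.ge, d.gd, dr7_looks_loaded_by_softice(dr7), d.active);
    for (int n = 0; n < 4; n++)
        if (d.bp[n].enabled)
            printf("  DR%d: %s rw=%d len=%d\n", n,
                   d.bp[n].global ? "global" : "local", d.bp[n].rw, d.bp[n].len);
}

int main(void)
{
    /* Constructed sample values: bare reserved bit, the SoftICE loader
     * pattern, and a 4-byte write BPM armed on DR0 (L0=1, RW0=01, LEN0=11). */
    show(0x00000400u);
    show(0x00000700u);
    show(0x000D0701u);
    return 0;
}
```

The third sample decodes to one local write breakpoint of length 4 on DR0 on top of the 0x700 pattern, and dr7_clear_bpms() maps it back to 0x700. Note that the 0x700 heuristic is exactly that: any other debugger or driver that sets LE/GE will trip it too.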

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open succeeds only if the
driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open succeeds only if the SICE VxD is loaded and answers DIOC_OPEN. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to
intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how could a shareware program load or
unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag, which lets
the handle be opened, and the debugger is then detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025 ; "\\.\SICE"
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 "\\.\" prefix so the comparison lands on the driver name):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (a failed _lopen returns HFILE_ERROR = -1, so
"inc eax" leaves zero only on failure):

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004Fh ; function 4Fh
 push 002A002Ah ; high word selects the VxD (VWIN32),
 ; low word selects the service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_Detected

Here again, several ways to catch it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
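Most of the tricks in this list (01 to 07, 11 and 12) leave a fixed byte sequence in the program: a magic constant next to an INT, or a driver name. As an added example (not code from the original text, and not any of the tools it names), here is a small C scanner that looks for those sequences in a raw code buffer, run over a constructed sample that embeds a few of them. The signature encodings are the plain 16-bit instruction forms shown above (32-bit code adds a 66h prefix to 16-bit register moves; only the Method 02 magic values get that variant here), and the name/offset reporting is this example's own design.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One fixed byte pattern per trick, as the tricks appear in this list. */
struct sig { const char *name; const uint8_t *bytes; size_t len; };

static const uint8_t s_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };              /* mov ebp,'BCHK'               */
static const uint8_t s_fgjm16[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };        /* mov si,4647h / mov di,4A4Dh  */
static const uint8_t s_fgjm32[]  = { 0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A }; /* same, in 32-bit code   */
static const uint8_t s_sice[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t s_siwvid[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* ... mov bx,7A5Fh ...   */
static const uint8_t s_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };              /* mov ax,4Fh / int 41h         */
static const uint8_t s_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };                    /* mov ah,43h / int 68h         */
static const uint8_t s_vxdcall[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };  /* push 4Fh / push 002A002Ah    */
static const uint8_t s_dev_sice[]   = "\\\\.\\SICE";
static const uint8_t s_dev_siwvid[] = "\\\\.\\SIWVID";
static const uint8_t s_dev_ntice[]  = "\\\\.\\NTICE";

#define SIG(name, arr)    { name, arr, sizeof arr }
#define STRSIG(name, arr) { name, arr, sizeof arr - 1 }   /* drop the NUL */

static const struct sig sigs[] = {
    SIG("Method 01: mov ebp,'BCHK' (BoundsChecker signature)", s_bchk),
    SIG("Method 02: SI='FG' DI='JM' back door magic (16-bit)", s_fgjm16),
    SIG("Method 02: SI='FG' DI='JM' back door magic (32-bit)", s_fgjm32),
    SIG("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)", s_sice),
    SIG("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", s_siwvid),
    SIG("Method 05: int 41h/4Fh debugger check", s_int41),
    SIG("Method 07: int 68h/43h debugger check", s_int68),
    SIG("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)", s_vxdcall),
    STRSIG("Method 11: device name \\\\.\\SICE", s_dev_sice),
    STRSIG("Method 11: device name \\\\.\\SIWVID", s_dev_siwvid),
    STRSIG("Method 11: device name \\\\.\\NTICE", s_dev_ntice),
};

struct hit { size_t offset; const char *name; };

/* Scans buf for every signature, filling out[] in offset order. Returns the
 * total number of matches, which may exceed max_out (only max_out stored). */
size_t scan_antidebug(const uint8_t *buf, size_t len, struct hit *out, size_t max_out)
{
    size_t nhits = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
            const struct sig *sg = &sigs[s];
            if (sg->len <= len - off && memcmp(buf + off, sg->bytes, sg->len) == 0) {
                if (nhits < max_out) {
                    out[nhits].offset = off;
                    out[nhits].name   = sg->name;
                }
                nhits++;
            }
        }
    }
    return nhits;
}

/* Constructed sample, not taken from any real binary: Method 01's BCHK
 * sequence, a Method 03 VxD check, a MeltICE device name and a Method 12
 * VxDCall, separated by NOPs. */
const uint8_t sample_code[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,                    /* mov ebp,'BCHK'              */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,              /* mov ax,4 / int 3 / cmp al,4 */
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* int 2Fh/1684h, bx=0202h     */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,    /* "\\.\SICE"                  */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,        /* push 4Fh / push 002A002Ah   */
    0x90
};

int main(void)
{
    struct hit hits[16];
    size_t n = scan_antidebug(sample_code, sizeof sample_code, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

A hit tells you where to put a breakpoint and which of the SoftICE conditions above to use; a miss proves nothing, since a packer can build the constants at run time, split the mov and the int with other instructions, or store the device name encoded. Extend the table with wildcard masks if you need to tolerate interleaved instructions, and expect the occasional stray match in data for the shorter patterns.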
4 w3 T2 {' q( s. l0 j% D__________________________________________________________________________+ q; X7 k, {# u8 s# t/ u+ [
7 R" g, G0 r; v u6 n! J
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in keys #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>