<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with EBP='BCHK' and
AX=4, SoftICE answers the int 3 by modifying AL, whereas without SoftICE the
int 3 returns with AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h ('FG')
  -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911   ; execute command.
4C19:0098  MOV  DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647   ; 1st magic value.
4C19:009D  MOV  DI,4A4D   ; 2nd magic value.
4C19:00A0  INT  3         ; back-door call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06     ; repeat 6 times to execute
4C19:00A8  JB   0095      ; 6 different commands.
4C19:00AA  JMP  0002      ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.

___________________________________________________________________________
" b# G6 K$ C @0 w& j) e! U, Z3 W% j6 ~/ c2 `
4 Z* m1 ]( k. y7 o8 n& S$ uMethod 03
# a _) }3 Y8 r9 L3 C=========
, [4 w2 q- b" ~" f- W" N
9 r! w) V' ~2 q1 S; a$ v9 `4 ~0 _3 ZLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ V" o$ j3 `" ^2 K1 O* e(API Get entry point)
& B! e& b6 B, B" Y : s# A5 O3 E' |1 [
. i$ _5 q& A* L# m8 f8 P
xor di,di
) _$ I1 W+ E/ A9 O mov es,di- Z' i3 a0 m7 I C
mov ax, 1684h , J3 t" H+ \. M* p C
mov bx, 0202h ; VxD ID of winice. F" c- }4 R$ j, A: ^
int 2Fh# d6 W. O) T' P& H! K: J
mov ax, es ; ES:DI -> VxD API entry point
( g) s; F" Y8 w$ n3 i9 A add ax, di* _8 F$ f9 S% P* B# h
test ax,ax
; z! f. I3 O* A; @ jnz SoftICE_Detected
. \* d* u) M7 k
3 s! S* @+ ~4 I3 u4 t4 _9 j: J___________________________________________________________________________, W# d: o! `: c' e6 U

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first installs a dummy IRET
handler on int 41h through the real-mode interrupt vector table (ES must be
segment 0; under plain DOS the int 41h vector is the fixed disk parameter
table pointer, not a code entry point), so the call returns harmlessly with
AX unchanged unless a resident debugger intercepts it and answers 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]   ; swap in our handler (segment)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to spot: neither
function 4Fh nor the 0F386h constant appears in the code. The program's own
int 41h handler copies AL into CL; AL holds a byte read from the timer port
40h and CX is zeroed before the call. If the handler runs, CL equals AL
afterwards. If SoftICE is present the handler is not reached (or AL comes
back changed), CL no longer matches AL and the check fires. The trick misses
only when the timer byte happens to be 0.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
" B% W5 L3 L& y( h: S8 F) M) G! }' G9 z1 Z) _
Method 07
+ J6 F4 s9 \0 I8 p7 ?" e=========
/ d' P" \( `0 K: Y( ~' z* q0 g0 p) A F$ o8 Q6 n4 S+ g
Method of detection of the WinICE handler in the int68h (V86)' Y& v7 `+ F! `( M5 C* Y
3 q3 h1 `2 }8 f% A- C
mov ah,43h0 N) T9 j' a9 h. r1 j5 U
int 68h
$ a4 @: I0 [3 w5 R6 Y) |# c2 m cmp ax,0F386h
3 }3 N; [) [) _, d) Y7 \. P5 e0 Y jz SoftICE_Detected
; M x4 W( N/ _, U: v* a% c
/ a9 _! ^" Z3 e/ F0 {% }7 G8 K* x7 R5 q- q9 B* Y4 y
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit& \6 f- S9 j' J% r* ~$ D
app like this:
* }1 E8 }" L7 v, H$ u
0 [$ o$ `2 K; P$ T BPX exec_int if ax==68 p$ T& d+ s3 L$ a+ _3 O
(function called is located at byte ptr [ebp+1Dh] and client eip is& Z7 E0 s( R5 B! U
located at [ebp+48h] for 32Bit apps)/ q! V& T; n3 e9 m: X( B
__________________________________________________________________________9 V' S+ a- l' P6 M

Method 08
=========

Not a detection method, but a way to crash the system: it intercepts int 01h
and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints (BPM) are set in DR0 to DR3. The values can also be manipulated
or changed (clearing BPMs, for instance).
__________________________________________________________________________
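
As an added illustration (not part of the original text), the following Python
decodes a DR7 value the way a ring-0 check of this kind has to: which of
DR0-DR3 are armed, with what access type and length, whether the LE/GE
exact-breakpoint bits that separate 0x700 from 0x400 are set, and what DR7
looks like once the BPM slots are cleared. The bit layout is Intel's documented
DR7 layout; the 0x700-versus-0x400 reading is the heuristic stated above, not
a SoftICE guarantee, and the sample values are constructed. Reading or writing
DR7 itself (MOV from/to DR7) is ring-0 work that this helper deliberately
leaves out.

```python
"""
Decode and manipulate an x86 DR7 value as a ring-0 debug-register check
would. Added example, not code from the original text. Bit layout follows
the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved
(reads as 1), GD bit 13, R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n.
"""

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED = 1 << 10   # always set on real hardware (hence the 0x400 base)
DR7_GD = 1 << 13         # general detect: fault on any MOV to/from DR0-DR7

ACCESS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LENGTH = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 only valid in 64-bit mode


def decode_dr7(dr7):
    """Describe the armed hardware breakpoint slots and the control bits."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                     # slot n is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({"slot": n, "local": local, "global": glob,
                      "access": ACCESS[rw], "length": LENGTH[ln]})
    return {
        "slots": slots,
        "exact": bool(dr7 & DR7_LE) and bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
    }


def looks_like_softice_loader(dr7):
    """Heuristic taken from the text above: a program started through the
    SoftICE loader shows DR7=0x700, i.e. LE and GE set on top of the reserved
    bit, whereas a normally started one shows 0x400."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def bpm_slots_armed(dr7):
    """Slot numbers (0-3) with an L or G enable bit set: live BPMs."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"]]


def clear_bpms(dr7):
    """Return DR7 with every L/G enable bit and every R/W-LEN field cleared
    while keeping LE, GE, GD and the reserved bit. This is the 'clearing
    BPMs' manipulation the text mentions; writing it back needs MOV DR7 in
    ring 0, which this pure-Python helper does not do."""
    return dr7 & ~(0x000000FF | 0xFFFF0000) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample values: plain, loader-started, one 4-byte read/write
    # BPM in DR0, and a global 2-byte write BPM in DR1 plus an execute
    # breakpoint in DR3.
    for value in (0x400, 0x700, 0x000F0401, 0x00500448):
        info = decode_dr7(value)
        print(f"DR7={value:08X} loader={looks_like_softice_loader(value)} "
              f"slots={info['slots']} cleared={clear_bpms(value):08X}")
```

Feed it the DR7 value captured from a ring-0 dump or a VM debugger; a
non-empty slot list is exactly what a protection reading DR0-DR3 would see,
and clear_bpms() shows the value such a protection writes back when it wipes
BPMs, which is why breakpoints must be disabled before tracing this code.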

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However it was first used by the NuMega people to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067:  push  00402025      ; \\.\SICE
    0040106C:  call  CreateFileA
    00401071:  cmp   eax,-1        ; INVALID_HANDLE_VALUE
    00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; HFILE_ERROR (-1) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word selects the VxD (VWIN32),
                                ; low word selects the service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
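
The signatures described in Methods 01-07, 11, 12 and 13 can be turned into a
static scan of a binary, which is how a reverser finds these checks before
the target ever runs. The following Python is an added example, not part of
the original text or of any tool it mentions: each trick becomes a regex over
raw x86 bytes (the int 3 back door with its 'FG'/'JM' magic values, the
int 2Fh/1684h VxD-ID probes, the int 41h/4Fh and int 68h/43h checks with their
0F386h compare, the xchg through es:[41h*4], the VxDCall push sequence of
Method 12) or a string signature (the MeltICE device names and the registry
key names, in both ANSI and UTF-16LE). For Method 02 it also decodes which
back-door function the preceding mov ax selects. Opcode encodings are
standard x86; the sample blob at the bottom is constructed for this example
and is not taken from any real program.

```python
"""
Static scanner for the anti-SoftICE tricks of Methods 01-07, 11, 12 and 13.
Added example, not code from the original text. Each trick is expressed as a
regex over raw x86 bytes (16-bit code unless noted) or as a string
signature, so the checks can be located in a dumped or unpacked binary
before it is run. The sample blob at the bottom is constructed here.
"""
import re
import struct

# Method 02: back-door function number carried in AX before the INT 3.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# `.{0,N}?` tolerates a few interleaved instructions; `(?:\x66)?` accepts the
# operand-size prefix the same mov carries inside a 32-bit code segment.
_RAW_CODE_SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,'BCHK' ... int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    ("02", "SoftICE back door: mov si,4647h / mov di,4A4Dh / int 3",
     rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a\xcc"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xbb\x02\x02.{0,6}?\xcd\x2f"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xbb\x5f\x7a.{0,6}?\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     rb"\xb8\x4f\x00\xcd\x41.{0,12}?\x3d\x86\xf3"),
    ("06", "int 41h vector swapped via xchg dx,es:[41h*4]",
     rb"\x26\x87\x16\x04\x01"),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah (32-bit)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
CODE_SIGNATURES = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in _RAW_CODE_SIGNATURES]

# Methods 11 and 13: device names opened by MeltICE-style checks and the
# registry paths used to find the installation directory.
STRING_SIGNATURES = (
    [("11", "MeltICE device name", s)
     for s in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")]
    + [("13", "SoftICE registry key", s)
       for s in (b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"Loader32.Exe")]
)


def _backdoor_function(blob, offset):
    """Look back up to 16 bytes from a Method 02 hit for `mov ax,09xxh`
    (B8 xx 09) and name the back-door function it selects."""
    window = blob[max(0, offset - 16):offset]
    for i in range(len(window) - 3, -1, -1):
        if window[i] == 0xB8 and window[i + 2] == 0x09:
            func = struct.unpack_from("<H", window, i + 1)[0]
            return func, BACKDOOR_FUNCS.get(func, "unknown back-door function")
    return None, "function number not found nearby"


def scan(blob):
    """Return (offset, method, description) for every signature hit, sorted."""
    hits = []
    for method, desc, pattern in CODE_SIGNATURES:
        for m in pattern.finditer(blob):
            text = desc
            if method == "02":
                func, name = _backdoor_function(blob, m.start())
                text += f" -> AX={func:04X}h ({name})" if func is not None else f" ({name})"
            hits.append((m.start(), method, text))
    for method, desc, needle in STRING_SIGNATURES:
        wide = needle.decode("ascii").encode("utf-16-le")
        for enc_name, enc in (("ANSI", needle), ("UTF-16LE", wide)):
            for m in re.finditer(re.escape(enc), blob):
                hits.append((m.start(), method, f"{desc} {needle.decode('ascii')!r} ({enc_name})"))
    return sorted(hits)


# Constructed sample: NOP padding (90h) around the Haspinst.exe loop of
# Method 02 (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 /
# add bx,2), a Method 05 check, a Method 12 VxDCall stub and MeltICE's device
# name in ANSI and UTF-16LE. Not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc\x83\xc3\x02"
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, method, text in scan(SAMPLE):
        print(f"{offset:08X}  Method {method}: {text}")
```

Run scan() over the raw bytes of the unpacked file (the packers that use these
tricks usually hide them under a layer of encryption, so scan the dump, not the
file on disk). Offsets are into the buffer handed in; a hit in a data section
rather than code is possible and should be confirmed in a disassembler.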

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>