<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone; a system debugger
    jz SoftICE_detected     ; hooking int 41h returns the magic number

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer chip
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
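As an added example (not from the original text), the following C decodes a DR7 value into its Intel-defined fields so the 0x700 / 0x400 values quoted above can be read, and reports which of DR0..DR3 carry an armed breakpoint. The bit layout is the one documented in the Intel SDM; the function names are the example's own.

```c
/* Added example, not from the original text: decode the DR7 values quoted
 * above (0x700 with the SoftICE loader, 0x400 otherwise) using the Intel SDM
 * layout: bits 0-7 = L0,G0..L3,G3, bit 8 = LE, bit 9 = GE, bit 10 = reserved
 * (reads as 1, hence 0x400), bit 13 = GD, bits 16-31 = R/W,LEN per register. */
#include <stdint.h>
#include <stdio.h>

struct dr7_fields {
    unsigned local_enable[4], global_enable[4];  /* L0..L3, G0..G3 */
    unsigned rw[4];       /* 0=exec, 1=write, 2=I/O, 3=read/write */
    unsigned len[4];      /* 0=1 byte, 1=2 bytes, 2=8 bytes, 3=4 bytes */
    unsigned le, ge, gd;  /* local/global exact, general detect */
};

struct dr7_fields dr7_decode(uint32_t dr7)
{
    struct dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.local_enable[i]  = (dr7 >> (2 * i)) & 1;
        f.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        f.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        f.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* Bit i set => DRi is enabled (locally or globally): a BPM is in place. */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3)
            mask |= 1u << i;
    return mask;
}

/* The "loaded with the SoftICE loader" signature from the text: LE and GE
 * set (0x700) with no breakpoint armed; 0x400 is just the reserved bit. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    struct dr7_fields f = dr7_decode(dr7);
    return f.le && f.ge && dr7_armed_mask(dr7) == 0;
}

int main(void)
{
    /* constructed samples; 0x000D0701 = 0x700 plus DR0 armed as a 4-byte
     * write watchpoint (L0=1, RW0=01b, LEN0=11b) */
    uint32_t samples[] = { 0x400, 0x700, 0x000D0701 };
    for (int i = 0; i < 3; i++) {
        struct dr7_fields f = dr7_decode(samples[i]);
        printf("DR7=%08x LE=%u GE=%u armed=%x DR0 rw=%u len=%u loader=%d\n",
               (unsigned)samples[i], f.le, f.ge, dr7_armed_mask(samples[i]),
               f.rw[0], f.len[0], dr7_looks_like_softice_loader(samples[i]));
    }
    return 0;
}
```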

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* handle opened: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
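As an added example (not part of the original text), this C mirrors the two breakpoint conditions from Methods 11 and 13 (the CreateFileA 'SICE'/'SIWV'/'NTIC' check and the _regopenkey 'tICE' check) so the offsets 4, 0x13 and 0x37 can be verified on sample arguments. The function names are the example's own, and it assumes SoftICE compares 4-character constants in memory order.

```c
/* Added example, not from the original text: the two SoftICE breakpoint
 * conditions quoted above, re-expressed in C so the offsets can be checked:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ...      -> softice_device_tag()
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || ...   -> softice_regkey_tag()
 * Both read 4 bytes at a fixed offset into a string argument and compare them
 * as a 4-character tag; memory-order comparison is assumed here. */
#include <stdio.h>
#include <string.h>

/* Compare the 4 bytes at s+off with a 4-char tag without reading past NUL. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* CreateFileA/_lopen argument: the "\\.\" prefix is 4 bytes, so the BPX
 * looks at esp->4 (lpFileName) + 4. Returns the matching tag or NULL. */
const char *softice_device_tag(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t i = 0; i < 3; i++)
        if (tag_at(path, 4, tags[i]))
            return tags[i];
    return NULL;
}

/* Offset of "tICE" inside a subkey path, or -1: "Software\NuMega\SoftICE"
 * gives 0x13 and the Uninstall key gives 0x37, the BPX constants. */
long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1;
}

/* RegOpenKey subkey argument (esp->8), checked exactly as the BPX does. */
int softice_regkey_tag(const char *subkey)
{
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

int main(void)
{
    const char *files[] = { /* constructed */ "\\\\.\\SICE", "\\\\.\\SIWVID",
                            "\\\\.\\NTICE", "\\\\.\\COM1" };
    const char *keys[] = { /* constructed */ "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run" };
    for (int i = 0; i < 4; i++)
        printf("%-12s -> %s\n", files[i],
               softice_device_tag(files[i]) ? "SoftICE device" : "no match");
    for (int i = 0; i < 3; i++)
        printf("tICE at %ld -> %s\n", tice_offset(keys[i]),
               softice_regkey_tag(keys[i]) ? "match" : "no match");
    return 0;
}
```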

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>