<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; if SoftICE is loaded it answers by changing AL
    cmp al,4                ; AL still 4 -> not loaded
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not present
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax untouched; only a
    jz SoftICE_detected     ; debugger sitting before it returns 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the timer port
    xor cx,cx
    int 41h                 ; int 41h with a random function number
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl == al only if our handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Opens the SoftICE driver by name; the open succeeds only when it is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
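As an added example (not part of the text above, and not code from any of the tools or packers it names), the Python script below does the static counterpart of the BPX conditions listed in the text: it scans a raw code blob for the byte patterns of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, the way an analyst triaging an unpacked executable would look for anti-debug idioms. The x86 encodings are my own, derived from the page's mnemonics (Methods 01 and 12 assumed to be 32-bit code, the DOS-era ones 16-bit code), and the sample blob is constructed for the demo.

```python
"""Signature scan for the anti-SoftICE idioms described in the text.

Added example; encodings are derived from the page's mnemonics and the
SAMPLE blob is constructed, not taken from any real binary.
"""
import re

# Each entry: (label, compiled pattern over raw bytes). x86 immediates are
# little-endian, so 'BCHK' (4243484Bh) appears as 4B 48 43 42 after the
# opcode. Lazy gaps (.{0,n}?) tolerate a few instructions in between.
SIGNATURES = [
    # Method 01 (32-bit code): mov ebp,4243484Bh ... int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02 (16-bit code): mov si,4647h / mov di,4A4Dh in either order
    ("M02 SoftICE back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04 (16-bit code): mov ax,1684h / mov bx,VxD_id ... int 2Fh
    ("M03 int 2Fh/1684h with SICE VxD id 0202h",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F", re.DOTALL)),
    ("M04 int 2Fh/1684h with SIWVID VxD id 7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F", re.DOTALL)),
    # Method 05 (16-bit code): mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h V86 check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12 (32-bit code): push 4Fh / push 2A002Ah / call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 11: MeltICE device names; Method 13: NuMega registry key
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b")),
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob):
    """Return a list of (label, offset) pairs, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((label, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def summarize(blob):
    """Count hits per label, handy when triaging many files at once."""
    counts = {}
    for label, _offset in scan(blob):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a fake header, then Method 05 and Method 01 code,
# two MeltICE device names and the NuMega registry key.
SAMPLE = (
    b"MZ" + b"\x90" * 14                                         # 16 bytes of padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x02"  # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

A hit is a signature match, not proof: packers commonly keep these sequences encrypted until runtime and may reorder or split the instructions, so run the scan on a memory dump taken after unpacking, and treat the SoftICE breakpoint conditions quoted in the text as the dynamic check that confirms a static hit.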