<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]            ; install our own int 41h handler (assumes es=0, the IVT)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]            ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                      ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]            ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                     ; read the timer counter (port 40h)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]            ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                      ; our handler copied al into cl;
    jnz SoftICE_detected           ; if a debugger took int 41h, it didn't

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                    ; DOS: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
! ^! Z9 p6 v7 A/ n/ o- ]Method 11* ?, d7 q2 x: N8 B0 R
=========
7 E. G0 @5 r! j; f* e& o: c- c, e& ]! h( L! T o( X; x G* C
This method is most known as 'MeltICE' because it has been freely distributed; M; r Y8 I2 ~" O c
via www.winfiles.com. However it was first used by NuMega people to allow# d: M% c% Q# d+ u9 P3 s" C
Symbol Loader to check if SoftICE was active or not (the code is located- ~0 y' C9 B0 G0 k) O
inside nmtrans.dll).& S0 V5 h4 S7 m/ S
; i$ u: ^. Q9 |7 m: v
The way it works is very simple:! ]3 z6 M5 |4 |0 N3 j3 B7 A# N
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for Z( H3 A: Q, V* R, Z# k( C
WinNT) with the CreateFileA API.
, \$ D# W) A5 q. ?5 R( P v+ s$ E! J& g3 K+ d) m, Y) i" `
Here is a sample (checking for 'SICE'):8 G% W8 d5 k# E; H; g5 `
% t" ]1 l8 P4 P3 d4 x( ?BOOL IsSoftIce95Loaded()
7 }! O, |# \5 T0 w. _- I5 z" S{
) [) Q( G& B5 D! u) f6 k HANDLE hFile; " a3 b2 b3 B4 p) P0 r. d) I
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
) }# x2 l9 _8 U' Z. Y$ V FILE_SHARE_READ | FILE_SHARE_WRITE,
0 ~! y" v# r0 P$ i, ]+ A NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);( |/ j- a, p) |1 _& M1 Y% ]# A
if( hFile != INVALID_HANDLE_VALUE )+ ]+ n+ U, m$ @% C
{, O, `& m' v7 s" B1 s
CloseHandle(hFile);1 I- w6 F5 X9 m; o! w
return TRUE;
) f6 S! B( e* a& n2 d: \% H& G }( U1 f7 R2 c( w* H# I7 M5 e4 R
return FALSE;1 B; H& a' L* K9 P' |, Q
}
; C1 q; S6 e; O+ S
$ m. ]9 M& Y/ {4 S) SAlthough this trick calls the CreateFileA function, don't even expect to be8 M, ?# [1 M, h) P% O
able to intercept it by installing a IFS hook: it will not work, no way!, W, X+ `6 c1 v+ Q
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
4 q8 M! n, U% v: o% ?$ l7 T2 Dservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
" E+ H8 ]9 y- ^# X& j: T" \and then browse the DDB list until it find the VxD and its DDB_Control_Proc
( B1 K1 h; }( L+ R/ mfield.
2 \6 C7 A5 {# ^5 ~In fact, its purpose is not to load/unload VxDs but only to send a
7 ]6 Q- `8 |5 g, ]W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; K- Q$ u" ~5 u' Z1 xto the VxD Control_Dispatch proc (how the hell a shareware soft could try0 ?0 ?3 y5 B; T: J7 X# j
to load/unload a non-dynamically loadable driver such as SoftICE ;-).. |2 D: {# x7 a/ [
If the VxD is loaded, it will always clear eax and the Carry flag to allow2 V4 q7 T) x4 N% W* R
its handle to be opened and then, will be detected.
7 u- ]+ B' Z, G: |) RYou can check that simply by hooking Winice.exe control proc entry point
+ p0 ?& j) v9 R+ @7 M0 d5 c Dwhile running MeltICE.
, p* a7 ~2 E! j+ n- r3 H4 N1 i% O0 U1 D# {2 _$ s7 i3 J
3 |: z4 b/ I( W' L. w 00401067: push 00402025 ; \\.\SICE! _- @- e) d f" _/ x4 z$ P5 B& e
0040106C: call CreateFileA
" p" `+ H( M; S1 S" F, F 00401071: cmp eax,-0016 Q6 D. u( ]: p2 X
00401074: je 00401091
. _* \" o- J2 s( T" ^$ c% {$ l% b( T2 Z# ^: \/ k2 @' @
! k+ H7 |/ V7 b7 W$ X/ Q
There could be hundreds of BPX you could use to detect this trick.# h0 [9 L" c2 r v5 L
-The most classical one is:
# \2 }" r/ b4 B# z5 P" `" F BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
' j+ L; m J; x c8 Y3 d *(esp->4+4)=='NTIC'/ ] M/ u {; ^
* L! c A8 y4 N+ o+ I V2 V0 a-The most exotic ones (could be very slooooow :-(9 L; Q; U3 d' W6 ]9 F5 B8 Q
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
2 `1 ]& y/ O: N/ h ;will break 3 times :-(7 n* i3 c, O8 u* l1 L* h0 N' T
, q; l; }! z8 F
-or (a bit) faster: & O0 e7 u0 N. X6 ?$ `0 U; C
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')" x$ S1 \! k7 ? h% F
1 F$ z$ k; D8 L( ]6 q BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
, j; T9 M8 V- B- V2 h ;will break 3 times :-($ Y! n" _" h9 U# a- S
& k- f, d5 f* C& o$ X0 u3 l# a-Much faster:
$ s; R, v8 _% S4 ]: P3 F BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'0 t- t6 p: S' B* W
+ A0 K- h* ~6 F* U
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen6 _4 |' b# s j# y# M5 }
function to do the same job: C9 D1 M, u1 \7 y% F1 E5 H
! {7 Z. B! y& k8 M% W, P
push 00 ; OF_READ
( O" K1 o& O- E5 F mov eax,[00656634] ; '\\.\SICE',07 z4 Z" W( z3 t- u( E
push eax3 u( E1 b7 _4 j
call KERNEL32!_lopen
5 p2 u' b8 M7 \0 C) B inc eax
6 B3 l0 z) c5 E' r2 m+ { jnz 00650589 ; detected! Q& C' X. s% W0 f7 {
push 00 ; OF_READ3 c# T$ _$ }; J* m+ n. m
mov eax,[00656638] ; '\\.\SICE'
: |, ^. H- Q( Q% E6 _% x push eax3 }1 Z" k( d `, w1 d% c4 G
call KERNEL32!_lopen
: f8 U( H5 H+ c- w inc eax' o2 E- `+ o4 q* R8 v
jz 006505ae ; not detected) F% u8 F! n% i
& y( y$ j6 Q2 m/ _$ x4 r; O9 J; k" T$ I: ?& P) h
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh                 ; function 4fh
    push 002a002ah                 ; high word specifies which VxD (VWIN32),
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001         ; VxdCall
    cmp ax, 0f386h                 ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
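
The block below is an added example, not part of the original text: a small Python triage scanner that looks for the byte encodings of the idioms catalogued above (Method 01's 'BCHK' magic, Method 02's SI/DI magic values, the int 2Fh VxD ID checks, the int 41h/68h 0F386h compare, the MeltICE device names, the Method 12 VxDCall push pair and the NuMega registry key), so an analyst can flag a sample that carries them. The instruction encodings assume the 16-/32-bit forms noted in the comments, and the sample buffer is constructed, not taken from a real binary.

```python
"""Static triage scanner for the SoftICE-detection idioms described above.
Byte patterns are the x86 encodings of the page's instruction sequences;
the sample buffer at the bottom is constructed, not a real binary."""
import re

# name -> pattern. Plain bytes are matched literally; regexes as written.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK'; 32-bit encoding BD imm32)
    "method01_bchk_magic": b"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh back door magic values
    "method02_backdoor_magic": b"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov bx,<VxD id> then int 2Fh (ax=1684h assumed set earlier)
    "method03_sice_vxd_id": b"\xBB\x02\x02\xCD\x2F",
    "method04_siwvid_vxd_id": b"\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h (16-bit encoding)
    "method05_int41_4f": b"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "method07_int68_43": b"\xB4\x43\xCD\x68",
    # Methods 05/07/12: cmp ax,0F386h (3D imm16; a 66h prefix may precede it)
    "f386_magic_compare": b"\x3D\x86\xF3",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "method12_vxdcall_int41": b"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): device names opened with CreateFileA/_lopen
    "method11_meltice_device": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry key used to locate the installation directory
    "method13_registry_key": re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes):
    """Return sorted (offset, signature_name) pairs for every match in data."""
    hits = []
    for name, pat in SIGNATURES.items():
        regex = pat if isinstance(pat, re.Pattern) else re.compile(re.escape(pat))
        hits.extend((m.start(), name) for m in regex.finditer(data))
    return sorted(hits)


# Constructed sample: NOP padding, the Method 01 sequence (mov ebp / mov ax,4
# / int 3 / cmp al,4), a push of a "\\.\SICE" string, then the Method 07 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    + b"\x68\x25\x20\x40\x00" + b"\\\\.\\SICE\x00"
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04x}  {name}")
```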
</PRE></TD></TR></TBODY></TABLE>