About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE VxD by its device name; succeeds only if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
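As an added example (not part of the original post), a small Python scanner that flags the byte patterns these tricks leave in a binary: the immediates from methods 01, 02, 03/04, 05, 07 and 12 and the device/registry strings from methods 11 and 13. The sample blobs are hand-assembled from the listings above, and the 16-bit instruction encodings are used because the 32-bit forms contain them unchanged after an operand-size prefix.

```python
"""Static scan of a code/data blob for the anti-SoftICE checks listed above."""
import re

# name -> regex over raw bytes (16-bit x86 encodings; 32-bit code carries the
# same bytes behind a 66h prefix, so both forms match).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK'": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.S),
    # Method 02: int 3 back door magic values mov si,4647h / mov di,4A4Dh
    "02 int 3 back door (SI=4647h, DI=4A4Dh)": re.compile(
        rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46", re.S),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID), then int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": re.compile(
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ; int 41h  (a system debugger answers 0F386h)
    "05 int 41h/4Fh": re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41", re.S),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h": re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: MeltICE-style device names handed to CreateFileA / _lopen
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry key #2 from the list above
    "13 SoftICE registry key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(blob: bytes):
    """Return [(method, offset), ...] for every signature hit, in file order."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES.items() for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


def methods_found(blob: bytes):
    """Sorted, de-duplicated list of the method names that matched."""
    return sorted({name for name, _ in scan(blob)})


# Constructed samples, hand-assembled from the listings above (not real files).
SAMPLE_HASP = (b"\xB8\x11\x09"   # mov ax,0911h
               b"\x8B\x17"       # mov dx,[bx]
               b"\xBE\x47\x46"   # mov si,4647h
               b"\xBF\x4D\x4A"   # mov di,4A4Dh
               b"\xCC")          # int 3
SAMPLE_BCHK = b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x00"
SAMPLE_INT41 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"
SAMPLE_MELTICE = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
SAMPLE_CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3"  # plain prologue/epilogue

if __name__ == "__main__":
    for label, blob in [("hasp", SAMPLE_HASP), ("bchk", SAMPLE_BCHK),
                        ("meltice", SAMPLE_MELTICE), ("clean", SAMPLE_CLEAN)]:
        print(label, methods_found(blob))
```

Signatures only catch fixed immediates and strings, so a register-built variant, Method 06 (no fixed function number), and the ring-0 service calls of methods 09, 10 and 14 are out of reach, and a hit inside data bytes should be confirmed in a disassembler.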