<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4, INT 3 leaves AL=4 when SoftICE is not loaded, so any other value
in AL means SoftICE answered the call.

        mov   ebp, 04243484Bh     ; 'BCHK'
        mov   ax, 04h
        int   3
        cmp   al, 4
        jnz   SoftICE_Detected    ; AL changed -> SoftICE is present

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoint)
-AX = 0914h (Remove SoftICE breakpoint)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed before the call; if the VxD is
loaded, the call returns its API entry point in ES:DI, which is then
non-zero.

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 0202h           ; VxD ID of WINICE
        int   2Fh
        mov   ax, es              ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor   di, di
        mov   es, di
        mov   ax, 1684h
        mov   bx, 7A5Fh           ; VxD ID of SIWVID
        int   2Fh
        mov   ax, es              ; ES:DI -> VxD API entry point
        add   ax, di
        test  ax, ax
        jnz   SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

        mov   ax, 4Fh
        int   41h
        cmp   ax, 0F386h
        jz    SoftICE_Detected


The next snippet and Method 06 are 2 examples from Stone's "stn-wid.zip"
(www.cracking.net). They first point the int 41h vector at a local IRET so
that whatever handler the interrupt vector table normally holds cannot
answer; a debugger that intercepts int 41h below the V86 layer, as SoftICE
does, still returns 0F386h. ES must point to the IVT (ES=0, as set up
explicitly in Method 06):

        mov   bx, cs
        lea   dx, int41handler2
        xchg  dx, es:[41h*4]      ; install our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        mov   ax, 4Fh
        int   41h
        xchg  dx, es:[41h*4]      ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   ax, 0F386h
        jz    SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but harder to spot, because no
function number is passed in AX (a BPINT 41 if ax==4f never fires). An
unpredictable value read from the timer port goes into AL, CX is cleared,
and the local handler copies AL into CL: if the local handler ran, CL equals
AL; if something else consumed the interrupt, it does not.


int41handler PROC
        mov   cl, al
        iret
int41handler ENDP


        xor   ax, ax
        mov   es, ax              ; ES = 0 -> interrupt vector table
        mov   bx, cs
        lea   dx, int41handler
        xchg  dx, es:[41h*4]      ; install our handler, keep the old vector
        xchg  bx, es:[41h*4+2]
        in    al, 40h             ; PIT counter 0: an arbitrary value
        xor   cx, cx
        int   41h
        xchg  dx, es:[41h*4]      ; restore the old vector
        xchg  bx, es:[41h*4+2]
        cmp   cl, al
        jnz   SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov   ah, 43h
        int   68h
        cmp   ax, 0F386h
        jz    SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and
ds:dx points to the new routine to execute (hangs the computer...)

        mov   ah, 25h
        mov   al, Int_Number      ; 01h or 03h
        mov   dx, offset New_Int_Routine   ; DS:DX -> new handler
        int   21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov   eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov   edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov   [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (DR0 to DR3), simply by reading
their value (ring 0 only). The values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________
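The DR7 values quoted in Method 10 (0x400 idle, 0x700 under the SoftICE
loader) and the BPM slots are just bit fields. The decoder below is an
added example and not code from the original page: it splits a DR7 value
the way a ring-0 check would read it, using the documented x86 layout
(L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always 1, GD bit 13,
R/Wn and LENn pairs from bit 16 upward). `bpm_write_dword` is an assumption
about what a 4-byte write BPM roughly turns into in DR7, not SoftICE's own
encoding.

```python
"""DR7 decoder for the debug-register check of Method 10 (added example)."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b is 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the per-register breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn
        slots.append({
            "reg": f"DR{n}",
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "armed": slots,
    }


def debugger_suspected(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Reproduce the two observations of Method 10 as a list of reasons.

    LE/GE set is what the page reports for a target started from the
    SoftICE loader (0x700 instead of the idle 0x400); any enabled slot, or a
    non-zero linear address left in DR0-DR3, points at a hardware breakpoint.
    """
    info = decode_dr7(dr7)
    reasons = []
    if info["LE"] or info["GE"]:
        reasons.append("LE/GE enabled (SoftICE loader signature)")
    for slot in info["armed"]:
        reasons.append(f"{slot['reg']} armed: {slot['scope']} {slot['kind']} "
                       f"breakpoint, {slot['len']} byte(s)")
    for n, addr in enumerate(dr0_3):
        if addr and not any(s["reg"] == f"DR{n}" for s in info["armed"]):
            reasons.append(f"DR{n} holds 0x{addr:08X} but is not enabled")
    return reasons


def bpm_write_dword(n: int, dr7: int = 0x400) -> int:
    """Return DR7 with slot n set as a global 4-byte write breakpoint
    (assumed to be roughly what a dword write BPM becomes)."""
    dr7 |= 1 << (2 * n + 1)                  # Gn
    dr7 &= ~(0xF << (16 + 4 * n))            # clear old R/Wn + LENn
    dr7 |= 1 << (16 + 4 * n)                 # R/Wn = 01b (write)
    dr7 |= 3 << (18 + 4 * n)                 # LENn = 11b (4 bytes)
    return dr7


if __name__ == "__main__":
    for v in (0x400, 0x700, bpm_write_dword(0)):
        print(hex(v), debugger_suspected(v))
```

Reading DR0-DR7 needs ring 0 (a VxD on Win9x); the decoder only models what
such a check would conclude from the values it reads.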
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the VxD by its device name: the call only succeeds if the
       driver is loaded and accepts the open request. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025        ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp  eax,-001
  00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push  00                  ; OF_READ
    mov   eax,[00656634]      ; '\\.\SICE',0
    push  eax
    call  KERNEL32!_lopen
    inc   eax                 ; HFILE_ERROR (-1) becomes 0
    jnz   00650589            ; detected
    push  00                  ; OF_READ
    mov   eax,[00656638]      ; '\\.\SICE'
    push  eax
    call  KERNEL32!_lopen
    inc   eax
    jz    006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem Demo.

        push  0000004Fh           ; function 4Fh
        push  002A002Ah           ; high word specifies which VxD (VWIN32),
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call  Kernel32!ORD_0001   ; VxDCall
        cmp   ax, 0F386h          ; magic number returned by system debuggers
        jz    SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it (esp->8 is lpSubKey; +0x13 and +0x37 are the
offsets of 'tICE' in keys #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
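Most of the tricks above (Methods 01, 02, 03/04, 05/07/12, 11 and 13) leave
fixed constants in the protected file: the 'BCHK' immediate, the SI/DI magic
values, the 1684h/VxD-ID pair, the 0F386h compare, the VWIN32_Int41Dispatch
push, the \\.\SICE device names and the registry paths. The scanner below is
an added example, not code from the original page or from any product it
names: it triages a DOS or Win9x binary for those byte patterns before it is
run. The encodings are the standard x86 forms (mov si,imm16 = BE iw, mov
bx,imm16 = BB iw, cmp ax,imm16 = 3D iw, push imm32 = 68 id, int n = CD ib);
a protector that builds the constants at run time is not matched, and
3D 86 F3 can occur in data, so hits are leads, not proof. SAMPLE is a
constructed blob, hand-assembled from the fragments shown on this page.

```python
"""Static scanner for the anti-SoftICE tricks catalogued on this page
(added example, constructed sample input)."""
import re

# (label, description, byte regex)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); 66 BD in 16-bit code, BD in 32-bit
    ("M01", "'BCHK' in EBP before INT 3 (BoundsChecker interface)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h and mov di,4A4Dh close together, either order
    ("M02", "back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/04", "int 2Fh/1684h with the SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Methods 05/06/07/12: cmp ax,0F386h (3D iw; 66 prefix in 32-bit code)
    ("M05/07/12", "cmp ax,0F386h debugger magic",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("M12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    ("M11", "MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the three registry paths
    ("M13", "SoftICE registry path",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
                rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.I)),
]


def scan(blob: bytes) -> list:
    """Return (offset, label, description) for every signature hit, by offset."""
    hits = []
    for label, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), label, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct method labels present in the blob, sorted."""
    return sorted({label for _, label, _ in scan(blob)})


# Constructed test input: hand-assembled fragments of Methods 01, 02, 03, 12
# followed by the strings Methods 11 and 13 look for.
SAMPLE = (
    b"\x90" * 4
    # 16-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz +10h
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    # 16-bit: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    # 16-bit: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    # 32-bit: push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, label, desc in scan(SAMPLE):
        print(f"{off:06X}  {label:10s} {desc}")
```

Run it over a whole file with `scan(open(path, "rb").read())`; the offsets
are where to set the BPX or BPINT from the corresponding method when the
sample is then traced live.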

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je    not_installed       ; ZF set -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>