About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point.
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point.
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);        /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
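Every breakpoint suggested for Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 keys on a fixed immediate ('BCHK', 4647h/4A4Dh, 1684h with a VxD ID, 4Fh/41h, 43h/68h, 002A002Ah, 0F386h) or on a fixed string (the \\.\SICE device names, the NuMega registry key), so the same checks can be run statically over a file before it is ever loaded under the debugger. The Python scanner below is an added example, not code from the original post nor from MeltICE, HASP or any other program named here: it turns those immediates into the standard x86 byte encodings of the instructions shown above (with an optional 66h operand-size prefix, since the 16-bit DOS and 32-bit PE forms differ only by that prefix) and reports every offset where one occurs. The rule names and the sample buffer are constructed for this demonstration.

```python
"""Static triage scanner for the anti-SoftICE patterns listed above.

Added example (not the original post's code). Encodes the instruction
sequences of Methods 01-05, 07 and 12 and the strings of Methods 11 and 13
as byte regexes; rule names and SAMPLE are constructed for the demo.
"""
import re
import sys
from typing import List, Tuple

# Optional 0x66 operand-size prefix: `mov ax,4Fh` is B8 4F 00 in 16-bit
# DOS code and 66 B8 4F 00 in 32-bit code, so every 16-bit immediate below
# is matched with or without it.
P66 = rb"\x66?"


def _devname(name: bytes) -> bytes:
    # r"\\.\NAME" exactly as passed to CreateFileA / _lopen (Method 11)
    return re.escape(b"\\\\.\\" + name)


# rule name -> (regex over raw bytes, what a hit means)
SIGNATURES = {
    "method01_bchk_int3": (
        # mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC.{0,8}?\x3C\x04",
        "BoundsChecker 'BCHK' probe through int 3",
    ),
    "method02_backdoor_magic": (
        # mov si,4647h ('FG') and mov di,4A4Dh ('JM'), in either order
        rb"(?:" + P66 + rb"\xBE\x47\x46" + P66 + rb"\xBF\x4D\x4A|"
        + P66 + rb"\xBF\x4D\x4A" + P66 + rb"\xBE\x47\x46)",
        "SoftICE back-door magic values loaded into SI/DI",
    ),
    "method03_04_vxd_entry": (
        # mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
        P66 + rb"\xB8\x84\x16" + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
        "int 2Fh/1684h lookup of the SICE or SIWVID VxD entry point",
    ),
    "method05_int41_4f": (
        P66 + rb"\xB8\x4F\x00\xCD\x41",        # mov ax,4Fh ; int 41h
        "int 41h function 4Fh debugger installation check",
    ),
    "method07_int68_43": (
        rb"\xB4\x43\xCD\x68",                  # mov ah,43h ; int 68h
        "int 68h (V86) WinICE handler check",
    ),
    "method12_vxdcall_int41": (
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",      # push 4Fh ; push 002A002Ah
        "VWIN32_Int41Dispatch through the VxDCall back door",
    ),
    "magic_0f386_compare": (
        P66 + rb"\x3D\x86\xF3",                # cmp ax,0F386h
        "compare against the 0F386h system-debugger magic number",
    ),
    "method11_device_name": (
        rb"|".join(_devname(n) for n in (b"SICE", b"SIWVID", b"NTICE")),
        "SoftICE driver device name (MeltICE-style CreateFileA/_lopen)",
    ),
    "method13_registry_key": (
        re.escape(b"Software\\NuMega\\SoftICE"),
        "SoftICE installation registry key",
    ),
}

# DOTALL so the wildcard gaps in the Method 01 rule also match 0x0A bytes.
COMPILED = {name: (re.compile(pat, re.DOTALL), why)
            for name, (pat, why) in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, rule, meaning) for every hit, sorted by offset."""
    hits = []
    for name, (rx, why) in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name, why))
    return sorted(hits)


# Constructed sample: a 32-bit Method 01 probe, a 16-bit Method 02 magic
# pair, then the strings looked for by Methods 11 and 13, padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp,4243484Bh    (offset 8)
    + b"\x66\xB8\x04\x00"                # mov ax,4
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al,4
    + b"\x75\x10"                        # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x11\x09"                    # mov ax,0911h         (offset 30)
    + b"\xBE\x47\x46"                    # mov si,4647h         (offset 33)
    + b"\xBF\x4D\x4A"                    # mov di,4A4Dh
    + b"\xCC"                            # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                 # device name          (offset 48)
    + b"Software\\NuMega\\SoftICE\x00"   # registry key         (offset 57)
)


def main(argv: List[str]) -> None:
    # Scan the file given on the command line, or the built-in sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for off, name, why in scan(data):
        print(f"{off:#010x}  {name:<26} {why}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python scanner.py target.exe`, or with no argument to scan the constructed sample. A hit is a triage lead, not proof: the immediates are short, so a large file can contain them by chance, and a packer may build the values in registers instead of using them as immediates. Methods 06, 08, 09, 10 and 14 carry no fixed immediate (vector swaps, debug-register reads, VMMCall services) and are not covered; for those, and to confirm any hit, the BPX/BPINT breakpoints given with each method remain the way to see the check fire.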
8 |# ^6 F5 T( `
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
2 I6 B; }+ c/ j. T; S: ?</PRE></TD></TR></TBODY></TABLE>