<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911       ; execute command.
        4C19:0098 MOV DX,[BX]       ; ds:dx point to the command (see below).
        4C19:009A MOV SI,4647       ; 1st magic value.
        4C19:009D MOV DI,4A4D       ; 2nd magic value.
        4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
        4C19:00A8 JB 0095           ; 6 different commands.
        4C19:00AA JMP 0002          ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to be 0 (IVT segment) here
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
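Added example, not part of the original text (which only gives SoftICE breakpoints for spotting these tricks): a small Python scanner that walks a disassembly listing with a linear sweep of register immediates and flags the int 3 / int 2Fh / int 41h patterns and the \\.\SICE handle names of Methods 02, 03/04, 05 and 11 above. The listing it scans is constructed here, not taken from Haspinst.exe or any other binary, and the sweep deliberately ignores control flow.

```python
import re

# Magic values quoted in the methods above.
BACKDOOR_SI, BACKDOOR_DI = 0x4647, 0x4A4D       # Method 02 back door (SI/DI)
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}    # Methods 03/04 VxD IDs
DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")      # Method 11 driver handle names

def parse_imm(tok):
    """Parse a MASM-style (04Fh, 0202h) or C-style (0x4f) immediate; None if not a number."""
    tok = tok.strip().lower()
    if tok.startswith("0x"):
        tok = tok[2:]
    elif tok.endswith("h") and tok[0].isdigit():  # MASM hex literals start with a digit
        tok = tok[:-1]
    return int(tok, 16) if re.fullmatch(r"[0-9a-f]+", tok) else None

def scan_listing(lines):
    """Linear sweep: remember immediates moved into registers, then judge each int."""
    regs, findings = {}, []
    for n, raw in enumerate(lines, 1):
        low = raw.lower()
        for name in DEVICE_NAMES:               # Method 11: driver handle name as operand
            if ("\\\\.\\" + name).lower() in low:
                findings.append((n, "Method 11: opens \\\\.\\" + name))
        code = low.split(";", 1)[0].strip()     # drop the comment
        m = re.match(r"mov\s+(\w+)\s*,\s*(\S+)", code)
        if m:
            val = parse_imm(m.group(2))
            if val is not None:
                regs[m.group(1)] = val
            continue
        m = re.match(r"int\s+(\S+)", code)
        if not m:
            continue
        vec = parse_imm(m.group(1))
        if vec == 3 and regs.get("si") == BACKDOOR_SI and regs.get("di") == BACKDOOR_DI:
            findings.append((n, "Method 02: SoftICE back door, AX=%04Xh" % regs.get("ax", 0)))
        if vec == 0x2F and regs.get("ax") == 0x1684 and regs.get("bx") in VXD_IDS:
            findings.append((n, "Method 03/04: int 2Fh/1684h for " + VXD_IDS[regs["bx"]]))
        if vec == 0x41 and regs.get("ax") == 0x4F:
            findings.append((n, "Method 05: int 41h/4Fh debugger check"))
    return findings

# Constructed listing (not taken from any real binary) exercising four methods.
SAMPLE_LISTING = """\
mov ax, 0911h       ; execute SIce command
mov si, 4647h       ; 1st magic value
mov di, 4A4Dh       ; 2nd magic value
int 3
mov ax, 1684h
mov bx, 0202h       ; VxD ID of SICE
int 2Fh
mov ax, 4fh
int 41h
push 00402025       ; \\\\.\\SICE
call CreateFileA
""".splitlines()
```

Call scan_listing() on the lines of your own listing; each hit is (line number, description).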