<TABLE width=500> 
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE recognises
on int 3: when SoftICE is loaded, the interrupt returns with AL changed,
so the compare below fails.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger
  is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
 
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
 

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net). It installs its own dummy handler in the
int 41h vector for the duration of the call, so the call is harmless when
no debugger is present (SoftICE intercepts the interrupt before the
real-mode vector is reached and still answers 0F386h). ES must point to
segment 0, the interrupt vector table:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
 
Method 06
=========

Second method, similar to the preceding one but harder to detect because
it does not use function 4Fh at all: it reads a pseudo-random byte from
the timer port (in al,40h), clears CX and calls int 41h with its own
handler installed. If our handler runs, CL receives AL and the compare
matches; if SoftICE handles the interrupt itself and our handler never
runs, CL stays 0 and differs from AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a detection method but a way to crash the system by hooking
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
 
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
 
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (dr7 = 0x700 if the program was started with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(dr0 to dr3). The values can be manipulated or changed as well (clearing
BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the Carry
flag so that the handle can be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName; +4 skips the '\\.\'
 prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected (a handle was returned)
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
 
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
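
The following C program is an added example and not part of the original
text, of any packer, or of any tool mentioned here. It is a small static
scanner for raw code/data images that looks for the byte patterns of the
tricks described in Methods 01 to 07, 11, 12 and 13. Instead of matching
fixed instruction sequences it anchors on the INT instruction and checks
which immediates were loaded into registers within a window of bytes before
it (16 bytes, an assumed value), so the order of the MOVs does not matter;
it recognises both encodings of int 3 (CCh and the long form CDh 03h), and
it also searches for the MeltICE device names and the NuMega registry key.
The instruction encodings assume a 16-bit code segment (the mov ebp of
Method 01 therefore carries the 66h operand-size prefix); the 32-bit
Method 12 pattern is matched as-is. The sample image is constructed for
this example, not taken from any real binary. Being a heuristic, a stray
CCh byte in data can produce a false positive, so hits should be confirmed
in a disassembler.

```c
/* sice_sigscan.c: heuristic static scanner for the SoftICE detection tricks
 * described on this page.  Added example, not code from the original article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16   /* bytes of register setup examined before an INT (assumed value) */

typedef struct { int method; size_t offset; const char *what; } hit_t;

/* Is needle[0..m) present anywhere in hay[0..n)? */
static int has(const uint8_t *hay, size_t n, const void *needle, size_t m)
{
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Does pat[0..m) sit exactly at p? */
static int match_at(const uint8_t *p, size_t left, const void *pat, size_t m)
{
    return m <= left && memcmp(p, pat, m) == 0;
}

/* Both encodings of INT 3 (CC and the long form CD 03) and INT nn; returns length or 0. */
static int decode_int(const uint8_t *p, size_t left, int *vec)
{
    if (left >= 1 && p[0] == 0xCC) { *vec = 0x03; return 1; }
    if (left >= 2 && p[0] == 0xCD) { *vec = p[1]; return 2; }
    return 0;
}

/* Scan buf[0..n); returns the number of hits (hits beyond max are counted, not stored). */
size_t scan_softice_tricks(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
#define HIT(m, w) do { if (nh < max) hits[nh] = (hit_t){ (m), i, (w) }; nh++; } while (0)
    /* 16-bit encodings of the register setups shown in Methods 01-07 */
    static const uint8_t bchk[]    = {0x66,0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh */
    static const uint8_t si_fg[]   = {0xBE,0x47,0x46}, di_jm[]  = {0xBF,0x4D,0x4A}; /* mov si,4647h / mov di,4A4Dh */
    static const uint8_t ax_4f[]   = {0xB8,0x4F,0x00}, ah_43[]  = {0xB4,0x43};      /* mov ax,4Fh / mov ah,43h */
    static const uint8_t ax_1684[] = {0xB8,0x84,0x16};                              /* mov ax,1684h */
    static const uint8_t bx_sice[] = {0xBB,0x02,0x02}, bx_vid[] = {0xBB,0x5F,0x7A}; /* mov bx,0202h / mov bx,7A5Fh */
    /* 32-bit, Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) */
    static const uint8_t vxdcall[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};
    /* Methods 11 and 13: MeltICE device names and the NuMega registry key */
    static const char *const devs[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"};
    static const char regkey[] = "Software\\NuMega\\SoftICE";

    size_t nh = 0;
    for (size_t i = 0; i < n; i++) {
        int vec = 0, len = decode_int(buf + i, n - i, &vec);
        if (len) {
            size_t start = i > WINDOW ? i - WINDOW : 0;     /* setup code preceding the INT */
            const uint8_t *w = buf + start;
            size_t wn = i - start;
            switch (vec) {
            case 0x03:
                if (has(w, wn, bchk, sizeof bchk)) HIT(1, "int 3 with 'BCHK' in EBP");
                if (has(w, wn, si_fg, sizeof si_fg) && has(w, wn, di_jm, sizeof di_jm))
                    HIT(2, "int 3 back door (SI=4647h, DI=4A4Dh)");
                break;
            case 0x2F:
                if (!has(w, wn, ax_1684, sizeof ax_1684)) break;
                if (has(w, wn, bx_sice, sizeof bx_sice)) HIT(3, "int 2Fh/1684h, VxD ID 0202h (WINICE)");
                if (has(w, wn, bx_vid, sizeof bx_vid))   HIT(4, "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)");
                break;
            case 0x41:
                if (has(w, wn, ax_4f, sizeof ax_4f)) HIT(5, "int 41h/4Fh debugger installation check");
                break;
            case 0x68:
                if (has(w, wn, ah_43, sizeof ah_43)) HIT(7, "int 68h/43h (WinICE V86 handler)");
                break;
            }
            i += len - 1;   /* step over the whole INT instruction */
            continue;
        }
        if (match_at(buf + i, n - i, vxdcall, sizeof vxdcall)) HIT(12, "VxDCall VWIN32_Int41Dispatch, fn 4Fh");
        for (size_t k = 0; k < 3; k++)
            if (match_at(buf + i, n - i, devs[k], strlen(devs[k]))) HIT(11, devs[k]);
        if (match_at(buf + i, n - i, regkey, sizeof regkey - 1)) HIT(13, regkey);
    }
    return nh;
}

/* Constructed sample image (not bytes from any real binary): a Haspinst-style back
 * door call, an int 41h/4Fh check, an int 2Fh/1684h check, a Bleem-style VxDCall
 * and a MeltICE device name, with NOP filler. */
const uint8_t sample_image[] = {
    0x90, 0x90,                                                        /* NOP filler */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,  /* Method 02 */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                        /* Method 05 */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,  /* Method 03 */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                              /* Method 12 */
    '\\','\\','.','\\','S','I','C','E', 0                             /* Method 11 */
};

int main(void)
{
    hit_t hits[32];
    size_t n = scan_softice_tricks(sample_image, sizeof sample_image, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("%04zX: method %02d: %s\n", hits[i].offset, hits[i].method, hits[i].what);
    return 0;
}
```

Run on the constructed image it reports Method 02 at offset 0Dh (the CC
after the SI/DI loads), Method 05 at 11h, Method 03 at 20h, Method 12 at
22h and the '\\.\SICE' string at 29h. To scan a real file, read it into a
buffer and pass it to scan_softice_tricks; the dynamic breakpoints listed
under each method remain the way to confirm a hit at run time.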

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>