<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: BoundsChecker announces
itself through int 3 with EBP = 'BCHK' and AX = 4, and SoftICE answers by
modifying AL. If AL is still 4 when int 3 returns, nobody handled the request
and SoftICE is not loaded.

        mov     ebp, 04243484Bh     ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands of int 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands (one string per
iteration, pointed to by ds:dx), which are: LDT, IDT, GDT, TSS, RS, and
...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========
A less used method. It looks for the ID of the SoftICE VxD via int 2Fh,
function 1684h (Get VxD API entry point): if the VxD is loaded, ES:DI
receives its API entry point, otherwise ES:DI is left at 0:0 (the same
value is returned when the VxD exports no API). Note that the check below
simply adds segment and offset, so it is only a rough test that ES:DI is no
longer 0:0.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h           ; VxD ID of WINICE
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7A5Fh           ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========
This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov     ax,4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next variant as well as Method 06 are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at its own dummy handler (ES is assumed to hold segment 0, the interrupt
vector table, as in Method 06) so that, with no debugger around, the call
returns with AX unchanged; if SoftICE is loaded it answers int 41h itself
without going through the real-mode vector, and AX comes back as 0F386h
anyway:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install the dummy handler, keep the old one
        xchg    bx, es:[41h*4+2]
        mov     ax,4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2   PROC
        iret
int41handler2   ENDP

_________________________________________________________________________

Method 06
=========
Second method similar to the preceding one but harder to detect: the
program installs its own int 41h handler which copies AL into CL, loads AL
with a byte read from the timer port 40h, clears CX and calls int 41h.
If its own handler ran, CL now equals AL; if SoftICE intercepted the
interrupt instead, CL is still 0 and a debugger is present. No function
number and no magic value are used, so a breakpoint conditioned on AX==4Fh
will not catch it (the check is skipped by chance when the timer byte
happens to be 0).

int41handler    PROC
        mov     cl,al
        iret
int41handler    ENDP

        xor     ax,ax
        mov     es,ax                   ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old one
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from the timer
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl,al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86 mode): function 43h is the
debugger installation check of int 68h and returns the same 0F386h magic
number.

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h (the single-step and breakpoint interrupts
SoftICE relies on) and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov     ah, 25h                     ; set interrupt vector
        mov     al, Int_Number              ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
2 s: P8 o2 n s$ x2 g) S) E, s6 r e
Method 10
: ^9 Y/ S0 i2 U& u- R+ ?=========
5 @! U0 s6 u& B3 x. ^
- T5 s4 n3 V( C9 K7 W5 S7 r0 L=>Disable or clear breakpoints before using this feature. DO NOT trace with
! _; Y+ }/ v" K* |' I' [ SoftICE while the option is enable!!( X6 J( q7 t7 }/ k& |% m; Q$ k
3 e1 x+ a# X) G& l; p: C
This trick is very efficient:
# O/ A6 y r+ D, F0 k2 [by checking the Debug Registers, you can detect if SoftICE is loaded
: f N/ Y3 ^% a. ]% @* k, z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# Y$ b# t8 I; ]3 ?/ G: ]% Vthere are some memory breakpoints set (dr0 to dr3) simply by reading their
3 S+ U) ~9 k& [: | ?( j+ Evalue (in ring0 only). Values can be manipulated and or changed as well
) G; u1 J t4 s6 p* B* f6 K {(clearing BPMs for instance)
5 b# _, D# M- {, [. u% I" x) n* z& o4 r% U# u* ]
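The debug-register check above, as an added example that is not part of the original text: a Python decoder for DR7 and DR0..DR3 of the kind a ring-0 routine would apply once it has read the registers. The DR7 bit layout is Intel's; the register values used below are constructed for illustration and do not come from a real machine.

```python
# Added example (not from the original text): decode the x86 debug registers
# the way a ring-0 check implementing Method 10 would after reading them.
# The DR7 layout below is Intel's; the register VALUES used are constructed.

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED = 1 << 10    # always reads as 1: hence the 0x400 "nothing set" value
DR7_GD = 1 << 13          # general detect: any MOV to/from DRn raises #DB

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the enabled hardware breakpoints plus the global DR7 flags.

    dr0_3 holds the linear addresses read from DR0..DR3.
    """
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln bit
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn bit
        if not (local or glob):
            continue                               # slot n is free
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn field
        bps.append({"slot": n, "addr": dr0_3[n],
                    "scope": "global" if glob else "local",
                    "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"exact": bool(dr7 & (DR7_LE | DR7_GE)),
            "general_detect": bool(dr7 & DR7_GD),
            "breakpoints": bps}


def loaded_by_softice_loader(dr7):
    """The heuristic from the text: 0x700 = LE and GE set on top of the
    reserved bit, which the SoftICE loader leaves behind; 0x400 = nothing."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def clear_bpm(dr7):
    """What 'clearing BPMs' means: drop the eight L/G enable bits and leave
    the rest of DR7 (including the loader signature) untouched."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed scenario: started by the SoftICE loader, with a
    # "BPMD 401000 RW" occupying slot 0 (local, read/write, 4 bytes).
    DR0_3 = (0x00401000, 0, 0, 0)
    DR7 = 0x700 | 0x1 | (3 << 16) | (3 << 18)
    print(decode_dr7(DR7, DR0_3))
    print("SoftICE loader signature:", loaded_by_softice_loader(DR7))
    print("after clearing BPMs: DR7=%#x" % clear_bpm(DR7))
```

The 0x400 baseline is just the reserved bit 10, which always reads as 1; the loader signature is the LE/GE pair in bits 8 and 9, and a BPM shows up as an L/G enable bit in the low byte together with its R/W and LEN fields in the high word, so the decoder tells the three apart instead of comparing whole register values.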
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" names the SICE VxD; the open only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA the request goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push    00402025        ; "\\.\SICE"
        0040106C:  call    CreateFileA
        00401071:  cmp     eax,-001        ; INVALID_HANDLE_VALUE
        00401074:  je      00401091        ; not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared is the first four characters of the driver name)

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                  ; OF_READ
        mov     eax,[00656634]      ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                 ; HFILE_ERROR (-1) becomes 0
        jnz     00650589            ; detected
        push    00                  ; OF_READ
        mov     eax,[00656638]      ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae            ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh           ; function 4Fh
        push    002A002Ah           ; high word specifies which VxD (VWIN32),
                                    ; low word which service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001   ; VxDCall
        cmp     ax, 0F386h          ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 inside the sub-keys of #2 and #1 respectively)

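The conditional breakpoints of Methods 11 and 13 are built the same way: pick the stack slot of the pointer argument, pick a 4-character window inside the expected string, compare it as a dword. As an added example (not from the original text), here is a small generator that reproduces those two breakpoints from the strings they target, so the magic offsets (+4, +0x13, +0x37) can be checked rather than trusted. It assumes the stdcall convention of the Win32 APIs involved (at the API entry point [esp] is the return address, so argument n is at esp+4*n) and SoftICE's `->` / multi-character constant syntax as shown in the breakpoints quoted on this page.

```python
# Added example (not from the original text): build the conditional BPX
# expressions used in Methods 11 and 13 from the strings they must match.
# Assumes the stdcall convention of the Win32 APIs involved: at the API's
# entry point [esp] is the return address, so argument n sits at esp+4*n.

def stack_arg(n):
    """SoftICE expression reading dword argument n (1-based) at API entry:
    'esp->4' dereferences esp+4, i.e. the first argument."""
    return "esp->%x" % (4 * n)


def fmt_offset(off):
    """Offsets are written the way the text writes them: +4, +0x13, +0x37."""
    return "%d" % off if off < 10 else "0x%x" % off


def bpx_for_strings(api, arg_n, strings, offset=None, anchor=None):
    """Return 'BPX api if ...' which fires when pointer argument arg_n points
    at any of the given strings.  The 4-character window compared as a dword
    starts at a fixed offset (to skip a prefix such as '\\\\.\\') or at the
    first occurrence of anchor in each string.  Strings too short for a
    window, or lacking the anchor, are left out."""
    terms = []
    for s in strings:
        off = s.find(anchor) if anchor is not None else offset
        if off is None or off < 0 or len(s) - off < 4:
            continue
        term = "*(%s+%s)=='%s'" % (stack_arg(arg_n), fmt_offset(off), s[off:off + 4])
        if term not in terms:             # identical windows need one term only
            terms.append(term)
    return "BPX %s if %s" % (api, " || ".join(terms))


MELTICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
SOFTICE_KEYS = [
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

if __name__ == "__main__":
    # lpFileName is CreateFileA's 1st argument; skip the 4-byte "\\.\" prefix
    print(bpx_for_strings("CreateFileA", 1, MELTICE_NAMES, offset=4))
    # lpSubKey is RegOpenKey's 2nd argument; match the tail of "SoftICE"
    print(bpx_for_strings("_regopenkey", 2, SOFTICE_KEYS, anchor="tICE"))
```

Key #3 contains no "tICE", so the generator leaves it out, which is also why the breakpoint on the page only covers keys #1 and #2; to catch #3 as well, call it again with an anchor such as "Load" and the corresponding offset will be computed the same way.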
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag (the zero flag is clear on return if a
debugger is installed).
</PRE></TD></TR></TBODY></TABLE>