<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h  ; VxD ID of winice
    int 2Fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh  ; VxD ID of SIWVID
    int 2fh
    mov ax, es     ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to be 0 here (see Method 06)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025  ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
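The byte patterns behind Methods 01, 02, 05, 11 and 12 can also be turned into a static triage check that an analyst runs over a suspect binary before loading it under a debugger. The following scanner is an added example, not code from the original text or from any tool it mentions; the opcode encodings, the label names and the sample blob are constructed here.

```python
import re

# Static triage scanner for the SoftICE checks of Methods 01, 02, 05, 11 and
# 12. Encodings are the 16/32-bit x86 forms the listings above imply; a 66h
# operand-size prefix does not break a match because each pattern starts at
# the opcode byte. Hits are leads for manual review, not proof of a check.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') encodes as BD 4B 48 43 42
    ("Method 01 BoundsChecker BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h (BE 47 46) soon followed by mov di,4A4Dh (BF 4D 4A)
    ("Method 02 back door SI/DI magic",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41)
    ("Method 05 int 41h/4Fh", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah before VxDCall
    ("Method 12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]

# Method 11: the driver names MeltICE opens, as ANSI and as UTF-16LE strings
# (the wide form catches a CreateFileW variant the text does not show).
for _name in (b"SICE", b"SIWVID", b"NTICE"):
    _ansi = b"\\\\.\\" + _name
    SIGNATURES.append((f"Method 11 MeltICE {_name.decode()} (ANSI)",
                       re.compile(re.escape(_ansi))))
    SIGNATURES.append((f"Method 11 MeltICE {_name.decode()} (UTF-16LE)",
                       re.compile(re.escape(_ansi.decode().encode("utf-16-le")))))


def scan(blob):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): NOP filler around hand-assembled
# fragments of the checks above, plus two MeltICE device names.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"              # Method 05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"      # Method 12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                       # Method 11 ANSI
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"         # Method 11 wide
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```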
! ?9 s) C! o# T. L. B. _- Q, B7 }
__________________________________________________________________________5 o8 Z {0 D( l, |, z3 _
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>