About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es = 0 (interrupt vector table) is assumed here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value, unpredictable
    xor     cx,cx
    int     41h                     ; our handler copies al into cl unless SoftICE answers first
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only when SICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.