<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; ES:DI == 0:0 means no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must point to the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]   ; install a do-nothing int 41h handler
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect: the
check relies on SoftICE handling int 41h itself without chaining to the vector,
so the replacement handler never runs and cl keeps its zero value.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax               ; ES -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer value, so al is not predictable
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

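Added example (not from the original text): a Python decoder for the DR7 values quoted above, using the DR7 bit layout from the IA-32 manuals (L0-L3/G0-G3 enables in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and reading as 1, GD bit 13, R/W and LEN fields from bit 16). Reading 0x400 as "only the reserved bit" and 0x700 as "LE and GE additionally set" is that layout applied to the two values, not a statement of the text; the SAMPLE_BPM value with a write breakpoint on dr0 is constructed.

```python
"""Decoder for the DR7 values of Method 10 (added example, not from the text).

Layout per the IA-32 manuals: L0/G0 .. L3/G3 enables in bits 0-7, LE bit 8,
GE bit 9, bit 10 reserved (reads as 1), GD bit 13, then for breakpoint n a
2-bit R/W field at bit 16+4n and a 2-bit LEN field at bit 18+4n.
"""
from __future__ import annotations

from dataclasses import dataclass

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


@dataclass(frozen=True)
class Breakpoint:
    index: int
    local: bool
    global_: bool
    kind: str
    length: int


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its four breakpoint slots and global flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append(Breakpoint(n, local, glob, RW_TYPES[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": slots,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def active_breakpoints(dr7: int) -> list[int]:
    """Indexes of dr0..dr3 that are enabled locally or globally (the BPMs)."""
    return [bp.index for bp in decode_dr7(dr7)["breakpoints"]
            if bp.local or bp.global_]


def classify(dr7: int) -> str:
    """Reproduce the readings Method 10 gives for dr7, plus the BPM case."""
    active = active_breakpoints(dr7)
    if active:
        return "hardware breakpoint(s) enabled: dr" + ",dr".join(map(str, active))
    flags = decode_dr7(dr7)
    if flags["le"] and flags["ge"]:
        return "LE/GE set (0x700 pattern: loaded under the SoftICE loader)"
    return "no hardware breakpoints, LE/GE clear (0x400 pattern)"


# Constructed value: the 0x700 base plus a local 4-byte write BPM in slot 0
# (L0=1, R/W0=01b, LEN0=11b), i.e. what a BPM on a dword would look like.
SAMPLE_BPM = 0x700 | 0x1 | (0x1 << 16) | (0x3 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM):
        print(f"dr7={value:#x}: {classify(value)}")
```

Reading the registers needs ring0, as the text says; the decoder only interprets a value already obtained, which is also what an analyst needs when comparing a DR7 snapshot taken before and after a protected program runs to see whether it cleared the BPMs.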
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;          /* the handle opened: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
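Added example (not from the original text nor from any tool it names): a static scanner, in Python, for the signatures of Methods 01 to 05, 07, 11, 12 and 13 above, the kind of triage check an analyst runs over an unpacked image to locate where a protector performs these tests. The byte patterns are the x86 encodings of the instruction sequences quoted in those methods (16-bit encodings for the DOS tricks, 32-bit for the Win32 ones) together with the driver device names and registry paths; matching both orders of the two magic-value moves and the UTF-16LE form of the device names goes beyond the text, which only shows one order and the ANSI CreateFileA and _lopen calls. The SAMPLE blob is constructed.

```python
"""Static scanner for the anti-SoftICE signatures described above (added example).

Byte patterns are the x86 encodings of the instruction sequences quoted in
Methods 01-05, 07 and 12 (16-bit encodings for the DOS tricks, 32-bit for the
Win32 ones), plus the device names of Method 11 and the registry paths of
Method 13. An analyst runs scan() over an unpacked image to locate the checks.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    description: str


def _code(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr)


SIGNATURES: list[tuple[bytes, str, str]] = [
    (_code("BD4B484342"), "01", "mov ebp,4243484Bh ('BCHK') before int 3"),
    (_code("BE4746BF4D4A"), "02", "mov si,4647h / mov di,4A4Dh (int 3 back door)"),
    (_code("BF4D4ABE4746"), "02", "mov di,4A4Dh / mov si,4647h (int 3 back door)"),
    (_code("BB0202CD2F"), "03", "mov bx,0202h / int 2Fh (VxD ID of SICE)"),
    (_code("BB5F7ACD2F"), "04", "mov bx,7A5Fh / int 2Fh (VxD ID of SIWVID)"),
    (_code("B84F00CD41"), "05", "mov ax,4Fh / int 41h (expects 0F386h)"),
    (_code("B443CD68"), "07", "mov ah,43h / int 68h (expects 0F386h)"),
    (_code("682A002A00"), "12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
]

# Driver device names: ANSI form (CreateFileA, _lopen) as in the text, and the
# UTF-16LE form a CreateFileW caller would carry (an addition beyond the text).
for _name in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"):
    _text = _name.decode()
    SIGNATURES.append((_name, "11", "device name %s (MeltICE)" % _text))
    SIGNATURES.append((_text.encode("utf-16-le"), "11", "device name %s (wide)" % _text))

for _key in (rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE",
             rb"App Paths\Loader32.Exe"):
    SIGNATURES.append((_key, "13", "registry path %s" % _key.decode()))


def scan(blob: bytes) -> list[Hit]:
    """Return every signature occurrence in blob, ordered by offset."""
    hits: list[Hit] = []
    for pattern, method, desc in SIGNATURES:
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx == -1:
                break
            hits.append(Hit(idx, method, desc))
            start = idx + 1
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> set[str]:
    """Which of the numbered methods the blob appears to use."""
    return {h.method for h in scan(blob)}


# Constructed sample (not a real binary): filler around the Haspinst-style
# int 3 sequence, the int 41h/4Fh check and the MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + _code("B81109")             # mov ax,0911h
    + _code("8B17")               # mov dx,[bx]
    + _code("BE4746BF4D4ACC")     # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + _code("B84F00CD413D86F3")   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 4
    + rb"\\.\SICE" + b"\x00"
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method}: {h.description}")
```

The patterns are deliberately short (the instruction that carries the magic constant plus the interrupt that follows it), so a hit is a lead to disassemble at that offset, not proof on its own; protectors that build the constants at run time, as the int 41h handler tricks of Methods 05 and 06 do with the vector, are not caught by byte matching.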

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>