<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: int 3
is called with ebp='BCHK' and ax=4; if al is no longer 4 afterwards,
SoftICE handled the call.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; SoftICE's BoundsChecker interface answers this
 cmp al,4 ; al unchanged -> nobody handled the call
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies
on the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :))

The program will execute 6 different SIce commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (API "Get VxD entry point"): the call fills ES:DI with the
VxD's API entry point, or leaves it 0:0 when the VxD is not loaded.

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; still zero -> VxD not present
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; still zero -> VxD not present
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh ; function 4Fh: "debugger installation check"
 int 41h
 cmp ax, 0F386h ; magic number answered by a system debugger
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 so that es:[41h*4] addresses the IVT entry
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
 mov ax,4fh
 int 41h ; only a debugger sitting above the IVT can answer
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret ; our handler does nothing, so ax stays 4Fh
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:
no magic number is compared; instead the program checks whether its own
int 41h handler actually ran.

int41handler PROC
 mov cl,al ; copy the value passed in al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> es:[41h*4] is the IVT entry
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, save the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the PIT counter: an unpredictable value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl==al only if our handler was really reached
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h ; same magic number as method 05
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip
 is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to
another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> the replacement routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device, and returns a Device Description
Block (in ecx) for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
 with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). Values can be manipulated
and changed as well (clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the device succeeds only if the SICE VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could a
shareware soft try to load/unload a non-dynamically loadable driver such
as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to
allow its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, there are several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

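As an added example (not part of the original text), here is a small
static scanner for the fingerprints of the checks above: the byte
encodings of the instructions shown in methods 01, 02, 03/04, 05, 07 and
12, plus the device names of method 11 and the registry keys of method 13.
The byte patterns are encoded here from those instructions (16-bit forms
for the DOS/int checks, 32-bit for the BCHK check) and the sample blob is
constructed for the demo, not taken from any real binary.

```python
import re

# Signatures for the SoftICE checks described on this page. Byte patterns are
# the encodings of the instructions shown (16-bit forms for the DOS/int checks,
# 32-bit form for the BCHK check); '.' wildcards tolerate a few bytes between.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker BCHK int 3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (SoftICE back door)
    "M02 back door magic SI/DI": rb"\xBE\x47\x46.{0,2}\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: device names opened by MeltICE and the _lopen variant
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry keys revealing the SoftICE installation
    "M13 SoftICE registry key": rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {signature name: [offsets]} for every signature found in blob."""
    hits = {}
    for name, pat in COMPILED.items():
        offsets = [m.start() for m in pat.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample "binary": NOP padding around hand-encoded fragments of
# methods 01, 02 and 03, plus the strings used by methods 11 and 13.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"               # mov ebp,4243484Bh (offset 16)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"       # mov ax,4 ; int 3 ; cmp al,4
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"               # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h ; mov di,4A4Dh ; int 3 (41)
    + b"\x90" * 8
    + b"\x31\xFF\x8E\xC7"                   # xor di,di ; mov es,di
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h ; mov bx,202h ; int 2Fh (60)
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE" (offset 68)
    + b"Software\\NuMega\\SoftICE\x00"      # registry key (offset 86)
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:36s} at {[hex(o) for o in offsets]}")
```

The patterns only cover the exact encodings shown on this page; a packer
that shuffles registers or pads the sequence with other instructions needs
wider wildcards, so treat a hit as a lead for manual review rather than proof.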
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>