<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the 'Get Device API Entry Point' function):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax          ; ES:DI = 0000:0000 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]    ; keeping the old vector in DX:BX
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; our handler returns AX unchanged; only a debugger
    jz SoftICE_detected      ; sitting below the IVT can answer with the magic number

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; our handler copies AL into CL
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read the PIT counter: a value that changes each time
    xor cx, cx               ; CL = 0
    int 41h                  ; our handler sets CL = AL, unless a debugger
                             ; intercepts int 41h and our handler never runs
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
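
To see why 0x400 and 0x700 differ, here is an added example (Python, not part
of the original text) that splits a DR7 value into its documented IA-32 fields:
bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 is LE and bit 9 is GE
(exact breakpoint match), bit 10 is reserved and always reads 1, bit 13 is GD,
and bits 16-31 hold the R/W and LEN fields of each breakpoint. 0x700 is therefore
0x400 with LE and GE set. The classify() helper is a constructed heuristic that
mirrors the two cases named above (0x700 / 0x400 and non-zero DR0-DR3); the
function and field names are this example's own.

```python
# Added example (not from the original text): decode the DR7 debug control
# register so the 0x400 / 0x700 values above become readable.  Bit layout is
# the documented IA-32 one: L0..L3/G0..G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved (reads 1), GD bit 13, R/Wn in bits 16+4n, LENn in bits 18+4n.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes in 64-bit mode only


def decode_dr7(dr7):
    """Return a dict describing the state a DR7 value encodes."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"index": n, "global": bool(glob),
                        "access": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "exact_local": bool(dr7 & 0x100),      # LE
        "exact_global": bool(dr7 & 0x200),     # GE
        "reserved_bit10": bool(dr7 & 0x400),   # always set on real hardware
        "general_detect": bool(dr7 & 0x2000),  # GD: trap on any mov to DRn
        "breakpoints": bps,
    }


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """Constructed heuristic mirroring the text: what a ring-0 read of the
    debug registers reveals.  dr0_3 are the four breakpoint address registers."""
    state = decode_dr7(dr7)
    if state["breakpoints"]:
        return "hardware breakpoints armed"
    if state["exact_local"] or state["exact_global"]:
        return "debugger present (LE/GE set, DR7 = 0x700 case)"
    if any(dr0_3):
        return "stale breakpoint addresses in DR0-DR3"
    return "clean (DR7 = 0x400 case)"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x400 | 0x2 | (0b01 << 16) | (0b01 << 18)):
        print(f"DR7={value:#x}: {classify(value)}  {decode_dr7(value)}")
```

The third value in the usage loop is what one armed 2-byte write breakpoint in
slot 0 looks like (G0 set, R/W0 = 01, LEN0 = 01), which is the pattern a BPM-style
breakpoint leaves behind.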

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device succeeds only when the SICE driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
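
The idioms of methods 01 to 07, 11 and 12 all leave fixed byte sequences in a
program, which is what an analyst triaging a packed sample looks for before
loading it in a debugger. The following Python is an added example (not part
of this document) that scans a buffer for the machine-code encodings of the
instruction sequences shown above, with the 66h prefix made optional so that
both the 16-bit DOS forms and their 32-bit equivalents match, and for the
MeltICE device names. The names scan, SIGNATURES, DEVICE_NAMES and SAMPLE are
this example's own, and the sample buffer is constructed for the demonstration.

```python
# Added example (not from the original text): a scanner for the SoftICE
# detection idioms described above, as used to triage a packed sample.
# Byte patterns are the encodings of the instruction sequences shown in the
# text; "\x66?" allows the operand-size prefix the same instructions carry
# in 32-bit code.
import re

# (method number in the text, description, pattern over raw bytes)
SIGNATURES = [
    (1, "BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)")),
    (2, "int 3 back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A")),
    (3, "int 2Fh/1684h lookup of VxD ID 0202h (SICE)",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F")),
    (4, "int 2Fh/1684h lookup of VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F")),
    (5, "int 41h function 4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    (7, "int 68h function 43h debugger check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    (12, "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

# Device names opened by MeltICE-style checks (method 11): \\.\SICE etc.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(buf):
    """Return a list of (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), method, desc))
    for name in DEVICE_NAMES:
        for m in re.finditer(re.escape(name), buf):
            hits.append((m.start(), 11, "device name " + name.decode("ascii")))
    return sorted(hits)


# Constructed sample: NOPs followed by the idioms of methods 01, 02, 03, 05, 12
# and two device-name strings (method 11), in that order.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01, 32-bit
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02, 16-bit (Haspinst)
    + b"\x66\xB8\x84\x16\x66\xBB\x02\x02\xCD\x2F"                  # method 03, 32-bit
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # method 05, 16-bit
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"      # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # method 11 strings
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:02d}  {desc}")
```

Run against a real file, scan(open(path, "rb").read()) gives the offsets to
inspect in a disassembler; the int 3 and int 41h patterns are short, so a hit
is a lead to verify, not a verdict.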
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>