<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
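As an added example (not code from the original text), here is a small decoder for the DR7 register layout as documented by Intel, run over the two values quoted above (0x700 and 0x400) and over a constructed value with one write breakpoint armed. It shows which bits the SoftICE loader leaves set (the LE/GE "exact breakpoint" flags, bits 8 and 9; bit 10 is always 1) and which of DR0-DR3 carry a live BPM. The field names are Intel's; the 0xD0001 sample value is constructed.

```python
"""Decode the x86 DR7 debug-control register (added example, not from the article).

Method 10 says a program started through the SoftICE loader sees dr7=0x700,
while 0x400 is the idle value, and that armed memory breakpoints (BPM) live in
dr0-dr3.  This decoder shows what those values mean.  The bit layout is the
one documented by Intel for DR7; the sample values below are constructed.
"""

# bits 16+4i / 18+4i: condition and length for breakpoint i (Intel encoding)
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 is only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the global flags of DR7 and a list of the armed breakpoints."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1       # Ln: enabled for the current task
        glob = (dr7 >> (2 * i + 1)) & 1    # Gn: enabled for all tasks
        if local or glob:
            armed.append({
                "index": i,
                "scope": "global" if glob else "local",
                "type": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
            })
    return {
        "local_exact": bool((dr7 >> 8) & 1),      # LE, bit 8
        "global_exact": bool((dr7 >> 9) & 1),     # GE, bit 9
        "general_detect": bool((dr7 >> 13) & 1),  # GD, bit 13: trap on any DR access
        "breakpoints": armed,
    }


def describe_dr7(dr7: int) -> str:
    """One-line summary, e.g. for a ring0 dump of the register."""
    d = decode_dr7(dr7)
    flags = [name for name in ("local_exact", "global_exact", "general_detect") if d[name]]
    bps = ", ".join(
        f"DR{b['index']} {b['scope']} {b['type']} len={b['length']}" for b in d["breakpoints"]
    ) or "none"
    return f"dr7={dr7:#x}: flags={flags or 'none'} breakpoints={bps}"


if __name__ == "__main__":
    # 0x700 / 0x400 are the values quoted in the text; 0xD0001 is constructed:
    # DR0 enabled locally, condition=write, length=4 bytes
    for value in (0x700, 0x400, 0xD0001):
        print(describe_dr7(value))
```

The two values from the text differ only in LE and GE, which is why a ring0 read of DR7 tells a protected program whether it was started through the loader; a non-zero entry in the breakpoint list is the BPM case the text also mentions.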
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds if the SICE VxD is loaded and answers the request */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov  eax,[00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589                   ; detected
        push 00                         ; OF_READ
        mov  eax,[00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae                   ; not detected

" P8 V* }7 @0 x6 B- p: W: i__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
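The breakpoints listed throughout this text catch the tricks at run time. As an added example (not code from the original text), the following Python scanner does the static counterpart: it searches a raw code blob for the byte-level form of methods 01, 02, 03/04, 05 and 12 and for the device and registry names of methods 11 and 13, which is how an analyst triages a packed sample for anti-SoftICE checks before stepping into it. The opcode bytes are the standard x86 encodings of the instructions listed above (16-bit code for the DOS examples, 32-bit for the Win32 ones); the allowed gaps between instructions and the sample blob are constructed, not taken from any real binary.

```python
"""Static triage for the SoftICE checks listed above (added example, not from the article).

Searches a raw code blob for the byte form of methods 01, 02, 03/04, 05 and
12 and for the device / registry names of methods 11 and 13.  The opcode
bytes are the standard x86 encodings of the listed instructions (16-bit for
the DOS examples, 32-bit for the Win32 ones); the .{0,N} gaps and the sample
blob are constructed, not taken from any real binary.
"""
import re

# One regex per trick; \x.. are instruction bytes, .{0,N} lets a few
# unrelated bytes sit between the instructions of one check.
PATTERNS = {
    # M01: mov ebp,4243484Bh ('BCHK') .. mov ax,4 .. int 3   (66 prefix optional)
    "M01 BoundsChecker signature":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}\x66?\xB8\x04\x00.{0,8}\xCC",
    # M02: mov si,4647h .. mov di,4A4Dh .. int 3             (16-bit code)
    "M02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,16}\xCC",
    # M03/04: mov ax,1684h .. mov bx,0202h|7A5Fh .. int 2Fh  (16-bit code)
    "M03/04 int 2Fh/1684h VxD entry point":
        rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # M05: mov ax,4Fh .. int 41h .. cmp ax,0F386h            (16-bit code)
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3",
    # M12: push 4Fh ; push 002A002Ah                          (32-bit code)
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}\x68\x2A\x00\x2A\x00",
    # M11: MeltICE device names passed to CreateFileA / _lopen
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # M13: registry keys that reveal the SoftICE installation directory
    "M13 SoftICE registry key":
        rb"(?i)Software\\(?:NuMega\\SoftICE"
        rb"|Microsoft\\Windows\\CurrentVersion\\(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))",
}
# DOTALL so the .{0,N} gaps also match a 0x0A byte
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in PATTERNS.items()}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, trick name) for every match, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed blob: NOP filler with three checks and one registry string embedded."""
    nops = b"\x90" * 16
    m01 = (b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh
           b"\x66\xB8\x04\x00"          # mov ax,4
           b"\xCC"                      # int 3
           b"\x3C\x04"                  # cmp al,4
           b"\x75\x10")                 # jnz SoftICE_Detected
    m03 = (b"\x31\xFF\x8E\xC7"          # xor di,di ; mov es,di
           b"\xB8\x84\x16"              # mov ax,1684h
           b"\xBB\x02\x02"              # mov bx,0202h
           b"\xCD\x2F")                 # int 2Fh
    device = b"\\\\.\\SICE\x00"
    regkey = b"Software\\NuMega\\SoftICE\x00"
    return nops + m01 + nops + m03 + nops + device + nops + regkey + nops


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Run it on a dumped code section (after unpacking, since packers hide these checks under their own layer) and each hit gives an offset to put a BPX on. The patterns deliberately key on the immediates the text identifies as fixed ('BCHK', 4647h/4A4Dh, 0202h/7A5Fh, 0F386h, 002A002Ah); a rewritten check that loads those values indirectly needs a looser pattern.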

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>