<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; BoundsChecker interface of SoftICE
 cmp al,4 ; al is still 4 if nobody answered the int 3
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es is assumed to be 0 (IVT): install our own
 xchg bx, es:[41h*4+2] ; int 41h handler, keeping the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler simply echoes al into cl
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable value read from the timer
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al: somebody else handled int 41h
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h


__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
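To make the two dr7 values quoted above concrete, here is an added example (not part of the original text): a small Python decoder for the DR7 bit layout, so that an analyst looking at a dumped dr7 can see which of dr0-dr3 are armed and why 0x700 differs from 0x400. The sample values are constructed for the demonstration.

```python
# Added example: decode the DR7 debug-control register (Intel layout).
# Bits 0-7: L0,G0 .. L3,G3 enable bits for DR0..DR3; bit 8: LE; bit 9: GE;
# bit 10: reserved, always reads 1 (DR7 is 0x400 after reset); bit 13: GD;
# bits 16-31: R/Wn (2 bits) and LENn (2 bits) for each DRn.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 bytes only exists in 64-bit mode

def decode_dr7(dr7):
    """Return the flag bits and the list of armed hardware breakpoints."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            armed.append({"reg": f"DR{n}",
                          "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw],
                          "len": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1),
            "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1),
            "breakpoints": armed}

def looks_like_softice_loader(dr7):
    """Rule of thumb from the text above: 0x700 has LE and GE set on top of
    the reserved bit 10, whereas a plain 0x400 is the reset value."""
    return (dr7 & 0x300) == 0x300

def bpm_count(dr7):
    """Number of memory breakpoints (BPM) armed in dr0..dr3."""
    return len(decode_dr7(dr7)["breakpoints"])

# Constructed samples: 0x700 and 0x400 are the values quoted in the text;
# the third arms DR0 globally as a 4-byte read/write breakpoint
# (G0=1, R/W0=11b, LEN0=11b) on top of 0x700.
SAMPLES = {"loader": 0x700, "plain": 0x400, "one_bpm": 0x000F0702}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8s} dr7=0x{value:08X} -> {decode_dr7(value)}")
```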

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. when the SoftICE
   VxD is loaded and answers the DIOC_OPEN sent for "\\.\SICE". */
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',00
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) + 1 == 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected
Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
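The breakpoints above catch these tricks at run time; as an added example (not part of the original text), here is a Python scanner that finds the opcode sequences of methods 01, 02, 05, 07 and 12 and the device names of method 11 statically in a raw file image, the way an analyst triaging a packed sample would. The sample buffer is hand-assembled for the test and not taken from any real program; the byte encodings are the standard x86 ones, with an optional 66h prefix so that both 16-bit and 32-bit code match.

```python
# Added example: static signature scan for the SoftICE checks described above.
import re
import sys

# name -> regex over raw bytes.  The optional 66h operand-size prefix lets one
# pattern match the 16-bit (DOS) and the 32-bit (Win32) encoding of each trick.
SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "method 01 BoundsChecker int 3": rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # method 02: mov si,4647h ; mov di,4A4Dh ; ... ; int 3  (AX = 09xxh)
    "method 02 int 3 back door": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    # method 05: mov ax,4Fh ; int 41h
    "method 05 int 41h/4Fh": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # methods 05-07 and 12: cmp ax,0F386h (the system-debugger magic number)
    "cmp ax,0F386h": rb"(?:\x66)?\x3D\x86\xF3",
    # method 07: mov ah,43h ; int 68h
    "method 07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "method 12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # method 11: the device names handed to CreateFileA / _lopen
    "method 11 SoftICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}

def scan(data):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample (not from any real binary): a 32-bit method 01 check, a
# 16-bit method 02 call, a 32-bit method 05 check, the method 12 pushes and a
# MeltICE device-name string, separated by filler bytes.
SAMPLE = (
    b"\x55\x8B\xEC"                                               # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01 + cmp al,4 / jnz
    + b"\x90" * 4                                                 # nop filler
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # method 02 (mov ax,0911h ...)
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"           # method 05 + cmp ax,0F386h / jz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # method 12 pushes + call [..]
    + b"\\\\.\\SICE\x00"                                           # method 11 device name
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"0x{offset:08X}  {name}")
```

Run it with a file path to scan that file; without arguments it scans the constructed sample.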

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>