<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a temporary int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler in the IVT
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: an arbitrary value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the \\.\SICE device only succeeds if the SoftICE VxD is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
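
As an added example (not part of the original text nor of any program it
mentions), here is a small C scanner an analyst can run over a raw binary
image to flag the byte patterns and strings of the tricks catalogued above
(Methods 01-05, 07, 11, 12 and 13). The sample image is constructed here from
Method 01's instruction bytes plus the MeltICE device name; the instruction
encodings assumed are the standard x86 ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit flags returned by scan_anti_softice(), one per trick family above. */
enum {
    SIG_BCHK     = 1 << 0, /* Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42 */
    SIG_BACKDOOR = 1 << 1, /* Method 02: mov si,4647h (BE 47 46) + mov di,4A4Dh (BF 4D 4A) */
    SIG_VXD_ID   = 1 << 2, /* Method 03/04: mov bx,0202h (BB 02 02) / mov bx,7A5Fh (BB 5F 7A) */
    SIG_F386     = 1 << 3, /* Method 05/07/12: cmp ax,0F386h -> 3D 86 F3 (66 prefix optional) */
    SIG_DEVNAME  = 1 << 4, /* Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device name */
    SIG_REGKEY   = 1 << 5  /* Method 13: Software\NuMega\SoftICE registry path */
};
/* 1 if pat[0..plen) occurs anywhere in buf[0..n), else 0. */
static int has_bytes(const uint8_t *buf, size_t n, const void *pat, size_t plen)
{
    for (size_t i = 0; plen && i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}
#define HAS(p)     has_bytes(buf, n, (p), sizeof (p))
#define HAS_STR(s) has_bytes(buf, n, (s), strlen(s))

/* Scan a raw code/data image and report which anti-SoftICE tricks it appears to carry. */
unsigned scan_anti_softice(const uint8_t *buf, size_t n)
{
    static const uint8_t bchk[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
    static const uint8_t si_fg[] = { 0xBE, 0x47, 0x46 }, di_jm[]  = { 0xBF, 0x4D, 0x4A };
    static const uint8_t sice[]  = { 0xBB, 0x02, 0x02 }, siwvid[] = { 0xBB, 0x5F, 0x7A };
    static const uint8_t f386[]  = { 0x3D, 0x86, 0xF3 };
    unsigned found = 0;
    if (HAS(bchk)) found |= SIG_BCHK;
    /* Require both magic values: either one alone is a frequent false positive. */
    if (HAS(si_fg) && HAS(di_jm)) found |= SIG_BACKDOOR;
    if (HAS(sice) || HAS(siwvid)) found |= SIG_VXD_ID;
    if (HAS(f386)) found |= SIG_F386;
    if (HAS_STR("\\\\.\\SICE") || HAS_STR("\\\\.\\SIWVID") || HAS_STR("\\\\.\\NTICE"))
        found |= SIG_DEVNAME;
    if (HAS_STR("Software\\NuMega\\SoftICE")) found |= SIG_REGKEY;
    return found;
}

/* Constructed sample: Method 01's instruction bytes followed by the MeltICE device name. */
static const uint8_t sample_image[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00,        /* mov ax,4 */
    0xCC,                          /* int 3 */
    0x3C, 0x04,                    /* cmp al,4 */
    0x75, 0x10,                    /* jnz SoftICE_Detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};

int main(void)
{
    unsigned f = scan_anti_softice(sample_image, sizeof sample_image);
    printf("signatures found: 0x%02x\n", f);
    return 0;
}
```

The flags are heuristics: a lone 3-byte immediate such as mov bx,0202h can
occur in innocent code, which is why Method 02 is only reported when both of
its magic values are present.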
</PRE></TD></TR></TBODY></TABLE>