About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es -> segment 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
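As an added example that is not part of the original post, here is a Python triage scanner that looks for the byte encodings of the tricks from methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw binary, the kind of thing an analyst runs over a sample before stepping into it. The patterns are my own encodings of the instruction sequences quoted above, and the embedded sample blob is constructed, not taken from any real file.

```python
"""Triage scanner for the anti-SoftICE idioms listed in this post (added
example, not code from the original post).  Assumption: each pattern is my
own straightforward x86 encoding of the quoted instruction sequence; the
optional 66h prefix covers 16- and 32-bit code.  Real samples may reorder or
obfuscate these, so a miss is not proof of absence."""
import re
import sys
from typing import List, Tuple

# (method label, regex over raw bytes)
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42", re.DOTALL)),
    ("02 back door magic (mov si,4647h; mov di,4A4Dh; int 3)",
     re.compile(rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL)),
    ("03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f", re.DOTALL)),
    ("05 int 41h/4Fh then cmp ax,0F386h",
     re.compile(rb"\xb8\x4f\x00\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    ("07 int 68h/43h WinICE handler check",
     re.compile(rb"\xb4\x43\xcd\x68", re.DOTALL)),
    ("11 MeltICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.DOTALL)),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00", re.DOTALL)),
    ("13 SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample, not bytes from any real file: the Haspinst-style
# back-door loop, the int 41h/4Fh check and a MeltICE device name, with NOPs
# as filler between them.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h   (offset 9)
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41"    # mov ax,4Fh ; int 41h   (offset 19)
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0   (offset 30)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  method {label}")
```

Run it with a file path to scan that file; without arguments it scans the constructed sample and reports methods 02, 05 and 11.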
</PRE></TD></TR></TBODY></TABLE>