<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BoundsChecker handshake and changes al
    cmp al, 4               ; al is still 4 if nobody handled the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di              ; es:di = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di              ; es:di = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]       ; keeping the old vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our handler leaves ax untouched...
    jz SoftICE_detected         ; ...so 0F386h can only come from SoftICE

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; our handler: copy the 'random' al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer: an unpredictable value
    xor cx, cx
    int 41h                     ; if nobody intercepts it, cl becomes al
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; cl != al: SoftICE answered instead of us
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 = 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

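Added example, not part of the original text: a small static scanner that looks for the byte patterns the INT 3 backdoor (Method 02), the BoundsChecker 'BCHK' handshake (Method 01) and the MeltICE device names (Method 11) leave in a binary, so an analyst can triage a sample without tracing it under SoftICE. The instruction encodings and the sample bytes are worked out and constructed here, and the UTF-16LE device-name variant is an assumption of this example, not something the page mentions.

```python
import re

# Instruction encodings (16-bit code unless noted), worked out for this example:
#   MOV SI,4647h -> BE 47 46    MOV DI,4A4Dh -> BF 4D 4A    INT 3 -> CC
#   MOV EBP,4243484Bh ('BCHK') -> BD 4B 48 43 42 (66-prefixed in 16-bit code)
# Up to 8 bytes may sit between the parts, so the MOV AX,09xx / MOV DX,[BX]
# setup seen in the Haspinst.exe loop still matches.
GAP = rb".{0,8}?"
SIGNATURES = {
    "int3_backdoor_magic": re.compile(
        rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC", re.DOTALL),
    "int3_backdoor_magic_swapped": re.compile(
        rb"\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46" + GAP + rb"\xCC", re.DOTALL),
    "boundschecker_bchk": re.compile(
        rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC", re.DOTALL),
}
# Device names opened by MeltICE-style checks (CreateFileA / _lopen). The
# UTF-16LE form is an assumption (a CreateFileW caller), not from the page.
for dev in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"):
    tag = dev[4:].decode()
    SIGNATURES["device_" + tag] = re.compile(re.escape(dev))
    SIGNATURES["device_utf16_" + tag] = re.compile(
        re.escape(dev.decode().encode("utf-16-le")))


def scan(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed samples (hand-assembled for this example, not bytes from a real file):
# the Haspinst.exe loop from Method 02 (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 /
# MOV DI,4A4D / INT 3 / ADD BX,2) ...
HASPINST_LOOP = bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC  83 C3 02")
# ... the BoundsChecker handshake from Method 01 as 32-bit code
# (MOV EBP,'BCHK' / MOV AX,4 / INT 3 / CMP AL,4) ...
BCHK_CHECK = bytes.fromhex("BD 4B 48 43 42  66 B8 04 00  CC  3C 04")
# ... and a MeltICE-style string table.
MELTICE_STRINGS = b"\x90" * 4 + b"\\\\.\\SICE\x00" + b"\x90" * 4

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for off, name in scan(f.read()):
                print(f"{path}: {name} at offset 0x{off:X}")
```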

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>