<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises ('BCHK' in
ebp): if al is no longer 4 after the int 3, SoftICE answered the call.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands. It is also used to crash SoftICE and to force
it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger when int 41h, function 4Fh is called.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler that does nothing, so if ax still comes back as 0F386h,
something other than the vector in the interrupt table (i.e. SoftICE)
answered the call:

    xor ax, ax
    mov es, ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our dummy handler
    xchg bx, es:[41h*4+2]      ; (the original vector is kept in dx:bx)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect.
The handler copies al into cl: if the vector installed in the interrupt
table really ran, cl equals al afterwards; otherwise (SoftICE intercepted
the interrupt) cl keeps the zero it was set to:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; al = PIT counter, an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                      ; set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (dr0 to
dr3), simply by reading their values (ring0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);        /* the device exists: SoftICE is present */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected
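
As an added example (not part of the original text), a small static scanner
that looks for the byte sequences of the tricks described above (the int 3 /
int 2Fh / int 41h / int 68h checks of Methods 01 to 07 and the MeltICE device
names of Method 11) in a binary. The opcode encodings are standard x86
(16-bit real-mode forms, 32-bit for the 'BCHK' mov); the sample bytes are
constructed here for the demonstration.

```python
# Static scan of a DOS/Win9x binary for the SoftICE checks described above.
# Encodings are standard x86: 16-bit forms for the real-mode tricks, 32-bit
# for 'mov ebp,4243484Bh'. Only the exact sequence shown in each method is
# matched; a protector may reorder instructions or build the constants at
# run time, so a miss is not proof of absence.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' marker (mov ebp,4243484Bh)":
        b"\xBD\x4B\x48\x43\x42",
    "02 SoftICE back door magic (mov si,4647h / mov di,4A4Dh)":
        b"\xBE\x47\x46\xBF\x4D\x4A",
    "03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "05 int 41h function 4Fh (mov ax,4Fh / int 41h)":
        b"\xB8\x4F\x00\xCD\x41",
    "05/07/12 compare with debugger magic 0F386h (cmp ax,0F386h)":
        b"\x3D\x86\xF3",
    "07 int 68h function 43h (mov ah,43h / int 68h)":
        b"\xB4\x43\xCD\x68",
    "11 MeltICE device name \\\\.\\SICE":   b"\\\\.\\SICE",
    "11 MeltICE device name \\\\.\\SIWVID": b"\\\\.\\SIWVID",
    "11 MeltICE device name \\\\.\\NTICE":  b"\\\\.\\NTICE",
}


def scan(blob):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


# Constructed sample: NOP padding around a Haspinst-style back door call
# (Method 02), an int 2Fh/1684h probe (Method 03), an int 41h/4Fh check with
# its magic compare (Method 05) and a MeltICE device name (Method 11).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h / mov dx,[bx] / si / di / int 3
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # xor di,di / mov es,di / ax / bx / int 2Fh
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"          # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```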
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxDCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>