<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI == 0:0 when no such VxD is loaded
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler, saving the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h                 ; a resident debugger answers before our handler
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our own handler: copy AL into CL
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value read from the timer port
        xor cx, cx
        int 41h                 ; reaches our handler only if nothing else hooks int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL: our handler was never called
        jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>