About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, saving the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. Instead
of looking for the 0F386h magic value, it checks whether its own int 41h
handler actually ran: a byte read from port 40h is left in al and the handler
copies it into cl; if a debugger has taken over int 41h, cl never receives that
value and the compare fails:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

" h( |. F9 ~, [$ T+ ]Method 07) q2 v3 L/ R  ^% p/ g/ H
=========; \% ^. g9 {1 y, D
% Z, a+ N$ x5 G4 ^# ]/ U0 N7 F
Method of detection of the WinICE handler in the int68h (V86)
$ J. B  X3 r; ]# B" [; r4 Y% ^7 v3 O3 _7 M9 i$ C) H+ i
    mov     ah,43h. ~) f& X* I0 G$ A! S. R: X# P! G
    int     68h
% W$ k1 q) M6 q6 g5 s    cmp     ax,0F386h
. j, _6 l* H) q; u1 P) u  D    jz      SoftICE_Detected* J# R$ \  K2 E5 U' k# i* C# h

0 W: R* ?" A  {1 H& _0 D
% v# m8 H+ Q4 p5 o/ y" K6 H, S=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
+ A, T, S8 U) ^8 s   app like this:
9 G+ x1 x/ p# P. G4 h; x- R8 |- w6 R6 m- H% p
   BPX exec_int if ax==68% k# T: I8 N# [$ |
   (function called is located at byte ptr [ebp+1Dh] and client eip is
. \% E* G; {! o) S/ |: c   located at [ebp+48h] for 32Bit apps)
# u6 U, W/ f0 U; |. t0 @__________________________________________________________________________
/ O2 b/ y  D6 ?1 D& F
) v+ g3 B9 Z! c. q  ~# D
" M" T6 M4 L% n- b, p* _2 ?Method 086 `4 k' p. L( g( I
=========
( W, E+ u7 ~" z, i" Y. c
' v$ w( y3 T5 ?% n7 x) oIt is not a method of detection of SoftICE but a possibility to crash the9 c! s. p9 Z+ ?/ M+ W" [
system by intercepting int 01h and int 03h and redirecting them to another2 i. G! i# t* x5 B
routine.
3 `5 y$ Z2 ]1 Z+ [It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
* [- V+ ?% k! N3 k& Y, @" gto the new routine to execute (hangs computer...)
, `1 ^* r( I5 D) E4 }2 k$ q# F8 J! V$ Q6 A. k" u9 @
    mov     ah, 25h
( ^9 G: D. s* p  J    mov     al, Int_Number (01h or 03h). b  y+ q& m8 E9 n  B' K& w1 O
    mov     dx, offset New_Int_Routine
% h% }) S1 u+ e8 x, x6 Q# i, k1 n$ x    int     21h4 u# B. h  j- T; Z
( g0 b; g8 y: x5 W+ c0 }
__________________________________________________________________________0 }# r: z7 [( n* G- s
( i& X% T% o7 N& }2 s0 K
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

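To make the dr7 values quoted above concrete, here is an added example (not code from the original post) that decodes a DR7 value, plus the DR0..DR3 addresses, into the breakpoint state a ring-0 reader would see. The DR7 bit layout is the documented x86 one; the register values other than 0x700 and 0x400 are constructed for the demonstration.

```python
# Added example (not from the original post): decode the debug-register values
# Method 10 quotes (dr7 = 0x700 vs 0x400) so it is clear what such a ring-0 read
# actually tells the checking code.  The DR7 bit layout is the documented x86
# one; the breakpoint sample values below are constructed.

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                  # LENn field (10b = 8 only in 64-bit mode)


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe the hardware-breakpoint state encoded in DR7 (and DR0..DR3)."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln bit: breakpoint n enabled for this task
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn bit: breakpoint n enabled globally
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "addr": dr0_3[n],
                          "scope": "global" if glob else "local",
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),      # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),      # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),     # general detect: trap on debug-register access
        "breakpoints": slots,
    }


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """What the Method 10 check would conclude from the register values it reads."""
    d = decode_dr7(dr7, dr0_3)
    if d["breakpoints"]:
        return "memory/exec breakpoints set in dr0-dr3"
    if d["le"] and d["ge"]:
        return "no breakpoints, LE/GE set (the 0x700 pattern)"
    # Bit 10 of DR7 is reserved and always reads as 1, which is why a machine
    # with no debugger involvement shows 0x400 rather than 0.
    return "clean (the 0x400 pattern)"


if __name__ == "__main__":
    samples = (
        (0x700, (0, 0, 0, 0)),
        (0x400, (0, 0, 0, 0)),
        (0x000D0401, (0x00401000, 0, 0, 0)),   # constructed: one 4-byte write BPM in slot 0
    )
    for value, regs in samples:
        print("dr7=%08X -> %s %s" % (value, classify(value, regs),
                                     decode_dr7(value, regs)["breakpoints"]))
```

The third sample shows why reading dr0..dr3 alone is not enough: the address is only meaningful when the matching Ln/Gn bit in dr7 is set, and the R/Wn and LENn fields say what kind of access the breakpoint watches.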
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

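The breakpoints listed for methods 02, 11, 12 and 13 catch these checks at run time. The same signatures can also be found statically: the magic constants of Method 01 ('BCHK') and Method 02 (SI=4647h, DI=4A4Dh), the int 2Fh/1684h and int 41h/4Fh sequences of methods 03 to 05, the `\\.\SICE` style device names of Method 11 and the registry paths of Method 13 all leave recognisable bytes in the file. The following is an added example, not code from the original post: a small triage scanner that looks for those byte and string patterns in a buffer. The opcode encodings are standard x86 (B8+r = mov r16,imm16, BD = mov ebp,imm32, CC = int 3, CD xx = int xx); the sample buffer is constructed here and is not taken from any real program.

```python
# Added example (not from the original post): a small static triage scanner
# for the anti-SoftICE signatures this text describes, so an analyst can flag
# them in a dumped binary without running it.  The opcode encodings are plain
# x86 (B8+r = mov r16,imm16; BD = mov ebp,imm32; CC = int 3; CD xx = int xx);
# the sample buffer below is constructed, not taken from any real file.
import re

SIGNATURES = [
    # (name, byte pattern, what the text says it corresponds to)
    ("Method 01 (BoundsChecker 'BCHK' int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
     "mov ebp,4243484Bh ... int 3"),
    ("Method 02 (SoftICE int 3 back door)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL),
     "mov si,4647h / mov di,4A4Dh magic values"),
    ("Method 03/04 (int 2Fh/1684h VxD entry point)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
     "mov ax,1684h / mov bx,0202h or 7a5Fh / int 2Fh"),
    ("Method 05 (int 41h function 4Fh)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41"),
     "mov ax,4fh / int 41h"),
    ("Method 11 (MeltICE device name)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     r"'\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' string"),
    ("Method 13 (SoftICE registry key)",
     re.compile(rb"Software\\(?:NuMega\\SoftICE"
                rb"|Microsoft\\Windows\\CurrentVersion\\"
                rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE),
     "HKLM SoftICE / Loader32.Exe registry path"),
]


def scan(blob):
    """Return a list of (offset, signature name) hits in blob, sorted by offset."""
    hits = []
    for name, pattern, _what in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def report(blob):
    """One human-readable line per hit; returned as a list so it can be checked."""
    return ["%08X  %s" % (off, name) for off, name in scan(blob)]


# Constructed sample: one instance of each pattern, padded with NOPs / zeros.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"       # Method 01 (offset 8)
    + b"\x90" * 5
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02 (hit at 29, the mov si)
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                   # Method 04 (offset 36)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05 (offset 44)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                    # Method 11 (offset 56)
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13 (offset 65)
)


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Byte-level patterns like these are cheap but narrow: a 16-bit build of Method 01 carries a 66h operand-size prefix in front of the BD opcode (the pattern still matches because it starts at BD), while a protector that builds the magic values arithmetically or decrypts the device-name string at run time will only be caught by the SoftICE breakpoints the text lists.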
__________________________________________________________________________

- l" S" @- d* _# K, YMethod 14
/ V8 ]+ t, i7 c: E$ A=========
$ m0 T/ p1 {1 a+ j; d  b% f; m5 f# |4 J; l3 U$ X/ X1 @- U& H4 G
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
: V8 A7 U( G2 p( Dis to determines whether a debugger is running on your system (ring0 only).
6 Q% m/ k+ c1 \' C$ k9 T# B
; I) B' b8 x$ X  ]: \0 N9 C; _- b   VMMCall Test_Debug_Installed
2 L/ V" k" x( e8 C. H   je      not_installed
- r5 @2 }/ G; q0 B5 ~5 Z1 @+ d6 v4 X' }4 }* w
This service just checks a flag.
0 ]9 j/ g" \  `  p7 M2 X</PRE></TD></TR></TBODY></TABLE>