<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: the program issues
INT 3 with EBP='BCHK' and AX=4. If SoftICE is loaded it answers through
the same registers, and AL is no longer 4 when the program gets control
back.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It drives the
SoftICE 'back door' commands, which return information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the interface (INT 3, with AX selecting the
function):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger
is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). Windows returns the entry
point in ES:DI, or 0:0 if no VxD with that ID is loaded, so a non-zero
ES:DI means the VxD is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of SICE (winice)
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; (a sum can wrap to zero; OR-ing the halves is the safe test)
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the int 41h debugger interface: it calls
int 41h with AX=4Fh (the debugger installation check function).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). This variant first points the
int 41h vector at a do-nothing handler: on a plain DOS machine the int 41h
vector holds the address of the fixed-disk parameter table, not code, so
calling it blind can crash, while with the temporary handler in place the
call simply returns with AX still 4Fh. SoftICE intercepts the interrupt
below the DOS vector table, so it still answers 0F386h:

    xor ax, ax
    mov es, ax            ; ES=0: the vector table lives at 0000:0000
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to spot. Instead of
looking for 0F386h it installs a handler that copies AL into CL, loads AL
with an unpredictable byte (the timer counter read from port 40h) and
clears CX before the call. If the interrupt reaches the installed handler,
CL ends up equal to AL; if a debugger intercepted int 41h and did not pass
it on, the handler never ran and CL is still 0. (If the byte read from
port 40h happens to be 0 the two values match anyway, so about one run in
256 is a false negative.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; PIT channel 0 counter: effectively random
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger
interface): function 43h is the installation check and, as with int 41h,
a loaded system debugger answers with AX=0F386h.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h (the single-step and breakpoint interrupts a debugger
relies on) and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (and the computer hangs...).

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it can only
be performed from ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
    mov edi, Device_Name  ; only used when there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect if SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or if memory breakpoints (BPM) are set
(DR0 to DR3 hold their addresses), simply by reading the registers' values
(possible in ring 0 only, since MOV from a debug register is a privileged
instruction). The values can be manipulated or changed as well (clearing
BPMs, for instance).

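The debug-register check above, as an added example that is not part of
the original text: a decoder for DR7 that explains the two values the text
quotes (0x400 is bit 10, which always reads as 1 on x86; 0x700 adds LE and
GE, bits 8 and 9, the exact-match flags) and applies the text's heuristic
to DR0-DR3 as well. The register values are passed in as plain integers
and the three sample tuples are constructed here, since reading the real
registers needs ring 0 as the text says.

```python
# Added example (not from the original page): decode DR7 and apply the
# page's Method 10 heuristic to sample register values.

DR7_RESERVED_BIT10 = 0x400   # reserved bit 10, reads as 1 on every x86 CPU
DR7_LE = 0x100               # local exact breakpoint match
DR7_GE = 0x200               # global exact breakpoint match
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 is only defined in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its four breakpoint slots plus the LE/GE flags."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 3            # LEN0..LEN3
        slots.append({"slot": i, "enabled": local or glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "exact_match": bool(dr7 & (DR7_LE | DR7_GE)),
        "any_breakpoint": any(s["enabled"] for s in slots),
    }


def classify(dr0_3, dr7):
    """Return what a Method 10 check would conclude from DR0-DR3 and DR7."""
    d = decode_dr7(dr7)
    if d["any_breakpoint"]:
        armed = ["DR%d=%#x %s len=%d" % (s["slot"], dr0_3[s["slot"]],
                                         s["type"], s["len"])
                 for s in d["slots"] if s["enabled"]]
        return "breakpoints armed: " + ", ".join(armed)
    if d["exact_match"]:
        return "loaded under the SoftICE loader (LE/GE set, DR7=%#x)" % dr7
    return "clean (DR7=%#x)" % dr7


# Constructed sample values, mirroring the numbers quoted in the text:
#   0x400   -> only the always-set bit 10:        plain process
#   0x700   -> bit 10 plus LE|GE:                 started from the SoftICE loader
#   0xF0401 with DR0=0x401000 -> L0 set, R/W0=11b (read/write), LEN0=11b
#              (4 bytes): what a "BPM 401000 RW" leaves in the registers
SAMPLES = [
    ([0, 0, 0, 0], 0x400),
    ([0, 0, 0, 0], 0x700),
    ([0x401000, 0, 0, 0], 0xF0401),
]

if __name__ == "__main__":
    for regs, dr7 in SAMPLES:
        print(classify(regs, dr7))
```

The decoder ignores DR7's high bits for slots that are not enabled, which
is also why the "0x400 otherwise" value is the honest baseline: a DR7 that
reads as 0 never occurs on real hardware.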
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to allow the
Symbol Loader to check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" names the driver in the Win32 device namespace */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA the request goes through VWIN32
service 0x001F (_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall)
and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001    ; INVALID_HANDLE_VALUE
00401074: je 00401091     ; not loaded


There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
    (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX / JNZ test):

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available under
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004Fh        ; function 4Fh
    push 002A002Ah        ; high word specifies which VxD (VWIN32 = 002Ah),
                          ; low word which service (VWIN32_Int41Dispatch = 002Ah)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h        ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

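The tricks in Methods 01 to 07 and 12 all leave fixed byte sequences in the
protected code (the magic immediates and the interrupt numbers), and
Method 11 leaves the driver names as data. As an added example, which is
not code from the page or from any of the programs it mentions, here is a
small static scanner that looks for those encodings in a code image, in
both their 16-bit and 32-bit operand-size forms. The sample image is
constructed by hand from the listings above (the Method 01 snippet, the
Haspinst.exe loop from Method 02, the simple Method 05 probe and a driver
name), so the offsets it reports are those of the sample, not of any real
file.

```python
# Added example (not from the original page): static scan of a code image
# for the byte encodings behind Methods 01-07, 11 and 12.

# (label, 16-bit-code encoding, 32-bit-code encoding). A 66h operand-size
# prefix flips the immediate width, so most idioms have two forms; None
# marks a form that does not apply.
IDIOMS = [
    ("M01 BoundsChecker magic 'BCHK' (mov ebp,4243484Bh)",
     b"\x66\xBD\x4B\x48\x43\x42", b"\xBD\x4B\x48\x43\x42"),
    ("M02 back door magic SI=4647h (mov si,4647h)",
     b"\xBE\x47\x46", b"\x66\xBE\x47\x46"),
    ("M02 back door magic DI=4A4Dh (mov di,4A4Dh)",
     b"\xBF\x4D\x4A", b"\x66\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h with SICE id (mov bx,0202h; int 2Fh)",
     b"\xBB\x02\x02\xCD\x2F", b"\x66\xBB\x02\x02\xCD\x2F"),
    ("M04 int 2Fh/1684h with SIWVID id (mov bx,7A5Fh; int 2Fh)",
     b"\xBB\x5F\x7A\xCD\x2F", b"\x66\xBB\x5F\x7A\xCD\x2F"),
    ("M05/06 debugger check (mov ax,4Fh; int 41h)",
     b"\xB8\x4F\x00\xCD\x41", b"\x66\xB8\x4F\x00\xCD\x41"),
    ("M05/07/12 magic reply test (cmp ax,0F386h)",
     b"\x3D\x86\xF3", b"\x66\x3D\x86\xF3"),
    ("M07 V86 debugger check (mov ah,43h; int 68h)",
     b"\xB4\x43\xCD\x68", None),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     None, b"\x68\x2A\x00\x2A\x00"),
    ("M11 MeltICE driver name \\\\.\\SICE", b"\\\\.\\SICE", None),
    ("M11 MeltICE driver name \\\\.\\SIWVID", b"\\\\.\\SIWVID", None),
    ("M11 MeltICE driver name \\\\.\\NTICE", b"\\\\.\\NTICE", None),
]


def scan(image):
    """Return a sorted list of (offset, label) for every idiom found in image."""
    hits = set()
    for label, enc16, enc32 in IDIOMS:
        for enc in (enc16, enc32):
            if enc is None:
                continue
            pos = image.find(enc)
            while pos != -1:
                hits.add((pos, label))
                pos = image.find(enc, pos + 1)
    return sorted(hits)


def back_door_pairs(hits, window=16):
    """Method 02 needs both magics close together; pair up SI and DI hits."""
    si = [off for off, label in hits if "SI=4647h" in label]
    di = [off for off, label in hits if "DI=4A4Dh" in label]
    return [(a, b) for a in si for b in di if window >= abs(a - b)]


# Constructed sample image (not a real file), padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh  (16-bit segment)
    + b"\xB8\x04\x00"               # mov ax,4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al,4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\xB8\x11\x09"               # mov ax,0911h      (Haspinst 4C19:0095)
    + b"\x8B\x17"                   # mov dx,[bx]
    + b"\xBE\x47\x46"               # mov si,4647h
    + b"\xBF\x4D\x4A"               # mov di,4A4Dh
    + b"\xCC"                       # int 3
    + b"\x83\xC3\x02"               # add bx,2
    + b"\x41"                       # inc cx
    + b"\x83\xF9\x06"               # cmp cx,6
    + b"\x72\xEB"                   # jb 0095
    + b"\xB8\x4F\x00\xCD\x41"       # mov ax,4Fh ; int 41h   (Method 05)
    + b"\x3D\x86\xF3"               # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"            # "\\.\SICE",0           (Method 11 data)
)


def report(image=SAMPLE):
    """One line per hit plus one per SI/DI pair; returned so callers can check it."""
    hits = scan(image)
    lines = ["%06x  %s" % (off, label) for off, label in hits]
    for a, b in back_door_pairs(hits):
        lines.append("%06x  M02 back door call: SI magic at %06x, DI magic at %06x"
                     % (min(a, b), a, b))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The three-byte "cmp ax,0F386h" and the two magic-immediate patterns are
short enough to occur by chance in large images, which is why the SI/DI
pairing step exists; for the other idioms the interrupt opcode right after
the immediate keeps the false-positive rate low.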
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; 'tICE'
sits at offset 0x13 in key #2 and at offset 0x37 in key #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
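Methods 11 and 13 together, as an added example that is neither the
MeltICE nor the nmtrans.dll code: a probe that tries to open each driver
name the way CreateFileA would and, on Windows, opens the three registry
keys. It assumes that CPython's open() on Windows calls CreateFileW on a
"\\.\name" path (it does), so the open reaches the driver's DIOC_OPEN just
as in the text; on any other platform every open fails and nothing is
reported. The can_open parameter is a hook added here so the positive path
can be exercised without SoftICE present.

```python
# Added example (not the MeltICE or nmtrans.dll code): probe the driver
# names from Method 11 and the registry keys from Method 13.
import sys

DRIVER_NAMES = ("SICE", "SIWVID", "NTICE")    # Win9x, Win9x video, WinNT
REGISTRY_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def device_path(name):
    """Build the Win32 device-namespace path, e.g. \\\\.\\SICE."""
    return "\\\\.\\" + name


def can_open_for_read(path):
    """Default probe: open for read, like the _lopen variant in the text.
    On Windows CPython's open() ends in CreateFileW (assumption stated in
    the lead-in); elsewhere the open fails and the probe reports False."""
    try:
        with open(path, "rb"):
            return True
    except OSError:
        return False


def probe_drivers(names=DRIVER_NAMES, can_open=can_open_for_read):
    """Driver names whose device could be opened (empty when SoftICE is absent)."""
    return [name for name in names if can_open(device_path(name))]


def probe_registry(keys=REGISTRY_KEYS):
    """Keys under HKLM that exist; always empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                found.append(key)
        except OSError:
            pass
    return found


if __name__ == "__main__":
    print("drivers :", probe_drivers() or "none")
    print("registry:", probe_registry() or "none")
```

Opening for read only, as the _lopen variant does, is enough: the text
explains that the driver's DIOC_OPEN handler clears EAX and the carry flag
whenever the VxD is loaded, whatever the requested access.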
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag (the zero flag comes back set when no
debugger is installed, hence the JE).
</PRE></TD></TR></TBODY></TABLE>