<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector (assumes es = 0,
    xchg bx, es:[41h*4+2]   ; the IVT segment); dx:bx now hold the old one
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; only a debugger hooking int 41h returns the magic
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if our vector is what int 41h reaches
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0, the IVT segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer counter: an arbitrary, usually non-zero value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl stays 0 if a debugger swallowed the int 41h
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

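As an added example (not part of the original text), here is a small decoder for the DR7 bit layout that Method 10 relies on. It shows why the two values quoted above differ (0x700 sets LE and GE on top of the always-set reserved bit 10, while 0x400 is that reserved bit alone) and how an armed memory breakpoint appears in the R/W and LEN fields; the third value fed to it is constructed, not taken from the page.

```python
"""Decode an x86 DR7 value, e.g. one read from a saved CONTEXT or a crash dump."""
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 10b = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its enable flags and the per-breakpoint R/W and LEN fields."""
    bps: List[Dict[str, object]] = []
    for i in range(4):                        # bits 0..7: L0 G0 L1 G1 L2 G2 L3 G3
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:                     # DRi is only armed if an enable bit is set
            rw = (dr7 >> (16 + 4 * i)) & 0b11
            ln = (dr7 >> (18 + 4 * i)) & 0b11
            bps.append({"index": i, "local": local, "global": glob,
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),           # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),           # global exact breakpoint enable
        "reserved10": bool((dr7 >> 10) & 1),  # architecturally always reads as 1
        "GD": bool((dr7 >> 13) & 1),          # general detect: trap on any DR access
        "breakpoints": bps,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The fingerprint the page describes: LE and GE set, no breakpoint armed (0x700)."""
    d = decode_dr7(dr7)
    return bool(d["LE"] and d["GE"] and not d["breakpoints"])


def describe(dr7: int) -> str:
    d = decode_dr7(dr7)
    flags = "+".join(f for f in ("LE", "GE", "GD") if d[f]) or "none"
    bps = ", ".join(f"DR{b['index']} {b['kind']} len={b['length']}"
                    + (" global" if b["global"] else " local")
                    for b in d["breakpoints"]) or "none"
    return f"DR7={dr7:#x}: flags={flags} breakpoints={bps}"


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted above; the third is a constructed value
    # with a local 4-byte write breakpoint in DR0 (what a BPM W on a dword looks like).
    for v in (0x700, 0x400, 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(describe(v), "| softice loader fingerprint:", looks_like_softice_loader(v))
```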
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

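The following scanner is an added example, not part of the original text or of any tool it mentions: it looks for the byte and string signatures of methods 01 to 13 in a raw file image, the way an analyst triages a packed sample before stepping into it. The byte fragments are my own encodings of the instructions shown in each method, the 32-byte proximity window is an assumption, and the image it scans is constructed here from the Haspinst.exe dump above plus a MeltICE device name and the int 41h/4Fh check.

```python
"""Static scanner for the anti-SoftICE tricks described on this page."""
from typing import List, Tuple

WINDOW = 32  # secondary fragments must lie within this many bytes of the anchor

# (method, description, fragments): the first fragment is the anchor, the others must
# appear near it. Immediates use their 16-bit encoding; 32-bit code merely prepends a
# 66h prefix, which these substrings still match.
SIGNATURES: List[Tuple[str, str, List[bytes]]] = [
    ("01", "mov ebp,4243484Bh ('BCHK'), int 3", [b"\xBD\x4B\x48\x43\x42"]),
    ("02", "back door: mov si,4647h / mov di,4A4Dh / int 3",
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"]),
    ("03", "int 2Fh/1684h, bx=0202h (SICE VxD ID)",
     [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"]),
    ("04", "int 2Fh/1684h, bx=7A5Fh (SIWVID VxD ID)",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"]),
    ("05", "int 41h/4Fh, cmp ax,0F386h", [b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3"]),
    ("07", "mov ah,43h / int 68h, cmp ax,0F386h", [b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3"]),
    ("10", "mov eax,dr7 (ring0 debug-register read)", [b"\x0F\x21\xF8"]),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah), cmp ax,0F386h",
     [b"\x68\x2A\x00\x2A\x00", b"\x3D\x86\xF3"]),
]
# MeltICE device names (method 11) and registry keys (method 13) are plain strings.
for _name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"):
    SIGNATURES.append(("11", "MeltICE device name " + _name.decode(), [_name]))
for _key in (b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"):
    SIGNATURES.append(("13", "SoftICE registry key " + _key.decode(), [_key]))


def _find_all(blob: bytes, frag: bytes) -> List[int]:
    out, pos = [], blob.find(frag)
    while pos != -1:
        out.append(pos)
        pos = blob.find(frag, pos + 1)
    return out


def scan(blob: bytes, window: int = WINDOW) -> List[Tuple[str, int]]:
    """Return (method number, offset) for every trick found, ordered by offset."""
    hits = []
    for method, _desc, frags in SIGNATURES:
        for pos in _find_all(blob, frags[0]):
            nearby = blob[max(0, pos - window):pos + window]
            if all(f in nearby for f in frags[1:]):
                hits.append((method, pos))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image, not a real binary: the back-door loop re-encoded from the
# Haspinst.exe dump above, a MeltICE device name and the int 41h/4Fh check, with filler.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"  # method 02
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                              # method 11
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                    # method 05
)

if __name__ == "__main__":
    for method, pos in scan(SAMPLE):
        print(f"offset {pos:#06x}: method {method}")
```

A lone `int 3` (CCh) or `cmp ax,0F386h` is not reported on its own; each trick is only flagged when its companion bytes sit within the window, which keeps the noise down on real images.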
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>