<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It checks for the BoundsChecker interface built into SoftICE: int 3 is
called with EBP = 'BCHK' and AX = 4; if SoftICE is loaded it answers the
call and AL no longer holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point): if the VxD is installed, ES:DI comes back non-zero.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

" t- m+ }* i4 `: y0 GMethod 045 T6 h; [# H. s& N/ q
=========
' }3 o i# k# b# H) S5 j/ }- W
9 k# ]3 H: E9 y4 l" j; z% aMethod identical to the preceding one except that it seeks the ID of SoftICE
* F6 S8 _" z2 _8 K- Y8 YGFX VxD. _. k3 Z' A! Y- S5 w
9 ]- j3 }3 [ b+ a+ K
xor di,di3 l+ W- t* I$ Y5 I6 {
mov es,di, _9 [& @" y4 X( P- W2 N
mov ax, 1684h % U& r, [8 C& ]
mov bx, 7a5Fh ; VxD ID of SIWVID
0 E7 a2 r/ B; v* b- R" C( G1 m8 D int 2fh
0 D) l# t6 W1 K) {4 b+ c1 ? mov ax, es ; ES:DI -> VxD API entry point& v+ d3 v; S' N4 N6 K$ i; @
add ax, di6 r4 J5 F; E# X3 N* }& K
test ax,ax
& n1 f9 { s1 D9 n1 y) r2 N jnz SoftICE_Detected
) [9 ~7 h5 O! [" F1 |6 X
" l& n$ x# p3 E, l__________________________________________________________________________; ]# q1 q/ V0 g! ~. q" M
6 S: J, l" _1 u8 @. \( s7 g
% p' i& n0 [3 A* h. P% P8 C
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone; a system debugger returns 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler copies AL to CL
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h                 ; reaches our handler only if nobody sits on int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL still 0: a debugger handled the interrupt
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

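As an added example (not part of the original text), here is how the DR7 value that the ring-0 check above reads decodes, so the two values the text quotes (0x400 and 0x700) and a set BPM can be told apart. The bit layout is the documented x86 DR7 format; the addresses in DR0..DR3 are constructed for the demonstration.

```python
"""Decode the debug registers the way the ring-0 check in Method 10 reads them.
Added example, not from the original text: the bit layout is the documented
x86 DR7 format (Ln/Gn enables, LE, GE, reserved bit 10, GD, R/Wn, LENn); the
DR7 values 0x400 and 0x700 are the ones the text quotes, DR0..DR3 constructed."""
from typing import Dict, List, NamedTuple, Sequence

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}                                # LENn field, in bytes


class HwBreakpoint(NamedTuple):
    index: int        # which of DR0..DR3 holds the address
    address: int
    kind: str         # execute / write / io / read-write
    length: int
    scope: str        # "local", "global" or "local+global"


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Split DR7 into its control flags and the list of enabled hardware breakpoints."""
    bps: List[HwBreakpoint] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bit 2n
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bit 2n+1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: bits 16+4n, 17+4n
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: bits 18+4n, 19+4n
        scope = "+".join(s for s, on in (("local", local), ("global", glob)) if on)
        bps.append(HwBreakpoint(n, dr0_3[n], RW_TYPES[rw], LENGTHS[ln], scope))
    return {
        "LE": bool(dr7 & 0x100),              # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # always 1 on x86: the bare 0x400 value
        "GD": bool(dr7 & 0x2000),             # general detect: trap on MOV to/from DRn
        "breakpoints": bps,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: DR7 == 0x700 (LE and GE set on top of bit 10) after the SoftICE loader."""
    return dr7 == 0x700


def memory_breakpoints(dr7: int, dr0_3: Sequence[int]) -> List[HwBreakpoint]:
    """BPM-style breakpoints: any enabled slot that is not an execute breakpoint."""
    return [bp for bp in decode_dr7(dr7, dr0_3)["breakpoints"] if bp.kind != "execute"]


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(f"DR7={value:#x}: {decode_dr7(value)}")
    # Constructed: one 4-byte read/write BPM on 0x00401000 in slot 0, local enable.
    bpm_dr7 = 0x400 | 0x1 | (3 << 16) | (3 << 18)
    print(memory_breakpoints(bpm_dr7, (0x00401000, 0, 0, 0)))
```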
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* CreateFile resolves to CreateFileA in an ANSI build; opening the
       device name only succeeds when the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

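As an added example (not part of the original text), a small signature scanner that recognises the byte encodings of the sequences shown in Methods 01, 02, 03/04, 05, 11 and 12, the way an analyst would triage a sample for these anti-SoftICE checks. The rules, offsets and sample buffer are constructed here; the encodings assume 16-bit code for the int 3/2Fh/41h checks and 32-bit code for the 'BCHK' and VxDCall ones.

```python
"""Signature scan for the anti-SoftICE sequences of Methods 01, 02, 03/04, 05,
11 and 12.  Added example, not from the original text: each pattern is the
byte encoding of the page's own instruction sequence (16-bit code for the
int 3/2Fh/41h checks, 32-bit for 'BCHK' and VxDCall); SAMPLE is constructed."""
import re
from typing import List, Tuple

DEVICE_PREFIX = b"\\\\.\\"      # the literal  \\.\  prefix of the MeltICE device names
SIGNATURES = [
    # M01: mov ebp,'BCHK' ; mov ax,4 ; int 3   (optional 66h prefix on the 16-bit mov)
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    # M02: [mov ax,091xh] ; mov si,4647h ; mov di,4A4Dh (either order) ; int 3
    ("M02 back-door int 3 (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xB8[\x10-\x14]\x09.{0,8}?)?"
                rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46)"
                rb".{0,8}?\xCC", re.DOTALL)),
    # M03/M04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.DOTALL)),
    # M05: mov ax,4Fh ; int 41h ; [vector restore] ; cmp ax,0F386h
    ("M05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    # M11: ANSI device names handed to CreateFileA / _lopen (wide strings not covered)
    ("M11 MeltICE device name",
     re.compile(re.escape(DEVICE_PREFIX) + rb"(?:SICE|SIWVID|NTICE)")),
    # M12: push 4Fh ; push 2A002Ah ; call VxDCall ; cmp ax,0F386h   (32-bit)
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66\x3D\x86\xF3", re.DOTALL)),
]
BACKDOOR_FUNCTIONS = {0x0910: "display string", 0x0911: "execute command",
                      0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                      0x0914: "remove breakpoint"}

def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, rule name) for every signature hit, sorted by offset."""
    return sorted((m.start(), name) for name, pat in SIGNATURES for m in pat.finditer(blob))

def backdoor_function(blob: bytes, offset: int) -> str:
    """For a M02 hit, decode the 'mov ax,imm16' (B8 lo hi) at offset into the back-door function."""
    if blob[offset] != 0xB8:
        return "unknown (AX not loaded right before the magic values)"
    ax = int.from_bytes(blob[offset + 1:offset + 3], "little")
    return BACKDOOR_FUNCTIONS.get(ax, f"unknown {ax:#06x}")

# Constructed sample: NOP padding around hand-assembled copies of the page's sequences.
SAMPLE = b"".join([
    b"\x90" * 4, b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",          # 0x04 M01
    b"\x90" * 4, b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",          # 0x14 M02
    b"\x90" * 4, b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",                          # 0x24 M03
    b"\x90" * 4, b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",                          # 0x30 M05
    b"\x90" * 4, b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3",  # 0x3C M12
    b"\x90" * 4, DEVICE_PREFIX + b"SICE\x00",                                  # 0x50 M11
])

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        note = f"  [{backdoor_function(SAMPLE, off)}]" if name.startswith("M02") else ""
        print(f"{off:#06x}  {name}{note}")
```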
Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

% h' }; b% |' @3 Y; MMethod 14
& K2 v6 Y. T7 ^$ i( p=========, `: x$ @+ H% I4 U. R
- I8 A8 P" n" f; } o) |- P4 UA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 R$ _) N) E0 Q% d
is to determines whether a debugger is running on your system (ring0 only).2 X: D, i# V. b" z; w9 v
' A' H. v; V! p) b VMMCall Test_Debug_Installed% k1 l6 J1 a# P8 x- ~. c2 a. P4 n0 @
je not_installed
: X5 q" l# ?$ ~* }% z8 X
! K. i$ e" P a" iThis service just checks a flag. u: I0 v1 x ]* P
</PRE></TD></TR></TBODY></TABLE> |