<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements:
with EBP holding the signature 'BCHK' and AX=4, an INT 3 is answered
by SoftICE with a changed AL. If AL is still 4 afterwards, SoftICE is
not there.

        mov ebp, 04243484Bh     ; 'BCHK' signature
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE alters AL
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' expected by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point). A VxD that is not loaded leaves
ES:DI untouched, so a non-null ES:DI after the call means the VxD is
present.

        xor di,di
        mov es,di               ; ES:DI = 0000:0000 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di               ; ES:DI = 0000:0000 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by any
system-level debugger when int 41h, function 4Fh, is called.
There are several variants. The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before issuing int 41h it swaps its own
IRET handler into the interrupt vector (ES is assumed to be 0 here), so
that without a debugger the interrupt returns harmlessly, and restores
the original vector afterwards:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our handler in, keep the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The handler copies AL into CL; if it does not get to run because SoftICE
answered the interrupt itself, CL is still zero and differs from AL
(if the timer value read into AL happens to be 0, the check misses):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap our handler in
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = timer counter, a pseudo-random value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip
  is located at [ebp+48h] for 32-bit apps)
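
The DOS-side checks above (methods 01, 03, 04, 05/06 and 07) combined into
one stand-alone program, added here as an example; it is not code from the
original page, from HASP, or from Stone's stn-wid.zip. It is written for
NASM as a .COM file (nasm -f bin -o sicechk.com sicechk.asm) and is meant
to be run inside a Win9x DOS box, which is where the INT 2Fh/1684h, INT 41h
and INT 68h paths mean anything. Two details go beyond the page's listings
and are this example's own choices: both the INT 41h and the INT 68h probes
use Stone's handler swap, so that on a machine without a system debugger the
INT lands on our own IRET instead of whatever the vector holds (in real mode
vector 41h is the address of the fixed-disk parameter table, not of code),
and the INT 2Fh result is tested with OR instead of ADD so a non-null ES:DI
can never sum to zero. The file name, labels, messages and the ERRORLEVEL
convention are arbitrary.

```nasm
; sicechk.asm  - combines the DOS-side checks of methods 01, 03, 04, 05/06
; and 07 into one .COM program.  Assumes NASM and a 386 or better.
;   nasm -f bin -o sicechk.com sicechk.asm
; Run it in a Win9x DOS box; ERRORLEVEL 1 means a system debugger answered.

        cpu     386
        bits    16
        org     100h

; probe_int vector, ax_value
; Swap our own IRET handler into the real-mode vector, issue the INT with
; AX loaded, then put the original vector back (Stone's technique from
; methods 05/06; applying it to INT 68h too is this example's own choice).
; If a system debugger intercepts the INT it changes AX; if nobody does,
; the INT lands on iret_handler and AX comes back untouched.
%macro  probe_int 2
        xor     di, di
        mov     es, di                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        mov     dx, iret_handler
        cli
        xchg    dx, [es:%1*4]           ; our offset in, old offset to DX
        xchg    bx, [es:%1*4+2]         ; our segment in, old segment to BX
        sti
        mov     ax, %2
        int     %1
        cli
        xchg    dx, [es:%1*4]           ; restore the original vector
        xchg    bx, [es:%1*4+2]
        sti
%endmacro

start:
        ; --- Method 01: BoundsChecker 'BCHK' signature through INT 3 ---
        ; Plain DOS routes INT 3 to an IRET, so AL stays 4 without SoftICE.
        mov     ebp, 4243484Bh          ; 'BCHK'
        mov     ax, 4
        int     3
        cmp     al, 4
        jne     detected

        ; --- Methods 03/04: INT 2Fh/1684h entry point of SICE, then SIWVID ---
        mov     bx, 0202h               ; VxD ID of SICE
        call    vxd_present
        jc      detected
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        call    vxd_present
        jc      detected

        ; --- Methods 05/06: INT 41h function 4Fh, vector swapped first ---
        ; Never call INT 41h bare: in real mode vector 41h holds the address
        ; of the fixed-disk parameter table, not of a handler.
        probe_int 41h, 4Fh
        cmp     ax, 0F386h
        je      detected

        ; --- Method 07: INT 68h function 43h (AH=43h), same precaution ---
        probe_int 68h, 4300h
        cmp     ax, 0F386h
        je      detected

        mov     dx, msg_clean
        xor     bl, bl                  ; ERRORLEVEL 0
        jmp     short report
detected:
        mov     dx, msg_found
        mov     bl, 1                   ; ERRORLEVEL 1
report:
        mov     ah, 9
        int     21h                     ; DOS: print '$'-terminated string
        mov     ah, 4Ch
        mov     al, bl
        int     21h                     ; DOS: exit with ERRORLEVEL in AL

; vxd_present: BX = VxD ID.  Returns CF=1 if INT 2Fh/1684h returned a
; non-null ES:DI API entry point (the VxD is loaded), CF=0 otherwise.
; OR is used instead of the page's ADD so a non-null pair can never sum to 0.
vxd_present:
        xor     di, di
        mov     es, di                  ; ES:DI = 0000:0000 before the call
        mov     ax, 1684h
        int     2Fh
        mov     ax, es
        or      ax, di
        jz      .absent
        stc
        ret
.absent:
        clc
        ret

iret_handler:
        iret                            ; stand-in for a missing debugger

msg_clean  db 'no system debugger answered', 13, 10, '$'
msg_found  db 'SoftICE (or another system debugger) detected', 13, 10, '$'
```

The vector swap is done with interrupts disabled because a hardware
interrupt arriving between the offset and segment exchanges would see a
half-written vector; the original listings skip this, which is usually
fine for vectors 41h and 68h but costs nothing to get right.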
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring0 only)
you can detect whether SoftICE is loaded (DR7=0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can also be manipulated or
changed (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* succeeds only if the SICE VxD answers the open request */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; the +4 skips the "\\.\" device prefix.)

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but is very limited because it only works on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" inside key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>