<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE (the 'BCHK' back door
of int 3): when SoftICE is loaded it answers the call and AL no longer
holds the value 4 on return.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI is set to its API
entry point; otherwise ES:DI stays 0000:0000.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program swaps its own int 41h
handler (a plain IRET) into the interrupt vector table for the duration of
the call, so the call is safe even when nothing has hooked the vector; ES
must point to the IVT (ES = 0), as set up in Method 06:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (ES must be 0)
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot since no magic
constant (4Fh, 0F386h) appears in the code. The temporary handler copies AL
into CL; when SoftICE traps int 41h itself, the handler never runs, CL stays
0 and therefore differs from the unpredictable timer value read into AL.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: an unpredictable value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h of
this interrupt returns 0F386h in AX when a debugger is installed.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of SoftICE detection but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints (BPM) are set (DR0 to DR3), simply
by reading their value (in ring 0 only, since reading a debug register is a
privileged instruction). The values can be manipulated or changed as well
(clearing BPMs, for instance).

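An added example, not code from the original page or from SoftICE: it decodes
the DR7 values Method 10 reads, so the bits behind "0x700 vs 0x400" and the
BPM slots are explicit. The bit layout is Intel's definition of DR7; the two
sample values are the ones quoted above; the register snapshots in the demo
are constructed, not read from a machine.

```python
# Decode DR7 and apply the Method 10 heuristic on a snapshot of DR0-DR3/DR7.
# Added example; bit positions follow the Intel SDM, sample values are the
# ones the text quotes, register snapshots below are constructed.

DR7_BASELINE = 0x400   # bit 10 is reserved and always reads as 1
DR7_LE = 1 << 8        # local exact breakpoint enable
DR7_GE = 1 << 9        # global exact breakpoint enable
DR7_GD = 1 << 13       # general detect: traps MOV to/from DRn

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7):
    """Return which hardware breakpoint slots DR7 arms, plus the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "armed": slots,
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
    }


def softice_indicators(dr0_3, dr7):
    """The Method 10 heuristic: the loader's DR7 pattern, or any BPM armed.
    dr0_3 is the tuple (DR0, DR1, DR2, DR3); returns a list of reasons."""
    info = decode_dr7(dr7)
    reasons = []
    if (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE):
        reasons.append("DR7 has LE|GE set (0x700 pattern: loaded via SoftICE loader)")
    for s in info["armed"]:
        addr = dr0_3[s["slot"]]
        reasons.append("BPM in DR%d: %s len %d at 0x%08X"
                       % (s["slot"], s["type"], s["len"], addr))
    return reasons


if __name__ == "__main__":
    # Constructed snapshots: a clean machine, a process started from the
    # SoftICE loader, and one with a 4-byte read/write BPM in DR0.
    print(softice_indicators((0, 0, 0, 0), 0x400))
    print(softice_indicators((0, 0, 0, 0), 0x700))
    bpm_dr7 = DR7_BASELINE | 0x1 | (3 << 16) | (3 << 18)   # L0, RW, len 4
    print(softice_indicators((0x00401000, 0, 0, 0), bpm_dr7))
```

The reserved bit 10 is why a clean DR7 reads 0x400 rather than 0: the check
that matters is LE|GE (0x300) on top of it, or any L0-L3/G0-G3 enable bit.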
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the device opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001     ; INVALID_HANDLE_VALUE
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov  eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                    ; HFILE_ERROR (-1) becomes 0
        jnz  00650589               ; detected
        push 00                     ; OF_READ
        mov  eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh            ; function 4Fh
        push 002A002Ah            ; high word specifies which VxD (VWIN32),
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001    ; VxDCall
        cmp  ax, 0F386h           ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is installed
on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in the subkey strings of #2 and #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>