<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE modifies al when it handles this request
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI still 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler so that a plain DOS system returns unchanged (ES is
assumed to point to the interrupt vector table, segment 0, as set up in
method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached when our handler is really called
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random-ish value from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al if SoftICE swallowed the interrupt
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the
   SoftICE for Win9x VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

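Added example, not code from the original page or from any of the programs it names: a small Python scanner that looks for the static signatures of methods 01, 02 and 11 (the 'BCHK' sequence, the 4647h/4A4Dh magic values next to an int 3, and the \\.\SICE-style device names) so an analyst can flag these checks in a binary before running it under a debugger. The opcode encodings, the 16-byte search window and the hand-assembled sample blob are my own assumptions.

```python
"""Static scan of a binary for the SoftICE-detection signatures on this page."""
import re

# Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42 (66 prefix in 16-bit code).
BOUNDSCHECKER = re.compile(rb"\xBD\x4B\x48\x43\x42")
# Method 02: mov si,4647h / mov di,4A4Dh (the 'magic values') -> BE 47 46 / BF 4D 4A.
MAGIC_SI = re.compile(rb"\xBE\x47\x46")
MAGIC_DI = re.compile(rb"\xBF\x4D\x4A")
# Method 11 (MeltICE): device names handed to CreateFileA / _lopen.
DEVICE_NAME = re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")
INT3 = b"\xCC"

BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}


def _backdoor_function(region: bytes) -> str:
    """Name the back door function from a nearby mov ax,09xxh (B8 xx 09)."""
    m = re.search(rb"\xB8(.)\x09", region, re.DOTALL)
    if not m:
        return "function not resolved"
    ax = 0x0900 | m.group(1)[0]
    return f"ax={ax:04X}h ({BACKDOOR_FUNCS.get(ax, 'unknown')})"


def scan(blob: bytes, window: int = 16) -> list:
    """Return sorted (offset, description) findings for every signature hit."""
    hits = []
    for m in BOUNDSCHECKER.finditer(blob):
        tail = blob[m.end():m.end() + window]
        if b"\xB8\x04\x00" in tail and INT3 in tail:      # mov ax,4 ... int 3
            hits.append((m.start(), "method 01: BoundsChecker 'BCHK' int 3 check"))
    for m in MAGIC_SI.finditer(blob):
        region = blob[max(0, m.start() - window):m.end() + window]
        if MAGIC_DI.search(region) and INT3 in region:   # both magics + int 3
            hits.append((m.start(), "method 02: int 3 back door, "
                         + _backdoor_function(region)))
    for m in DEVICE_NAME.finditer(blob):
        hits.append((m.start(), "method 11: device name " + m.group(0).decode()))
    return sorted(hits)


# Constructed sample (assumption): a method 01 snippet, the Haspinst.exe loop
# from the page hand-assembled as 16-bit code, and a MeltICE-style device name.
SAMPLE = bytes.fromhex(
    "BD4B484342" "B80400" "CC" "3C41" "7500"       # mov ebp,'BCHK'/mov ax,4/int 3/cmp al,4/jnz
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"           # mov ax,0911h .. mov si/di magics .. int 3
    "83C302" "41" "83F906" "72EB"                    # add bx,2 / inc cx / cmp cx,6 / jb
) + b"\x00\\\\.\\SICE\x00"

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:#06x}  {what}")
```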
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; zero flag set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>