<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4            ; SoftICE changes al when it sees 'BCHK'
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02   ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WINICE
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point (0:0 if not installed)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; ES = 0, so es:[41h*4] is the int 41h vector in the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h               ; ...so only a debugger sitting below the IVT can answer 0F386h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; hard-to-predict value from the timer port
    xor cx,cx
    int 41h               ; our handler copies al into cl; if it never ran, cl stays 0
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                    ; DOS set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00             ; OF_READ
    mov eax,[00656634]  ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589        ; detected
    push 00             ; OF_READ
    mov eax,[00656638]  ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae         ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>