About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; echo al into cl so the caller knows we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer: a value nobody can predict
    xor     cx,cx
    int     41h             ; if a debugger owns int 41h our handler never runs
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
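The two numbers quoted for dr7 follow from the layout of the register: bit 10 of DR7 is reserved and always reads as 1 (so a DR7 nobody has touched reads 0x400), and 0x700 is that bit plus the LE and GE exact-breakpoint enables (bits 8 and 9); a memory breakpoint (BPM) additionally sets the L/G enable bit of its slot and the R/W and LEN fields for it. The decoder below is an added example, not part of the original text; it uses the Intel SDM bit positions and is fed constructed sample values, so that a value read from ring0 (or from a crash dump) can be interpreted the way the paragraph above does by eye.

```python
# Added example, not part of the original text: decode a DR7 value so the raw
# numbers quoted above (0x400 vs 0x700, and whether dr0-dr3 are armed) can be
# read mechanically. Bit positions follow the Intel SDM layout of DR7; the
# values fed to it at the bottom are constructed for illustration.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into enable bits and the condition/length of each slot."""
    local_on = [i for i in range(4) if (dr7 >> (2 * i)) & 1]       # L0..L3
    global_on = [i for i in range(4) if (dr7 >> (2 * i + 1)) & 1]  # G0..G3
    conditions = {}
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn field
        ln = (dr7 >> (18 + 4 * i)) & 3      # LENn field
        conditions[i] = (RW_KIND[rw], LEN_BYTES[ln])
    return {
        "local_enabled": local_on,
        "global_enabled": global_on,
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1: the 0x400
        "gd": bool((dr7 >> 13) & 1),              # general detect (trap on DRx access)
        "conditions": conditions,
    }


def classify(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """Summarise the debug-register state in the terms used by the text."""
    d = decode_dr7(dr7)
    armed = sorted(set(d["local_enabled"]) | set(d["global_enabled"]))
    if armed:
        slots = ", ".join(
            "dr%d=0x%08x (%s, %d byte)" % (i, dr0_3[i], *d["conditions"][i])
            for i in armed)
        return "hardware breakpoints armed: " + slots
    if d["le"] and d["ge"]:
        return "no breakpoints armed, LE and GE set (the 0x700 state)"
    return "no breakpoints armed, reserved bit only (the 0x400 state)"


if __name__ == "__main__":
    # Constructed sample values:
    #   0x400   - only the reserved bit: nothing set by a debugger
    #   0x700   - LE|GE on top of the reserved bit, as quoted in the text
    #   0xD0702 - G0 enabled, LE|GE, slot 0 = 4-byte write watchpoint (a BPM)
    samples = ((0x400, (0,) * 4), (0x700, (0,) * 4), (0xD0702, (0x401000, 0, 0, 0)))
    for value, regs in samples:
        print("dr7=0x%x: %s" % (value, classify(value, regs)))
```

Reading DR7 requires ring0, as the text says; the decoder only interprets a value obtained elsewhere. The LEN encoding 0b10 is listed as 8 bytes because that is its meaning in 64-bit mode; on the 16/32-bit systems discussed here it is undefined.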

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

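All of the tricks above leave fixed constants in the binary: the 'BCHK' immediate and int 3 of method 01, the 0910h-0914h function numbers and the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h, int 41h/4Fh and int 68h/43h calls of methods 03 to 07, the 002A002Ah/4Fh push sequence of method 12, the 0F386h comparison they share, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names opened by MeltICE and the _lopen variant. The scanner below, an added example that is not part of the original text nor of any tool it names, looks for those constants in a raw byte buffer with regular expressions; it is not a disassembler. The byte patterns are my own encoding of the listings above (with an optional 66h operand-size prefix where the listing could be 16- or 32-bit code) and are assumptions: obfuscated or differently-encoded variants will not match. The sample buffer is constructed by hand from those listings.

```python
import re
from typing import List, Tuple

# Added example, not part of the original text: static signatures for the
# anti-SoftICE constructs described above. Each pattern is my assumption
# about the most direct encoding an assembler would emit for the listing.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') followed by int 3 within 16 bytes
    "bchk_boundschecker": rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov ax,0910h..0914h (the back-door function number)
    "backdoor_ax_091x": rb"(?:\x66)?\xB8[\x10-\x14]\x09",
    # Method 02: mov si,4647h ... mov di,4A4Dh (the two magic values)
    "backdoor_magic_si_di": rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_1684_vxd_id": rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "int41_4f": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "int68_43": rb"\xB4\x43\xCD\x68",
    # Methods 05/06/07/12: cmp ax,0F386h
    "cmp_ax_f386": rb"(?:\x66)?\x3D\x86\xF3",
    # Method 12: push 4Fh ; push 002A002Ah before the VxDCall
    "vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): NUL-terminated device names passed to CreateFileA/_lopen
    "device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_seen(blob: bytes) -> List[str]:
    """Names of the signatures found, deduplicated, in the order listed above."""
    found = {name for name, _ in scan(blob)}
    return [name for name in SIGNATURES if name in found]


# Constructed sample: the listings of methods 01, 02, 11 and 12 hand-assembled
# and separated by NOP padding. Offsets in the comments are byte offsets.
SAMPLE = (
    b"\x90" * 4                      # 0-3   padding
    + b"\xBD\x4B\x48\x43\x42"        # 4-8   mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"            # 9-12  mov ax, 4
    + b"\xCC"                        # 13    int 3
    + b"\x3C\x04"                    # 14-15 cmp al, 4
    + b"\x75\x10"                    # 16-17 jnz SoftICE_Detected
    + b"\x90" * 4                    # 18-21 padding
    + b"\xB8\x11\x09"                # 22-24 mov ax, 0911h
    + b"\x8B\x17"                    # 25-26 mov dx, [bx]
    + b"\xBE\x47\x46"                # 27-29 mov si, 4647h
    + b"\xBF\x4D\x4A"                # 30-32 mov di, 4A4Dh
    + b"\xCC"                        # 33    int 3
    + b"\x90" * 4                    # 34-37 padding
    + b"\\\\.\\SICE\x00"             # 38-46 "\\.\SICE" device name
    + b"\x90" * 4                    # 47-50 padding
    + b"\x6A\x4F"                    # 51-52 push 4Fh
    + b"\x68\x2A\x00\x2A\x00"        # 53-57 push 002A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"    # 58-63 call [VxDCall]  (placeholder address)
    + b"\x66\x3D\x86\xF3"            # 64-67 cmp ax, 0F386h
    + b"\x90" * 4                    # 68-71 padding
)


if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print("%-24s at offset 0x%04x" % (name, offset))
```

Run over a real file, each hit is only a lead to inspect in a disassembler: a matching immediate can occur by chance in data, and the patterns deliberately ignore the register-to-register variants of the same checks.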
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>