<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095  MOV AX,0911     ; execute command.
 4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
 4C19:009A  MOV SI,4647     ; 1st magic value.
 4C19:009D  MOV DI,4A4D     ; 2nd magic value.
 4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
 4C19:00A4  INC CX
 4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
 4C19:00A8  JB 0095         ; 6 different commands.
 4C19:00AA  JMP 0002        ; Bad_Guy: jmp back.
 4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI == 0:0 means no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES = 0 (IVT): swap our handler in
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: an unpredictable value
        xor cx, cx
        int 41h                 ; our handler should copy al into cl
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; if they differ, someone else took int 41h
        jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025       ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
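Turning the listings above into something an analyst can run over a suspect file: the Python scanner below is an added example, not part of the original text, that searches a raw binary image for the constant-bearing byte sequences of methods 01 to 05, 07, 11, 12 and 13, and includes a helper showing where the 0x13/0x37 offsets in the _regopenkey breakpoint come from. The opcode encodings are derived from the listings (not taken from any packer), and the sample image is constructed.

```python
import re

# Opcode bytes of the constant-bearing instructions in the listings above.
# mov r16,imm16 / int / cmp ax,imm16 keep the same bytes in 16-bit and 32-bit
# code (the 66h prefix is just skipped), so one table covers DOS and Win32
# samples. Lazy wildcards allow a few unrelated bytes between anchors.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' then int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",          # mov ebp,4243484Bh ... int 3
    "02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",          # mov si,4647h ... mov di,4A4Dh
    "03 int 2Fh/1684h VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F",
    "04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F",
    "05 int 41h fn 4Fh, cmp ax,0F386h":
        rb"\xB8\x4F\x00.{0,12}?\xCD\x41.{0,16}?\x3D\x86\xF3",
    "07 int 68h fn 43h":
        rb"\xB4\x43.{0,4}?\xCD\x68",                  # mov ah,43h ... int 68h
    "11 MeltICE device name":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",          # "\\.\SICE",0 and friends
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",             # push 4Fh ; push 002A002Ah
    "13 SoftICE registry key":
        rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
        rb"\\Uninstall\\SoftICE)",
}

def scan(image: bytes):
    """Return (offset, method) pairs, sorted by offset, for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

def tice_offset(subkey: str) -> int:
    """Offset of 'tICE' in a registry subkey: the constant the _regopenkey
    breakpoint above adds to esp->8 (0x13 for key #2, 0x37 for key #1)."""
    return subkey.index("tICE")

# Constructed test image: a few of the page's sequences glued together with
# padding, the way a packer stub might lay them out. Not taken from any binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                             # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # method 12
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                   # method 05
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  method {name}")
```

Because only the constant-bearing instructions are anchored, the patterns tolerate register-setup instructions in between, but a stub that computes the constants at run time or decrypts its code first will not match a static scan.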