About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with 'BCHK' in EBP and
function 04h in AX, SoftICE's int 3 handler modifies AL, so an AL that is
no longer 4 after the int 3 means the debugger is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It looks up the SoftICE VxD by its ID through the
int 2Fh/1684h (Get Device API Entry Point) call: if ES:DI comes back
non-zero, the VxD is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the real-mode int 41h
vector at a do-nothing handler, so a 0F386h in AX can only come from a
debugger that intercepts int 41h before the vector table is reached
(ES must be 0 here, as in method 06):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

8 `% _# q. \! p  V
& l# L( L% D3 ^Method 06
* x) o2 k; b  c. Q. g+ |=========
: o5 U3 a5 X0 E$ j5 [1 i7 D7 F9 f! `0 Y

- i% N5 P0 W9 h# `2 z2nd method similar to the preceding one but more difficult to detect:
& i, n' j4 r( s* H8 `+ E3 W) _: M- Q9 E# y, {5 R

2 f2 d& {) U  j- ]+ X8 c( cint41handler PROC
" m( U3 O* H, E. ?    mov     cl,al, L7 d; L/ l) M. g
    iret. E# `8 q  \+ O5 Q# k
int41handler ENDP* L3 f3 l. I% F- e2 q

4 q$ {1 e' z0 X8 m: f% I$ b- I, J
- w, T/ ~. L; U    xor     ax,ax
/ M6 F- W# S$ v    mov     es,ax
& `$ j5 l( |! a/ P' x    mov     bx, cs
; F0 `7 y% W+ K8 A    lea     dx, int41handler
: U+ x9 g: Q% I    xchg    dx, es:[41h*4]% d% s0 c! d8 W7 S+ Z  s# T
    xchg    bx, es:[41h*4+2]
0 W: \5 u7 F# {4 f( v    in      al, 40h6 x9 {/ x- z7 v5 n
    xor     cx,cx2 h) I8 }* Y" g# r2 z
    int     41h+ I- E3 y" E% F' r' ^- d
    xchg    dx, es:[41h*4]
  P' w( @9 H0 r6 |, a6 n4 x: T& x    xchg    bx, es:[41h*4+2], Z9 j; g- R/ U8 n7 X! v  s
    cmp     cl,al3 F6 ]+ @; K( G2 {
    jnz     SoftICE_detected
8 a/ e1 C: ~4 [
$ {2 a$ y& F, a& d! d. z$ v_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
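As an added example that is not part of the original text (the signature encodings and the sample buffer are my own construction), here is a small Python scanner that flags these tricks statically by their byte patterns, so an analyst can tell which of the methods above a packer or protector contains before running it:

```python
import re
import sys

# Byte signatures for the tricks listed above, in their 16-bit encodings.
# 32-bit code adds a 0x66 operand-size prefix before 16-bit register moves,
# which the optional "(?:\x66)?" groups absorb.  Labels follow the page.
SIGNATURES = {
    "Method 01 (BCHK / int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,12}\xCC",                 # mov ebp,'BCHK' .. int 3
    "Method 02 (back door magic SI/DI)":
        rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",               # mov si,4647h / mov di,4A4Dh
    "Method 03 (int 2Fh/1684h, SICE id 0202h)":
        rb"\xB8\x84\x16(?:\x66)?\xBB\x02\x02.{0,4}\xCD\x2F",
    "Method 04 (int 2Fh/1684h, SIWVID id 7A5Fh)":
        rb"\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A.{0,4}\xCD\x2F",
    "Method 05 (int 41h/4Fh, magic 0F386h)":
        rb"\xB8\x4F\x00.{0,24}\xCD\x41.{0,24}\x3D\x86\xF3",  # .. cmp ax,0F386h
    "Method 07 (int 68h/43h)":
        rb"\xB4\x43.{0,4}\xCD\x68.{0,8}\x3D\x86\xF3",
    "Method 11 (MeltICE device name)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",                   # \\.\SICE etc.
    "Method 12 (VxDCall VWIN32_Int41Dispatch)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                    # push 4Fh / push 2A002Ah
    "Method 13 (registry key)":
        rb"Software\\NuMega\\SoftICE",
}

def scan(data: bytes) -> list:
    """Return (method, offset) pairs for every signature hit in `data`."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])

def methods_found(data: bytes) -> set:
    """Just the set of trick names present, for quick triage."""
    return {name for name, _ in scan(data)}

# Constructed sample: fragments hand-assembled from the listings above and
# padded with NOPs.  It is not a real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # Method 02
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"                              # Method 13
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, off in scan(data):
        print(f"{off:08x}  {name}")
```

Methods 06, 08, 09, 10 and 14 have no fixed byte constant to key on (a custom handler, an int 21h call, VMM service calls, or debug-register reads), so they need disassembly or runtime tracing rather than a pattern match.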