<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; intercepted by SoftICE when it is loaded
        cmp al,4                ; AL is still 4 only if nobody answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911    ; execute command.
        4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647    ; 1st magic value.
        4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
        4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
        4C19:00A8  JB   0095       ; 6 different commands.
        4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (still 0:0 if no such VxD)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh              ; function 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic value answered by a system debugger
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 so that es:[41h*4] is the IVT entry
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, old vector kept in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; reaches int41handler2 unless a debugger intercepts it
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4fh without a debugger
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; handler reached: copy AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (IVT)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install int41handler, old vector kept in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (PIT counter) instead of the telltale 4Fh
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our own handler really ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
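As an added example (not from the original text), here is a decoder for the DR7 value that Method 10 reads, so that a value captured in ring0 or taken from a crash dump can be turned into the list of armed hardware breakpoints. The bit layout is the documented IA-32 DR7 layout; the 0x700/0x400 rule is the text's own observation; the function names and the sample values are mine.

```python
# Added example: decode DR7 into enable flags and armed DR0..DR3 slots.
# Layout (IA-32): bits 0-7 L0,G0,L1,G1,L2,G2,L3,G3; bit 8 LE; bit 9 GE;
# bit 10 always 1; bit 13 GD; bits 16+4i R/Wi (2 bits), bits 18+4i LENi (2 bits).
from typing import Dict, List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # the 8-byte length exists in 64-bit mode only


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the global enable flags and every armed DR0..DR3 slot encoded in DR7."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Lx: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gx: bits 1, 3, 5, 7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wx: what kind of access fires it
            ln = (dr7 >> (18 + 4 * i)) & 3    # LENx: how many bytes are watched
            slots.append({"index": i, "local": bool(local), "global": bool(glob),
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD: traps any MOV to/from DRx
        "breakpoints": slots,
    }


def softice_loader_hint(dr7: int) -> str:
    """The text's heuristic: 0x700 (LE|GE set) when the program was started from the
    SoftICE loader, 0x400 (only the always-set bit 10) otherwise; anything with
    DR0..DR3 enabled means memory breakpoints (BPM) are armed."""
    if dr7 == 0x700:
        return "started via SoftICE loader"
    if dr7 == 0x400:
        return "no debugger involvement visible"
    if decode_dr7(dr7)["breakpoints"]:
        return "hardware breakpoints armed"
    return "unrecognised"


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus two armed slots.
    for v in (0x400, 0x700, 0x000D0002, 0x00030001):
        print(hex(v), softice_loader_hint(v), decode_dr7(v)["breakpoints"])
```

Reading DR7 needs ring0 (a MOV from a debug register faults in ring3), so the decoder is meant for values that were already obtained that way; the same arithmetic applies to a DR7 column in a kernel crash dump.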

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the SICE VxD is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
        ; esp->4 is lpFileName, +4 skips the leading "\\.\"

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
        ; esp->8 is lpSubKey: "tICE" sits at offset 0x13 in key #2 and 0x37 in key #1

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
        je not_installed

This service just checks a flag.
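The scanner below is an added example written for this page; it is not part of the original text nor of any tool the text mentions. It pre-screens a raw binary for the byte sequences and strings that methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above leave behind, so that an analyst knows which tricks to expect before stepping through a packer. The opcode bytes are the standard x86 encodings of the listed instructions; the VxD IDs, magic values, device names and registry key are taken from the text; the signature names, the scan/summarize helpers and the sample blob are constructed for the example.

```python
# Added example: static triage of a binary image for the anti-SoftICE tricks
# catalogued in the text. Patterns are byte regexes over the raw file.
import re
from typing import List, Tuple

# (label naming the method in the text, byte regex)
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3.  The 66h
    # operand-size prefix lands on whichever mov is not the code segment's
    # default width, so it is optional in both places.
    ("M01 BoundsChecker 'BCHK' int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (assumes SI set before DI,
    # as in the Haspinst listing)
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h, up to 16 bytes apart
    ("M05 int 41h/4Fh debugger check",
     rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h WinICE handler check", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names opened with CreateFileA or _lopen
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry key probed to locate the installation directory
    ("M13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]

# DOTALL so the 16-byte gap in the Method 05 pattern may contain 0x0A bytes.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature label, file offset) for every match, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def summarize(blob: bytes) -> dict:
    """Hit count per signature label, for a one-line triage verdict."""
    counts: dict = {}
    for name, _ in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: NOP padding around a Method 02 stub, a Method 05 stub and
# the strings a Win32 binary using methods 11 and 13 would carry.
SAMPLE = (
    b"\x90" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                 # offset 8:  Method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"     # offset 19: Method 05
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"                              # offset 35: Method 11
    + b"Software\\NuMega\\SoftICE\x00"                # offset 44: Method 13
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

For a real file call scan(open(path, "rb").read()). The patterns are deliberately tight (exact immediates, fixed instruction order), so a stub that loads the magic values through a different register sequence will be missed; widen a pattern only after confirming the variant in a disassembler, since looser byte regexes over packed data produce false hits quickly.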
) E6 ?: K! ?5 P9 `1 V</PRE></TD></TR></TBODY></TABLE> |