<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the 'BCHK' request
is made on int 3 with AL=4, and SoftICE's int 3 handler changes AL when it
answers. If nothing answers, AL is still 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands' on int 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (read as ASCII they spell
'FG' and 'JM', just as 04243484Bh above spells 'BCHK').
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed through the exception handler the program
  installs for int 3 when the debugger is not loaded; with SoftICE present
  the back door consumes the int 3 and execution falls through to 00A1.
___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI is returned
as 0000:0000, which is why both are cleared first and summed afterwards.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
at a dummy IRET handler (ES must be 0 here, as it is set explicitly in
Method 06) so that the call is harmless when nothing handles int 41h, calls
function 4Fh, then restores the vector. SoftICE answers the interrupt before
the vector table is consulted, so it still returns 0F386h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to catch with a
breakpoint, since no function number (AX=4Fh) is passed. The program installs
its own int 41h handler, which copies AL into CL, and then checks whether that
handler actually ran: if SoftICE is loaded it answers int 41h itself and the
handler is never reached, so CL stays 0. AL is read from the timer port (40h)
so that the expected value is unpredictable (if it happens to be 0 the check
misses, which is the price of this trick).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode debugger interface):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only; mov eax,dr7 faults at ring 3),
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise: bit 10 of DR7 is reserved and always
reads 1, so 0x700 means the LE and GE bits are set on top of it) and whether
memory breakpoints are set (DR0 to DR3). The values can be manipulated or
changed as well (clearing BPMs, for instance).

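Added example (not part of the original text): a Python decoder for a DR7/DR0-DR3
snapshot, applying the 0x700/0x400 rule above and listing the enabled hardware
breakpoints (the BPMs). The register read itself must be done at ring 0, so the
values here are a constructed sample; the bit layout is the standard x86 one, and
the LE|GE rule is taken from the observation above, not from any SoftICE document.

```python
from typing import Dict, List

# DR7 layout (Intel SDM vol. 3, "Debug Registers"); the 0x700/0x400 reading
# rule is the observation above about the SoftICE loader, not CPU behaviour.
#   bits 0..7   L0,G0 ... L3,G3  local/global enable for DR0..DR3
#   bit 8 / 9   LE / GE          exact-breakpoint enables
#   bit 10      reserved, always reads 1 (that is the bare 0x400)
#   bit 13      GD               general detect: traps any access to DRx
#   bits 16+4i..17+4i  R/Wi,  bits 18+4i..19+4i  LENi   (i = 0..3)
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its flags and the list of enabled hardware breakpoints."""
    bps: List[Dict[str, object]] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "local": local, "global": glob,
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "breakpoints": bps}


def softice_loaded(dr7: int) -> bool:
    """Method 10 rule: 0x700 (LE|GE on top of the reserved bit) means the
    program was started through the SoftICE loader, 0x400 means it was not."""
    return bool(dr7 & (DR7_LE | DR7_GE))


def clear_bpm_enables(dr7: int) -> int:
    """What 'clearing BPMs' amounts to: drop the eight L/G enable bits and
    leave everything else (LE/GE, GD, the reserved bit, R/W and LEN) alone."""
    return dr7 & ~0xFF


def describe(drs: List[int], dr7: int) -> List[str]:
    """Human-readable report for a snapshot of DR0..DR3 (drs) and DR7."""
    info = decode_dr7(dr7)
    state = "seen" if softice_loaded(dr7) else "not seen"
    lines = [f"DR7={dr7:#x}: SoftICE loader {state} "
             f"(LE={int(info['le'])} GE={int(info['ge'])} GD={int(info['gd'])})"]
    for bp in info["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        lines.append(f"DR{bp['index']}={drs[bp['index']]:#010x} "
                     f"{bp['kind']} len={bp['length']} ({scope})")
    return lines


# Constructed sample (not a real capture): DR7 as left by the SoftICE loader
# plus one local read/write 4-byte BPM on DR0 (L0 | R/W0=11b | LEN0=11b)
# covering 00401000h.
SAMPLE_DR7 = DR7_RESERVED | DR7_LE | DR7_GE | 0x1 | (0x3 << 16) | (0x3 << 18)
SAMPLE_DRS = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    for line in describe(SAMPLE_DRS, SAMPLE_DR7):
        print(line)
    print(f"after clearing BPMs: DR7={clear_bpm_enables(SAMPLE_DR7):#x}")
```

The sample DR7 decodes to 0xF0701; clearing the enable bits leaves 0xF0700, which still
carries the LE|GE signature, so a protection that only checks for 0x700 keeps detecting
the loader even after you have removed every BPM.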
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. SoftICE for Win9x is
   loaded. Use "SIWVID" or "NTICE" in the same way for the other drivers. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025           ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                     ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                     ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

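Added example (not from the original text nor from any of the programs it quotes):
a Python static scanner that flags the byte patterns behind the checks of methods
01 to 07, 11 and 12 in a file, so you can find them before running the target under
SoftICE: the 'BCHK' and 4647h/4A4Dh magic values, int 41h/4Fh followed by the
0F386h compare, int 2Fh/1684h with the SICE/SIWVID VxD IDs, int 68h/43h, the
VWIN32_Int41Dispatch VxDCall and the \\.\SICE style device names. The opcode
encodings are the standard x86 ones (B8+r for mov r16,imm16, CD ib for int, 3D iw
for cmp ax,imm16, 6A/68 for push); the sample input is hand-assembled from the
listings above and is not a real binary.

```python
import re
import sys
from typing import List, Tuple

# Byte patterns for the SoftICE checks discussed above (raw-byte regexes, not
# disassembly: a hit is a place to look at in a disassembler, not proof).
# An optional 66h operand-size prefix covers both 16-bit and 32-bit code.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; ... ; int 3
    ("M01 BoundsChecker 'BCHK' request on int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42[\x00-\xff]{0,8}?\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic 'FG','JM')
    ("M02 SoftICE back door magic SI=4647h DI=4A4Dh",
     rb"\x66?\xBE\x47\x46[\x00-\xff]{0,4}?\x66?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h entry point of SICE or SIWVID VxD",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    ("M05 int 41h/4Fh debugger check with 0F386h compare",
     rb"\x66?\xB8\x4F\x00\xCD\x41[\x00-\xff]{0,16}?\x66?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h V86 debugger check",
     rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA/_lopen (MeltICE)
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, lowest offset first."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)


def magic_to_ascii(value: int, width: int) -> str:
    """Why 04243484Bh reads 'BCHK' and 4647h/4A4Dh read 'FG'/'JM': the
    immediate is the ASCII string taken high byte first."""
    return value.to_bytes(width, "big").decode("ascii")


# Constructed sample (not a real binary): hand-assembled 16-bit fragments of
# the Haspinst back door loop, the simplest int 41h check, the int 2Fh VxD
# check and a MeltICE device string, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                         # mov ax,0911h
    + b"\x8B\x17"                             # mov dx,[bx]
    + b"\xBE\x47\x46"                         # mov si,4647h
    + b"\xBF\x4D\x4A"                         # mov di,4A4Dh
    + b"\xCC"                                 # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                 # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"                         # cmp ax,0F386h
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                      # "\\.\SICE",0
)

if __name__ == "__main__":
    # Usage: python scan.py target.exe   (no argument: scan the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Each match is deliberately short so that the usual variations (a different register
order, a few instructions between the magic load and the int) still hit; a packer
that builds the magic values at run time (e.g. xor'ing them in) will not be caught,
which is exactly when the SoftICE breakpoints given under each method are needed.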
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
- A$ C0 [2 F; B- d1 ]
9 ]1 c$ Q$ ~3 _
: c; D2 \. H+ FMethod 14 % _. z6 m( z0 Z# z6 O
=========4 u0 U1 @2 q' T$ m
/ @. ]( P* m/ X0 l3 P. b/ U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
3 T8 W- E+ V6 N- g9 P# {0 q* gis to determines whether a debugger is running on your system (ring0 only).9 d* _+ \5 m9 E6 i
' P A+ y! y7 l q- n: z$ p VMMCall Test_Debug_Installed) Y" L2 b8 U8 M; b5 a
je not_installed
1 ~& r: k5 K& s' v1 j5 l; z* v+ N- N/ R) Q1 i. Y7 y0 o
This service just checks a flag.
" \, g2 b" d% ]. r( `+ ], c</PRE></TD></TR></TBODY></TABLE> |