About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (IVT segment) here, as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11& y2 o) B, h' k: [1 ~
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe



Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
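As an added example (not part of the original post, and not code from NuMega, Stone or any tool named above), a Python signature scanner that looks for the instruction sequences and strings the methods above leave in a binary: the byte patterns are standard x86 encodings of the exact instruction forms shown in the text, the SIGNATURES table and SAMPLE buffer are constructed for this example, and SAMPLE stands in for a packer stub rather than any real program.

```python
import re
import sys
from typing import Dict, List

# Constructed signature table for the anti-SoftICE tricks described above:
# standard x86 encodings of the exact instruction forms shown in the text
# (16-bit forms for the int 2Fh/41h/68h checks, 32-bit for BCHK and VxDCall).
# Other encodings of the same trick will not match: a hit is a strong
# indicator, a miss is no verdict.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    "M01 BCHK signature via int 3":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75",
    # Method 02: mov si,4647h / mov di,4A4Dh, then int 3 within 16 bytes
    "M02 back-door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A.{0,16}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68h/43h magic 0F386h":
        rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): device names opened with CreateFileA or _lopen
    "M11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b",
    # Method 13: registry keys giving away the install directory (ANSI only)
    "M13 SoftICE registry key":
        rb"(?i:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [byte offsets]} for every signature found."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in COMPILED.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed buffer standing in for a packer stub: the Method 01 check,
# filler, a MeltICE device name and a Method 13 registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x12"
    + b"\x00" * 16
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # Scan a file named on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in scan(blob).items():
        print(name + ": " + ", ".join(f"0x{o:X}" for o in offsets))
```

Because it matches literal encodings, a stub that builds the magic values at run time or uses other registers slips past it, so use the hits for triage and confirm under a debugger with the breakpoints the text lists.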