<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface that SoftICE implements on INT 3: with EBP set to
'BCHK' and AX=4, a loaded SoftICE services the INT 3 and clears AL; without
SoftICE nothing touches AX, so AL is still 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It uses the
SoftICE 'back door commands' (the INT 3 interface), which give information
on breakpoints or execute SoftICE commands... It is also used to crash
SoftICE and to force it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE the INT 3 is not serviced and
  raises a breakpoint exception instead.

___________________________________________________________________________


Method 03
=========

A less used method. It asks for the API entry point of the SoftICE VxD via
INT 2Fh/1684h (Get VxD API entry point) with the VxD ID of WINICE (0202h).
A loaded VxD returns a non-null ES:DI; if the VxD is not present ES:DI is
left at 0:0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI != 0:0 -> VxD present
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID, 7A5Fh).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the INT 41h debugger interface. It calls
INT 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is temporarily
replaced by a dummy IRET handler, so that without a debugger the call
returns at once with AX untouched. ES must be 0 so that es:[41h*4]
addresses the real-mode interrupt vector table:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, save old offset
        xchg bx, es:[41h*4+2]   ; ... and old segment
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect, since
no magic number is involved. A pseudo-random byte read from the timer port
(IN AL,40h) is passed to a dummy INT 41h handler that copies it into CL.
If the handler is not reached because SoftICE intercepts INT 41h, CL stays
0 and differs from AL (unless the timer byte happens to be 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer counter: a pseudo-random byte
        xor cx,cx
        int 41h                 ; our handler sets CL=AL... unless SoftICE intercepts
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on INT 68h (V86 mode). Function 43h
returns the same 0F386h magic number as INT 41h/4Fh:

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB VMM service is used to determine whether or not a VxD is
installed for the specified device, and returns its Device Description
Block (in ECX) if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before playing with this one. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7=0x700 if you loaded the soft
with the SoftICE loader, 0x400 otherwise) and whether some memory
breakpoints are set (dr0 to dr3), simply by reading their values. The
values can also be manipulated or changed (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field. Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE?
 00401074: je 00401091          ; not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so the
  comparison is done on the 4 characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
within key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
3 Y4 c9 @" y# a! e: A7 d7 y</PRE></TD></TR></TBODY></TABLE> |